hxxp://drive[.]google[.]com/file/d/1Mzn6o3n5xIhN6nueBAl3YTzyb27ZgMrD/view?wIlIOKgtGy

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://drive.google.com/file/d/1Mzn6o3n5xIhN6nueBAl3YTzyb27ZgMrD/view?wIlIOKgtGy

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
14	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{BFF7848D-693E-48E3-B4B8-100E3C7E1843}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
5112	msedge.exe
5112	msedge.exe
3820	identity_helper.exe
3820	identity_helper.exe
3108	msedge.exe
3108	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3600	5112	msedge.exe	83
PID 5112 wrote to memory of 3600	5112	msedge.exe	83
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 4616	5112	msedge.exe	84
PID 5112 wrote to memory of 3964	5112	msedge.exe	85
PID 5112 wrote to memory of 3964	5112	msedge.exe	85
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86
PID 5112 wrote to memory of 4424	5112	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://drive.google.com/file/d/1Mzn6o3n5xIhN6nueBAl3YTzyb27ZgMrD/view?wIlIOKgtGy
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfd4046f8,0x7ffbfd404708,0x7ffbfd404718
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4752 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1282139859572205051,7320984500799819905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
77f6f6a3cdcadb250d8330bd97065dbe

SHA1
6f5e5893d8ef07e254e98629ac12ea19d0c36cb6

SHA256
6820c7ef40e36c6ccf977b6dfac02921d0b6e87154c99aeb9e9eca25033e9e0d

SHA512
4dc0835c8bb23404b94df1b930dd389921c47e5ba1843dd6ee727405426a6895846aa253214e556bfbe4fea598b4b205aae98831432af4af3664621e759f131d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
4c6dbe57064e7d80b729e1fd605fc50d

SHA1
65cc12c70efe9131fd86c8b82124353e2f93794f

SHA256
f360fcf92be3532b590392e7f43b371322a0954fb59b3ab628c651757f0d9a1f

SHA512
485a847a8710d1375ebd0c3c51fbc9b662e80bae022557aea60559061089f9e902df9f4e0d5905eb75ac9bc2e1d28d61d628993d748c8720787cef3f4d970b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
341c45bec9d7f2e9e1ebba8c72cde14e

SHA1
7f75f409fd8ca1dd313617752bd8739c6fb124a8

SHA256
fa4ce2b4f1015ee188eb1826ada9e46454a1dde3c0395c7fb00a23c9d84cc833

SHA512
d244169adc2f8c831c55e53d54ccf43e76d93d401742f656b6521e7ae9a14875662096b8e17c6e904a9ac71a7e3c383f68f1ebb09e1069c1aaa0ef62477c43da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
0c4de0de0c8688b927e734ea30c5f646

SHA1
93b223fd6de52c784f38cac4a34d0e2b5d0c62ec

SHA256
89b6efb42de81cf57801ee77521277a8c9ce7d850bfabf03c48fa80614379ac6

SHA512
f995e7008c2e4534e0814253ad33022ba10797a557c653c943216f026641e40afc86944d23e5a9c2af0bd680d40b9f514c60c9e69ede01e7e50fda42b5f1a388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
b3c1f613d62d67a9b0216670907eb8e3

SHA1
60f641fcc2b377c965b3f9f9c480f336b690a620

SHA256
103e86298fd822a032d13b9d7dea8d864eb3375f5b7f35bea5c0e80795491b73

SHA512
214c9b52de0324fafdf4756bc185430a07bb2e25a5bb40ce4b0ea238b7d66c27760c5d80f36c6c52614375fcddbef32785aebdbb1b0b97a59436f670e852056d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a684abc283b98edfdf34576033f35e3a

SHA1
7ba23d2b2e60c2b901927cf95ea3c05b340e4726

SHA256
5597ff14bfd3401df457d46a639a36db585d97a9ff5e31a049aa7ad8e50a42c5

SHA512
8b0e8fbf290b9e24f782d593f1e6ec191b3dcbf5eea35f147eafdc2cff0780c465c836c4aa8a47a222daf3e71db164f37961ead79bc34dfffcbfeeb318361e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a0c66401cf35173fb67b5284790d9ec

SHA1
57a947321c889a10ee89aa38229d87cd5539c180

SHA256
8c31d7823ca84e1e43667b290ef76ace0d2dc391cae2873c91ef39670f9d3ace

SHA512
7490530eb5b88042b398887b4b0a47edc269a24aaa84ed114ac310b21dbc4bb21f6b550d9223ee0400f71ec9fcc90f45ed5ab764142326a9e039bf3b62df26d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
116cd88a52073bb21b446f81a7211155

SHA1
c75ef04a7ae6489efe95e037551308c9f5a5234f

SHA256
332b066ba0b6c252b03f60b5049af31e495bdee70d714da48b4c39a1c8a9c71f

SHA512
bb0227f7b65982b8bef1263b71f58c3ece8e4412d838893bbdfa58860a4eb65dfcf64a3a4454764a8f1eed7e66b463db305b960fb6e87d4992e44793076ff73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a8f3377a386ac00ea44e6fec0259d747

SHA1
45777233a76a36215a18c8c749a210f373d6dea2

SHA256
aa44287670a7622b15e53cc39de04d8fd2bd0e35a39dc1ac714e406256baaa9a

SHA512
e3fc95164913f20fe819a6ff9ccd7069ddb57c418596a411f0110108bc9707484d363037c7862c432c0889fc359b0eb8012df5b02580c910ed8a31b2430ade75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
5cdf8b734533830d7d71a5914dda83a7

SHA1
fe9f5bcff2ef54dcd1e9383b2f6e4aeacad7bda8

SHA256
6fda0d78dbffc93a99854269e09b38d40ebf1db23c0046d355c7bdd46226363b

SHA512
cc7310f6ca7bc3d21a4c8a0889ff200a4f418a5a6fb6f796d1caa12de1af71d0857ee51dcdd4e5a5c82c2b41c37215b1d20b24693d63d81c74d9f92bf7cea613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59792e.TMP

Filesize
48B

MD5
18dedaf6863c8ccb272aa790c41e3c33

SHA1
6e2e4325f7da4f0f01b1686ff60c87e726f18aa3

SHA256
f00fca6ce939947e130281ad0b4afcb22ba4c92bd1118fba4f49b9ed4fab2ddb

SHA512
53a53a9e414b034a53aab93736dc52950e1f459a62f96d76a3b28ef9014882cef37c9933cece7696cf5b8b6349d56ad5b6e2cad516b59f91c12fbb129d5ce32a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
13d951258e5fedf4ba37be85079267fb

SHA1
feef78d1608db255d3eb6151703f8b560c8a69a3

SHA256
3b35fd79252878faabf81cc91527278354e0386e83e473b78aca98f5e40a0b81

SHA512
ff4b06e6aeda5181edef57fe666906346b5e0abdb74b52eb273f1ade20fb685b17cc7e595c739db30bb083fb4b657fe0efab624a3011d1f8a3eb06a8edb24440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
57283c69148116b9d6bd374c445b2915

SHA1
bc2ab9293add9f1cb6e594124f9434e73d07c7d3

SHA256
252e48ecd78608855b4ad8e9554569fd50083a048538f58c077ad9253ffd2f0f

SHA512
e0e54be02d42365aaa31b56ff4a0421e234dcb41140af707bf073b766ed6d9ffb697a54d478f71527420d51fd0ff99adae538f85c136f45d598fd1f83e85c503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3d32829954f5b91a354776bbc6f0c32d

SHA1
eb84dc827c32fdcd57eabb800d3da637fe042a96

SHA256
4af4fbc81454a9574e802a8ac25701ca5df075693e9cd76c8284e2141dbe1ebf

SHA512
b2972fcf370f7c286410c7d8dd931553b6fd3b4fe1bf413ee225b559d81cdadc032063f40aaea23d3330f470d17f44c4aea3cffa43e3c650f4c82faee91390f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a2c722d17794b298419f751f2c8c8655

SHA1
e87c05f36218f97cd6c901adb9133dbf078d146d

SHA256
bc2d460ee458bd1b85ae8f272046e8f77b1a8881632e77ff90b66294527ef8ed

SHA512
c587be09c70caf1e88e162158fc3d8a3d9158a436e5bd61b4f1963800c6a5d420a2262d753c0d61fc13ac9d51aa4abff709972f01941ea1ed37081ac223f1152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
875B

MD5
46951cf983fb76165f602498d9dc9080

SHA1
61450339e87d4e6f62f0439c1dc32258d2c7ad92

SHA256
e75f621c3e2ed712988a3c0162b5ef2619ef576840a8d1bdde78ac2159caf36b

SHA512
8ed2f0f400f6816fb370b992d4abd44a68d4dd5aac234b4ca9f5e6bf04b7ab5cfe716629f15bdd126bde20e4504ebaf3c8ebed8f6ec0a44dd5801a76f8e5d4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b90f.TMP

Filesize
707B

MD5
accc0791dbfa48a81e5f50b51bab4cf1

SHA1
8014db63528a420ddbd9c7873f7bd986d0ce0331

SHA256
ee0b8aec747c7f147c7a4593710f8486845150cb3248453a31586ecc0275ece2

SHA512
25ed8a497af487965f92ef093eba3e88479ec7e93d884dd08ff7639146317c57d4399844a77b25e21ee24fb602b5a9af0f94aaec13b990e56ba74fa092252bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6f6412118a0bb1c93bcc5d56c9d7b142

SHA1
56c5f91ae981b846cba701ac60f442c5d79b60aa

SHA256
9ceaf8d50e7f8787cfd15fa31a065e65d819cb81e250d16669ae44d21eb1a528

SHA512
f90f98194ef7a78829a902e594d6b320916fff18815339b9f2574ede8b84a527f77a8cc95fc726a46901c05b1c8ca5db14131e727a65af99e0a5126b73d6113a

Download Submit