hxxps://drive[.]google[.]com/uc?export=download&id=1aDQ93KLASV-LqhzplcipjdT_mpeYyKZJ

Analysis

max time kernel
326s
max time network
325s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1aDQ93KLASV-LqhzplcipjdT_mpeYyKZJ

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
16	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	api.ipify.org
93	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4456	msedge.exe
4456	msedge.exe
1884	msedge.exe
1884	msedge.exe
1336	msedge.exe
1336	msedge.exe
1868	identity_helper.exe
1868	identity_helper.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 392	1884	msedge.exe	84
PID 1884 wrote to memory of 392	1884	msedge.exe	84
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 380	1884	msedge.exe	85
PID 1884 wrote to memory of 4456	1884	msedge.exe	86
PID 1884 wrote to memory of 4456	1884	msedge.exe	86
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87
PID 1884 wrote to memory of 4100	1884	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/uc?export=download&id=1aDQ93KLASV-LqhzplcipjdT_mpeYyKZJ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcf3146f8,0x7ffdcf314708,0x7ffdcf314718
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1824 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3392 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1248 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14412588527956577497,2023958438385246652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
47457c73b946d29320309e210d6044ec

SHA1
6e1f81397eb701b56b5406a3bcbaa107ede189a4

SHA256
90d361642af925780d04b98e12195f3d3213508f546ca842e6b53ff7b8df6fa2

SHA512
2e7cef1fe989debc51f78e7b15b127eb336148545a3599922870edac7ad90b2f9933475b92b7c6c1668b1408e828d1796922cc5bf111642e069bdf771ef16e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
166aea4dcfd830b0e6a31f11a3e2cdce

SHA1
cfd159e895ebea3cf00a8ab0acff7de84359410b

SHA256
81adf256ee1bae87f1e96ac5b0f7c367fed4cf87df6e6ad5a3f816447363aedc

SHA512
27fc1e6f3756293e3c389b9a4448097e24c9c31149b4200d2a909b77e0c9793578e059d7751799cd59ae18cbaacf0284500ea53131670eee8ef82d49b0a58302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
89e62699645b2df36fc25e5a304e1b87

SHA1
03621d896dbc768da4000df0764c17d5b18b606d

SHA256
a82f0684283982a688a59eb7e30c2c38feec92178436e788805a1f4ab17a5235

SHA512
b74f5c44b126287177c6d2ad04ad79968e52d373e48c00dd013d6cef9c3ce672a3c89e795f867d790d30e585f48f4447c02d75dabe153fe11cf63ee383842d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e08a244654adc18e94716d92e1d0f611

SHA1
46bebf130f4952e1da5592da6458ad4d9ead051d

SHA256
a5a6daa4ad16e7c546f6a59ad3656c4d71b30a450d2ae26932f6466ea25bc560

SHA512
9c0fbe5aba7095d745a4e16a44886c31b21fe45e41d93802ee3b6aca340c60bc73b268b68a00248f51e690cf0132a484805a236d29ab276010993344b83ae2b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1023B

MD5
7bcf41650a07d09538af6e41f08be722

SHA1
1d8c0b927fa6c6057c578892737a7b845d19a77c

SHA256
f2b091cc8168a8765c1070604315f81aa00fcdd4a25e8aaf8a33c8da35450e45

SHA512
d83e7ab8d5a32e2964a0e771fc45b2b74eb738172ea4bb0e447329a31a2c71d5d0cfbdf5ab5a6215b7b4a6c646fa220c37ff3577051fe086a85814c1c97edf63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
02bebae53107cd0ce8ea015e952b4987

SHA1
d7da00e395c925d97b94e50dd9582ed38edaeff9

SHA256
7b3e06fb7bd3e1cf64bc2679c6650fd939fcc4fc300fd115ffb50dd2f382b208

SHA512
42c99a851e391a4109f5fad9d27e7965127ebb2d45cbd605e6ed8bd899fa09a47df1786fd3de41ac53ab4d2cc08b244b8836e0b5aad29d80f33e18ddafdb5d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8036019c3e69025f983f58fed809b527

SHA1
53368083e31e10dcdcb2c5ea3590948876d272e3

SHA256
36d61eacfdec3fb38dab0a7e0fa3569d542dde8aa19b1af8c2f9f891e789336e

SHA512
a4fefa4ab306c291bd2bed258e9a160c9d4bb1616cc520aa9bd5e9fd382a7084f0ef1973ee8066e3bc4f9f85cfdf79aaa05abff139b3af19adf677d24848c16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b7e0e42e2c33cb60cde9a9d7f59f075

SHA1
dc70ee2f297ac2f283b580157c7ecb7556731f0f

SHA256
54cebf59ae3a0312cab7a0bd9cc52f4c9ed05a298c80f700c199150b274a6752

SHA512
116495be0fc42059dd4fe62a79beac246e862e5fec3a75f91095211d69888bfe4f5ecc8f726fa851cd843d7f772bf8789edf6cc413815d73d9ce7166c393f4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
36f80534af9e06735ee676ac080ca9fe

SHA1
4c4c6451d936a2d1a7cc9829390c7229ed32b805

SHA256
87ce5f7fcc7c0830e1a33f8b872ffb0e3f50b45354d0f17899fca80f9ec0f964

SHA512
f34d80b938b39933d994ff3ce6fe4be4323edcd6e9053f83bff4ffd9330f396a4878f7c31532a8671a6142fa33bbe7d5110fe24d30ec441894d93db1122ad7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
8c3612d465e9fa79a99b052db2ca8b2c

SHA1
7eec766fec3a161e49c378cabd805884680c4a15

SHA256
bed4058b441d89fbc49265230c7801c02350bd1933a6d2e224d553929bcc48eb

SHA512
31bf79249993cef2cf05316b8c41ba085a085341724875f9f37b48f82afec8fe0d9163fbfbfba377e313876b8f67294de8add58b2ab968a1dffcc04a68e39fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e21c7d3c3671465e2436e93256fd3317

SHA1
3591da4684379d4465a906bcb47ba25cceedb955

SHA256
a0610209a89e931ba13dc3b600a644b8c0f4c3ade98d716350fce08786a61951

SHA512
9e272f805aad3c10b17c27e88fac9c28de8a9b94fa6ca3b9d2f217c920d4398f872f0efb266b28376151818dcded29cc1ac670d87acfcb6a9ee8e2edffbcbd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
3528a9344b818865e5d4f0177848c44f

SHA1
b4467336fe5a2d03129e584a4de21e108e499c7d

SHA256
b3ca43a276f3fd8ff534b2325424f36196a30f90c82ec6969d30ae249ca79d8b

SHA512
9d3df50e9dc3816f11717313f58e320bd6d285ecf8c26b1782925a0494170edc2e0db333fa28f9240940bae7befda4bd2aaafd0c7d964a70e6af348f6bed6099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581cab.TMP

Filesize
371B

MD5
05fca3bf5852b139b9f6f4422bd2eb2d

SHA1
2f1ffafab4b6c5e6d3f11c051358c46efa438355

SHA256
43746fc72d9b5bf45aa836a5df12482a90d023f383a3d3cab552e5f8dc5bbb5d

SHA512
fee17cef10730ceca4973173ccef0a901d3deb0a784c10027c3e4a4b4a3f3dd34d1f49a3d73b92d9282cfbe826f84ae515a8a63cb141d90b3ec0b1b5325fb8d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
022dcc0ec47247843732eec0b2dc2603

SHA1
1fff258070f2e11acaf5d7377f781e66f75d3e20

SHA256
f097e81e2c994dca0030d232b21cfc5124265bd9e43e65003621779aaf452f6f

SHA512
72d0d5e37dbae26418520d83ff0daf214c1eb1c417468da9b1986ca817c9839f7d8b6a55999043800322ed33a135e361e6ea792ee73a961c4ce2a934f3ea27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit