hxxps://drive[.]google[.]com/drive/folders/1VXPOhQR2Rf6czienG4xOBzCUnNmBq38g?usp=drive_link

Analysis

max time kernel
186s
max time network
191s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
08-02-2025 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1VXPOhQR2Rf6czienG4xOBzCUnNmBq38g?usp=drive_link

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
35	3560	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
5	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1068	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
1348	msedge.exe
1348	msedge.exe
3156	msedge.exe
3156	msedge.exe
2472	identity_helper.exe
2472	identity_helper.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe
2556	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe
1348	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2300	1348	msedge.exe	83
PID 1348 wrote to memory of 2300	1348	msedge.exe	83
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 4172	1348	msedge.exe	84
PID 1348 wrote to memory of 3096	1348	msedge.exe	85
PID 1348 wrote to memory of 3096	1348	msedge.exe	85
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86
PID 1348 wrote to memory of 2564	1348	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1VXPOhQR2Rf6czienG4xOBzCUnNmBq38g?usp=drive_link
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d5303cb8,0x7ff8d5303cc8,0x7ff8d5303cd8
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1148 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,12599841143398529282,2520157500586255531,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2972 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3552

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjUzNzYxRTMtQjM1Ni00Qjg4LTlBQTgtNzEwNTUxRjZGODQ3fSIgdXNlcmlkPSJ7QTExQkIwNTQtNUZGRC00REJBLUExRUItQzE3OTUyOTAzNDlBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTk2MjRFNDktMDFERC00NjcwLTk0NEQtRkU5RDBGMUU3QUExfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTk3NyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI4NTM1NTkwMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5MDIxMjYwNTMiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2522886e1b6b01847a8b2bd8239db83a

SHA1
4c16812bf9f827262030825bda1f644746c90ac0

SHA256
596eec2b17e61e2acd9682ba492a4d5263cab1361dadbee49dbf1a175c226cf3

SHA512
f32b6e29315f7e0459a3ee890eb40b713262b936182609c9ba7408c9aeff97353a27fd711e7713629f9a302b48cbb7cd1175bbed28dd6e07869bb947cf048c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a2b6a38b7ba9aa7c64738c68e58edb9

SHA1
fc9280f92eaf999ddc4dfe87c08f0640384ecc77

SHA256
ceaedf34d68a4c20e135231363cba3816453f53b96ae58fd88bc5f00135dbb6b

SHA512
69aed16cd3a96b7dbc1205714fa46040f105547b8b7338d7320cbef5338cdee2985953cd10b037e2dd7ff8a79dd7ce76edced906c7b50ef54980e52fe00a4e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
1db603d979c8e77193991f6740a28b67

SHA1
17bc3853cbd1df689e8c9798e79e1c2eb65f1afa

SHA256
e97ee96b0cc23617bfeb998ede639376f6c90f59295a131207068a18cbaabca7

SHA512
03e9b8240a4c6e0f739b645dffaddd2bb95835d20fd28f654621db6e0c7f7441694de9b60cd57e43e808d0a6b2bd19de889217c7d40075c5e22b17d780d51b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c0b7b3aa075b28f27d6146702d1c3068

SHA1
21916b56fffa2fb5e0e99802d208b7e47e0ea2e9

SHA256
502e65a3ac9087adccc293064d3e3fd9d37b5f96ae1f483b90f4ee66b41a0137

SHA512
41834c028ba4efc79f5e6b83bbf8ade02b0f8f7438fc0c195046ff9515b711dc243dce01482994ca19e00848c6433ab13d2bde31c32a5ec3e361c8c2f51b67bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
649ee1fbeae8877de129bbe59be959a1

SHA1
2c8aad332fe51acaa355edbf5ef1b7583d610c1b

SHA256
31d87130d61627bc73fa60d4c360e1c99c0d87867a5dfaf35dc86933014cc71f

SHA512
6817650f6c6d264596eeebd33dbd1489a66c1cea0b1109e8d84432a48b42d345c124c42009acc5c2d417c26dac0c45a30e4c551ebc22f25526844e61f585063b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4b6d351ad306bc98e4f1704ad227c0da

SHA1
198f68322a306d97c00a30ea692987e60d5a5dd1

SHA256
9b82d07ab572cbf11c775191a1fc5ce907d5a98c66ac1f9248388d3edd3c4095

SHA512
e5323c902ff848cb1920d8869dd7400e9e6caf033c6a79d367e22dcfd7691e95cf0b9336a9fa4d38fe5136248d1fbed18e09e3e6e0dc376c03e81a3ffb445375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
543e051550cd48d73d62353087d06e94

SHA1
82d5ec157d9e2af6b9e918a7f0ee59f63fb48527

SHA256
eb0289f736f038ddb3044e044d936fb141bc71a2abb096ea09f7d9d65305ee91

SHA512
e7779bf2bfff1978606a859350433145647d7ecfe55dab8daf5d246ae892e09ba663458bdc002ffb7dd368061655fe321ca0d40d2c19d669bca30273a3dd8756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ca13fc181b82e3585b8b5c5eed2051a

SHA1
5e4ac07f9860c7537083e058875d2e8ad4c32926

SHA256
f501230e44b7a57368bdc77554d535079e7cdea9d28fdd7a2860a2c576335018

SHA512
1edf8728601631f39ba996aa5b905f93485da1ec85c736a4d69c9b35bd5323dc96841dc84c66b243c3f5af48c481ba4aea92f07f9539838bb5161a52a67abcc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
479d575075eac58ee384ec6f30527bb9

SHA1
55c3a777219febe67565d65b8793e326d40f3ff6

SHA256
a10ff5b6543cc1c963d5df7b26aacb455db2806e5888f746b660b99fb8edb29a

SHA512
b4f45719c77ec3899250ce5e15eabe87845d1e318f7395993c863da35179b01d166014ed8e495080fc232c63bf7ac56cafccf3043d922b42a88109a5d340d0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
731f7e58f5e78b759d38e0f55825b95f

SHA1
7c539d5b4f373fca91f17065f7a8404f6f2f484c

SHA256
881e07dc16c324b4cc4599cd9e7b11618c2b5316a2cfda5ca7bf3501f0a7eec9

SHA512
e3e5bf4d5e8854a0cc5d5d7c542aa5302f1f346564959b53a5bf1e12959b38eaf04b2deb9a6536123a6b666a868b5a19f212a2203698cb18fabfedfcb76025df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58465b.TMP

Filesize
368B

MD5
3ee677ac9db842d62ccf7d78425b9111

SHA1
feace93934e9ff48d0cdfd51ae126ae09c0637dc

SHA256
63ef88bc10f78daf8a9f6f8ce70f9670b4874668aa1340ef065a4213df42155e

SHA512
eaad715ba116f2b8f578e42401d4b6389d0db683db77cdf5a8c121f9bf143781576b0ba17b6b59aa2885817ce6dbd53032c69148d78e705d9edf37a885c30268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f8aa37ed-b377-43a4-9edf-072155337800.tmp

Filesize
6KB

MD5
7993df1396c89883f917519d48a2c8f4

SHA1
48c140be0d7acd37d7b6a90d5297b3fd5bf20eed

SHA256
aab63304fc7436efe14752c55cefddec7e4ba0a935b73d1b2e62fd2581d36942

SHA512
6769672792eac7f529ddf4a33b448602b1abd07f7d684c4510db02cc030c07f7fcc555f83a129eb51b852d2567c9dc1c094064454a10f22622e37b1d98e96d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98e38f2cfc782e5abb7121062700c8ae

SHA1
e8c5b02a61406c9808c5caf2850c4e42100ae678

SHA256
3d223c6732d0ac701ac399c1444d8baa61f780252962df267ceb5bbdbc86ca5d

SHA512
71826141901f30aeaeaa24dd3fbac5464fcf401c3e62658eb56280a8bb5b0c6a766a2701941c39b2134c656b28e25d27727225adf182c61c567047feeab97ac6

Download Submit