hxxps://drive[.]google[.]com/uc?export=download&id=1aDQ93KLASV-LqhzplcipjdT_mpeYyKZJ

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2025 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1aDQ93KLASV-LqhzplcipjdT_mpeYyKZJ

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
149	3592	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	api.ipify.org
54	api.ipify.org
55	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2224	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1416	msedge.exe
1416	msedge.exe
816	msedge.exe
816	msedge.exe
4972	identity_helper.exe
4972	identity_helper.exe
616	msedge.exe
616	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe
816	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4572	816	msedge.exe	86
PID 816 wrote to memory of 4572	816	msedge.exe	86
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 3032	816	msedge.exe	87
PID 816 wrote to memory of 1416	816	msedge.exe	88
PID 816 wrote to memory of 1416	816	msedge.exe	88
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89
PID 816 wrote to memory of 1352	816	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/uc?export=download&id=1aDQ93KLASV-LqhzplcipjdT_mpeYyKZJ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddff246f8,0x7ffddff24708,0x7ffddff24718
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,18235253041238140444,8334701352654450449,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5584 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTEyRjk4RjItRTAzMi00MjdBLTkyNUYtRjVGRjE1MkU0QUQzfSIgdXNlcmlkPSJ7RDEyMjhBMzctNzlFRC00OEIyLTk4Q0EtMjU0RTJEOTlBODI2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0E3RjNFNkItOTVFNC00OEVDLTg4NUUtRjBGRkQwOEUzQzI0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ0OTciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNjkzODEzMjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDQ1OTY1NjY0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aa50e46aef7f210bf65d44c570031714

SHA1
41993bb24a2c4cffdb5ea9bd4eeb825bf6b6fa79

SHA256
857a7702a47be49f185619891e5c74e34b4bb2515279033f3b5a0a9be2da839d

SHA512
dd5a1e88b2000957e3ddf057329a24dbbfc5408857cd1432799f20c21b967b627627bf1a3caa23e9698bb8133b7033d925487bcf46d864186a707176f8969029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc7e2abfae997eac3dd58ba7132b3a2a

SHA1
ed7e80b26252b600acc6d89b985f4235b0fb03fb

SHA256
be084d16cf52949ceb38b98ebc8761cd5bf1a6ac9e8c247efc12bb669f5f023a

SHA512
a504e52646c4be5ee0f0d979b0d7a539228ab638394c658d1a88eff86f6db4091146b176484388afa6967a296af7ea97b4d2678577ea85f83d721ef2fe63f928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
b1889dd3d59c820744ee233f2ebbb91c

SHA1
6494315e95280145bc38fb7ab03bc878212ba8ff

SHA256
3ac919b70a97f57d7301f85214de31aa4b84c17b6f2bf28e072d1672f8934b5f

SHA512
f364f7b077a93f83830ada9bfc7689f8817a3f0740b5a9339a35824e16075f2b6b136ad3d58da9ce105f0770369f045bd818d2f8857809a558afea6783defae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
945B

MD5
7f6bafcadd7263b6e01d6288e8c7c5fe

SHA1
085fa53cc4a686ea2f433c13f88d17a1c536d825

SHA256
63ecf12c2c878c90292692442012d03d11d7b3f29e27448433b318ba5e859944

SHA512
6e64eae55cd22ff328c0704ba53f161aef7a3b4417e45308c6dbb722266a9f7a2ff1ba7096c71a9820cb2bcc611e427be6ccf8e3d45214b7d8a51ac404ff2722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
75d819e40a2c1bc103d0d59233c4f2b6

SHA1
fbdd5ded7a700a8a0b18bb5d7ba65a68c9136081

SHA256
45beac1393b7b31f8d8e924201d965ee0c9ef59c0d79aa7efdaac856762448c8

SHA512
50dd86a4cfae359e015501276dfbdaf31fa5582770609919eb42b458db71369fb980e552b0138ace185ff9552b81d6f1e76b60de9b6e29193a5bfdf2f3756684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f75cc333048ffe1df3bad7ca21d108b2

SHA1
46f1015638e251ecb53673a0995d25a127c4eddc

SHA256
9acda4375621753a421edffffd0f5e154158d8188a59827a8baeb995c5aba529

SHA512
b2f506c97ec687934c181b13c79df192dac61e8b50bb2115100d7e5f36bb3143f3ea554ae82c95b573e1b226259b5a2173f60399b77c697069c4dad16e0bfe93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c29fd90532016fb87b7df14c6e95a6c1

SHA1
9ec3dd9cb5b48411d0cbb2905dd6b54e282010fb

SHA256
c7c322c3ca2c690b8e3101b43d186d56de92bb4273e13705c569eea89dc9f23f

SHA512
74f2337a25c737f8ca5a4769657ad87f044342d1e0a669218e00a14dac1124b97f9823a1a8aa9fe23af7477ee4731864810f05d33b17d4431e43a3f428afd25b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c23315f98f42df25e44ee4b6b402c9e

SHA1
998fdd9cf686cc36263430dc50a5b1d2e2c823af

SHA256
5f85992d974b98a9c805900277dc058eaab63fbb0600eef6d42b7d689bf72905

SHA512
467b7e6b8712c885f21e0aeecd44a2c3dd8855893c09237c4fd3384d09c83359102e951e33f4984b60c3cae73c086e3c823aa3b8e68dde871d0f7d750b11fabd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
67c34dac5a6e4116b16fbccb04adbe48

SHA1
89ae4e430d198b914a4f39fa77e0bae32da2e71d

SHA256
534aab57f3ca388fd5203ab48dcafb307a63bb8c38480581800fdfe571a90717

SHA512
545aa0c17f3002dcec999ba74b14ad9f77930d617932d302a192f600f787ac4bb7b3ab1779c11cbe0013eab1dca9dabe2b1d9b41ecd3803d94a7d2b69d74fbfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
920c05d09cdee2dd71ea2a9a462b2f93

SHA1
3fe4dfeecd861e0dc2d744c2c4093e8a33344ab1

SHA256
d4505798ed17a33cabf1825b7c410fffa58c8e3b7d7dd7e8d7dde116b0293175

SHA512
0aeaf1e21df5ac8dd8853855fae139ec67c10cac63643ab0c14dc1a32adff213e93b2d71ebd2a06760efe3fbb41651b6773a09c8fa725dfd0320a53e2639a0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4301993c1e0b777c7288fb19fdaa55ac

SHA1
21ed938a802b88070883e5ddd420ee86056cf46e

SHA256
2e46841b0793e6670e9bdcd3c1db7f7a5bae599bafc1a851220b7f846452bc5f

SHA512
cb8a74ea8a0e8767def08e6680f30de17724bb0007bdcbe906ba7d8b15a63e58c8a67767bcd31059247a2738bdab7bb1465782f978ab71a11860bf356e562bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
6b91936178e5c2b2a42ed4a0c248e0a9

SHA1
ecdfec52bc446e372316b72f38a418d7c290dcdf

SHA256
44eb2a26e9089371cc3195e5bba270d86c68dfe254e23d151df98691916dc6ef

SHA512
f30dee45de6818677a36491af21b3f93a119ecbe0ef023b95ae224ea2e38638c370224502f6de9bb72fb178ca5e423be5c81d3a4c93932a3f47061745368ff42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
24f21d9a44b887cfdda9e8418380d5c1

SHA1
c997652179f269faef6dfa7271affcc85bb919ec

SHA256
9cba28349a05b89cea68c3a4f9a64bf4e1531fa54cd32f6bb442a37662487443

SHA512
868cd8a570cc90ef8e438d0f8aae02145a2beaa3d957b3e6a175d79998722b5794a27c0ad70f2a378e09d871948545c3e4680b9c54cb95203cc72037fb3182be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580191.TMP

Filesize
204B

MD5
3310a75fcb9ab190aa4e8a2b654bae11

SHA1
e35db8039d0b2167249a86d146e86bec7cb558f4

SHA256
ec6e123361fe4016a84c5371a87dab2a3b1263a536beb7320c1210a12de60f09

SHA512
7bb17e6a43fc5897a0cd097af14d64b84a6df06d07dc2edd694c6833c9452c8768a65798de5a928eaab092f620d95f4f12af13b2faa89bfcd6e79aed815cd3d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d699ef236ea9172d882320dccdf86757

SHA1
5946ab6ae206d9f98203c2ac9a03410fff4d8521

SHA256
00f32a607ec05106020ea69130daa60219733f003e8aa8fcf395be34e2042662

SHA512
e63d55503d4e43dc91f368701ff4574c0954643ab1e399b28fab1399b93ec2ab85b5328af3d77da36ef175080e9f9fbae3a95cbad63b5effcb6fe9b8361831a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit