hxxps://drive[.]google[.]com/file/d/17yOMTXPy6qEXPeMU85uyB8olb7IEFXle/view

Analysis

max time kernel
67s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2025 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/17yOMTXPy6qEXPeMU85uyB8olb7IEFXle/view

Score

6^/10

discovery link pdf

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x0009000000023dcf-120.dat	pdf_with_link_action

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
400	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3576	msedge.exe
3576	msedge.exe
3264	identity_helper.exe
3264	identity_helper.exe
5240	msedge.exe
5240	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 3396	3576	msedge.exe	91
PID 3576 wrote to memory of 3396	3576	msedge.exe	91
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3860	3576	msedge.exe	92
PID 3576 wrote to memory of 3912	3576	msedge.exe	93
PID 3576 wrote to memory of 3912	3576	msedge.exe	93
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94
PID 3576 wrote to memory of 1504	3576	msedge.exe	94

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/17yOMTXPy6qEXPeMU85uyB8olb7IEFXle/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aaf446f8,0x7ff9aaf44708,0x7ff9aaf44718
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5188 /prefetch:6
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15535333683322002697,5240240748830546057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzhBRkEwRkUtRTRFNy00Nzc3LTgzODQtOEJEMTYxRUVGQTU4fSIgdXNlcmlkPSJ7MzZCOEVBOTUtQ0ExOC00RDMzLUE1RTQtNjQ2NDUzNEVEMUMzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkUzNzgyNEYtMDQ4Ny00QzZGLTgyNDEtOUEwRkEwMEI3NDcyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDA0MDgwMjIzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e7cdb863a609a2c77150bd0168843b66

SHA1
81f66ff335d38ce1985e57650c45c92a780f5f47

SHA256
cae95bfcebfe3738b20d2502a4e8252b7cb44b699f219e4050043e2ce5e50700

SHA512
f4bfd5280f196266ed021e30bdd29ec9013a5ce73f5737fdae5d8a296a6a669296370c7405e9778144dd745ae53d3143de8de23967984828870eaf318d74e9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99a53beb5abd659549f1af758f31cd5c

SHA1
1b91526d8dd19cbe0c572207bd99e47e9b6bfdbc

SHA256
c0605e1d61f7a80a5b7a13f151bb4b90a330ccd0b3a436a9aa9d5e6d11b1334e

SHA512
e798e3d8a716acd1356882caf3012a2d65570e4eb5cf34df4459747851dfe75aa04b4de27217e88baa46d69e2e1ac40be6d8167e4f8857788365bc9c10428f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
e0ba7aef217f2e29fc4200617e17244a

SHA1
846327261442de05a1ea68f0073ed9bb417d9b4b

SHA256
d7e4ed7c900dc7db864207e1c72ff71bb501888108735ecff02686846b4dcb8b

SHA512
9d6a3e794a5977190a597aacde854cf8547931380116102aa4ded6ae314fa90806f5305d735903ac9e77a07ba41add770fa5aead023c8d75c3d2f0a0d0e23aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f0e16abd3c5d88cb3c22a77b74c3a61c

SHA1
2f7a93824731a347ba834563f352f5c7c4a74d84

SHA256
640e1cc0858d379cbcb653952f711ff1e8ee25fa7dabcb6c6d3e491a2562b1bc

SHA512
05518b951e71e2f91e656500675636bcc360962bb608f910b3e96e5edc083474defe6c1ecbc744e4482fffacdfd39dedd053896c70c1fea2ab595877c0015995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b9a716c5cadde365df424a55b2fe62a

SHA1
3767075084035ebde29fbdd8032979c0f0a3da05

SHA256
b6481ad67d3c760d5466f7727b643793398bd9734fc84a4d2b276a08f8b00ab6

SHA512
a0128c39d3ce4016509a3c8bb081fc917ac422e19d5220d2864edabc208ba73cded8319d1327c86f457d16a65805e862f369026b7280746dc32a776bc523ef98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b9ef06b7140158f8b2560f31b2d84fa8

SHA1
3588d0675edf53cc20f8ab555a8814cb7be4d56b

SHA256
dfe9d213f6e5027a5a30b1057943567841091b2e76e03ac35aa634ef616c3530

SHA512
b7a0b76de3afbb200b93ccfd975b2be08df13d265673b390d343f8735d86b5520b18d4678cfe625babaf06de75751a9a5f22324cc2f64a82395aa0823781b35e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2fac312ba030a71007b2584f9e247ee0

SHA1
f7a5263a225df3239eeb9ed94b5d4c67516c9c08

SHA256
379452a9236a05a06e15a50786ba37d84ec0d0d7693e1e36eed8093330216bc5

SHA512
c559fed8e53803b03ccd36b523961bcf3d298e286f17e5bb9113ee551e6c9043fc31884cc84ef07d828b5b03f1223dcaf000f959e871074022483acca71a31a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79461510fa442fdf5cb13d4569d345cd

SHA1
12c5ae3756b698598e63b34f2dd0f6d9a70a1f9d

SHA256
293e05ab7760f9c0c7ae6493f0a36c6de10086acb72a61f692adf59db2ac9d57

SHA512
83d6924794e35d28de5ca0dc64886e2b3e882ea1bd1377f81b09ecf88b3d6e622902fd4da497463c13ecfddff583d483ad8521e708aa2befcb2a8f4c7189156e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ffe48505a20102450a3b1769d0c334c

SHA1
b7a9364706da8918f0ab4dfaabfd76311f8ef004

SHA256
7d9b77754a6ee0ca70cfe9e380af641600f5765951cec46d42be29a0c821cede

SHA512
87a9cd7d28d6bd05888bf2bda9764041e5f3667b58c75b892214089b51db4672cb7fb59b62fcf531f9f557addd68af2d90ce0bafc319f15f55246393720da6ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
04966fda0d75dcd0ae1c82fe6cf19eb3

SHA1
e90783dd3b35b201246ddd6d306b9bdb9f30b2da

SHA256
d649ce67b8988070b8f4a7fb5835fc6673b6181bdfd1788da09a56c8f6463ce1

SHA512
57f272baa54cfc97e99faa460aaabcf37e7e5b8e3317732ab02e12fa6001cdd11958583b78c3769dfb3d12b2c82ce0713accbe204df522a062e54651ae64a8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
581b345a738bbadb7f38c0f7046f0eea

SHA1
8bfda1db565304e11db3c78286fd3a87dfbd85a2

SHA256
aaa1ceac781083c2a2ce77e0470603c6388f2941456abff97888d9428c106247

SHA512
32d534b410065dc881cdc7ce33cf9d1bd8f5c6636929858103e5f5c8aa356136dc97a0b470a2fd627cd2f05fae474edb1a8f4cbc307a9919419d91f500e3b3ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a1c9.TMP

Filesize
1KB

MD5
53840f013b7831b1e076d4f8585347e4

SHA1
6d5354fe37c2888dcfc434ded80348508cc7c60f

SHA256
fdca7e5a7559b0e160b9cc5d86ecbc2f43be3a8031a2bd657255c8fcfcf943ab

SHA512
9542f798984097ea0faea7f4af8fd82fd0f15101aab809ae5051bbec1bbb632ff863917f6c5cd6ebffcfbaf8a87f5bdf0d2afdd8a0628c3bfc1ad33945627771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5caa46b0a5e9a07c45abedab11580ed6

SHA1
6b1d461763fb1f4460ec8bbf88c93a61e854680d

SHA256
936736a07b1c50325800da0a566804a47db7a562f19c25bb62255ca7524737c5

SHA512
69c155c21f3455b493f881da0b782de6b16c4cde082d976bff7103897f7e63c4c6897989a146b6af709e6238670ab5ed4f88b8ccc640b2e8c3f7836555ede455

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 173937.crdownload

Filesize
427KB

MD5
275fe1409223d21388d67682f9d071a5

SHA1
658eb533dc2eba8eee5f8adc0bc9326bea9fd360

SHA256
5d8a9ae5e0ea3a1e9fa7d38f16d03572b9fbb95b4892dd08d1733badef83b64a

SHA512
14dcf34f3b68529f6326cc0b3bb6fdd910c2bc5b18090974e94fa4cc490a2dfe56c8ed58666dc6b30adfe313e288d9cee4a3a63e324a0e5c65ec0e1bb166fc7e

Download Submit