b6ae167bc7a98a16120698f2f11452449118662dd3f1cc88e6ef7286465b45ca

Analysis

max time kernel
253s
max time network
247s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
17/02/2025, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Videos/Captures/READ_NOTE.html
Size

3KB
MD5

d2294fc6905efe047a0663b7ffcf79d4
SHA1

9bf17f976f73ec0ce4f05dbfdb5d4ebc9fc1f2d0
SHA256

c459e80d8500c3db9810f63f835e5cc1e4f08cb2deda4832846edf1eac31e1dd
SHA512

983e14d90fe1f5c4993724e1d8ae57132ccda5efc62f0d14146e36c8982d0315753c6aa573f97c6f7d29136051e65eb85bbe9a02846b431a06b5e71ec1ac8a28

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4284	MicrosoftEdgeUpdate.exe
3964	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
652	msedge.exe
652	msedge.exe
3392	msedge.exe
3392	msedge.exe
4996	msedge.exe
4996	msedge.exe
3140	identity_helper.exe
3140	identity_helper.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 2088	3392	msedge.exe	85
PID 3392 wrote to memory of 2088	3392	msedge.exe	85
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 2344	3392	msedge.exe	86
PID 3392 wrote to memory of 652	3392	msedge.exe	87
PID 3392 wrote to memory of 652	3392	msedge.exe	87
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88
PID 3392 wrote to memory of 380	3392	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Videos\Captures\READ_NOTE.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff0ba43cb8,0x7fff0ba43cc8,0x7fff0ba43cd8
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16219692423395479858,16605902714800474421,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4620

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0U4NUU1NkMtMTQ0My00QTU2LTgwNDctNTJENzg3NDc3RkQzfSIgdXNlcmlkPSJ7RDMwQzVGRkQtODFFQi00NEUxLTk4MzMtMEJCRTkwQjQxQjg5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEEwQUU0NDYtN0FGQS00MTg0LUJCMzgtNTJCMzg4NEEyRURDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjciIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDMzNiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQ3OTQxMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5NzIwNDY0OTQiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4284

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0U4NUU1NkMtMTQ0My00QTU2LTgwNDctNTJENzg3NDc3RkQzfSIgdXNlcmlkPSJ7RDMwQzVGRkQtODFFQi00NEUxLTk4MzMtMEJCRTkwQjQxQjg5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxRTFCMTkzQS02RTJFLTQ5NzItOTRBQy0yMDAxQkJBMTM1NTF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtFK3hiQXo2WTZzVTEyODliUzZxbDRWUkxia2pmQlVHVE1Kc2pySHI0NGlJPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNyIgY29ob3J0PSJycmZAMC4zNSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI3IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins5OUY5N0M5RS1FN0RCLTQzQ0QtOTUxNC0xNEVBQjNBMjhBOTh9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjciIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4NDI2NTA0NzkxMzE5MzAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSI3IiByPSI3IiBhZD0iNjYxNSIgcmQ9IjY2MTUiIHBpbmdfZnJlc2huZXNzPSJ7NDI2QjZFN0QtODMwOS00MTY4LTgwRTEtNzg5RDI1MjYzQjAzfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjciIGNvaG9ydD0icnJmQDAuNzkiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSI3IiByZD0iNjYxNSIgcGluZ19mcmVzaG5lc3M9Ins5M0ZFNzhBQS1GMzlGLTRDNzAtQTJGNi04MEZDMkJDRThCMTh9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
319KB

MD5
f8c8afb8ec9864c05b1ec73f9adb2ca7

SHA1
943ed34d938cf62ae6695c310dfa03b7cf66d77d

SHA256
12200f06526c372a3cc0cb8b63f60248266942e60fbd54d785624349be6fc5cb

SHA512
c0f6eba22365930085cd5064a5a1ce7f1aa869c0724b5adc4e911c6e2147eb7ea516b00922bdea7d0ffde482701a0a440698336d5a40f4539848393192167c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb7fc9b0c2b21e5706641c421c4f5f84

SHA1
b911ef5164b8d968972e026743652dbd37e9d111

SHA256
aff9a8e6cfc7e101c493a18f07a77645b292429ba65e28c964445b0020bc3c96

SHA512
81f3ae6deed2fb35b46eec2a1ffe2fb31a430e91cda046d57b51f6a5a8a3cf757665a7c30e9e341da307ecf2049e44b4b34b6979fa953216295c5043a4f428d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e6ccdd370d8b96a5ab810745b4732161

SHA1
a5ab499e95cd44dec08f95f9c1cb55ba8207cf76

SHA256
50f583c9aaca6e9d27312793e40a7a8592cd360d0673f0bad9dc96f3da4f0b2a

SHA512
fc2db021d290fa4e63566ac0e6f5f28e44dd8aedfc9b3e3009db898d072674fd5807e472934423c601b5e7da3972a1bd710845eb612eb2486915f1e2627900e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab7a7a4cbc3b0166f647e32a1eeeaf34

SHA1
2c6efbad200ddd156bb03136f469fcca5b9f8319

SHA256
a2fcca976ea2fd157a41a162246e731193e70c0043d52c8fa3d8984b49720c21

SHA512
a2cd314292cdce66767a5b39aad5819746ca924506b3b928a26cc5a485330d20534b8bedfb773bf74dcaf7f1f555c0b8cf420bd9d356df6c3473fa28ecdaaa5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
976218c5099e9e02bdfc247846268944

SHA1
3ba52c7a029148996300652e0ae2017377583ce0

SHA256
2d7ee19c706671bd61f3136eac6dff1d73ce2ce756492e014b3f0fa990cb4fda

SHA512
1ea80dc0a2e19e24fda9dd77ad64784c1ddf3707275c66301cb354ecfd983ca3e7660eb14a6d32feead8537a31062e3273cde93d007bdba383b5f20c8d448fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
68f97d7d348dbb71c0788c07061ab12c

SHA1
afe7fbe5f5640555c3b3b31233767fb1f25a26a4

SHA256
83620c73a84f959cf3b3db920954938a4f5a8f5ac5b76051c7a6927e003c27d4

SHA512
125d909ad1e2255633587077d65aa233afdc10b30ec3bb9220ef1e0009578bc5fe5a34f44793e77c4953eb06260a43e043b7d5819a998bc50af3e9475a9c3029

Download Submit