hxxps://drive[.]google[.]com/file/d/1UfVK6se05inrUnQZfi6GT-WU4M5evJn2/view

Analysis

max time kernel
200s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1UfVK6se05inrUnQZfi6GT-WU4M5evJn2/view

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3216	Minecraft free.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
7	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minecraft free.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{60309630-F2B4-4990-A556-C88446F5426D}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 866088.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
4828	msedge.exe
4828	msedge.exe
4992	identity_helper.exe
4992	identity_helper.exe
1660	msedge.exe
1660	msedge.exe
1640	msedge.exe
1640	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1500	4828	msedge.exe	85
PID 4828 wrote to memory of 1500	4828	msedge.exe	85
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 1860	4828	msedge.exe	86
PID 4828 wrote to memory of 2992	4828	msedge.exe	87
PID 4828 wrote to memory of 2992	4828	msedge.exe	87
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88
PID 4828 wrote to memory of 4312	4828	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1UfVK6se05inrUnQZfi6GT-WU4M5evJn2/view
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddaaa46f8,0x7ffddaaa4708,0x7ffddaaa4718
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6504 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3184
- C:\Users\Admin\Downloads\Minecraft free.exe
  "C:\Users\Admin\Downloads\Minecraft free.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1176896131880854582,9253317769910980131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x3e0
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1cdc15f8-1f85-482c-a852-f16dc0671b13.tmp

Filesize
6KB

MD5
d441248df795410f961539865fb30555

SHA1
ca7ad2058bbca0ba584e854bd33891ea828e0232

SHA256
f68adacdea47ac5d85a2fc7b99e550a22b98b3bd57ef4696dff25e3c35997e40

SHA512
6d789ec7997468367b5f7a4bdfa4d717e0409ef512b7f8ae73609124509f3baf3f846c6fd65a42c1111d0777fca3bf87ae09220b3b967a2f9a6db18a7466ae14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
f3d0a156d6ecb39d1805d60a28c8501d

SHA1
d26dd641e0b9d7c52b19bc9e89b53b291fb1915c

SHA256
e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3

SHA512
076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
540af416cc54fd550dcdd8d00b632572

SHA1
644a9d1dfcf928c1e4ed007cd50c2f480a8b7528

SHA256
e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb

SHA512
7692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
20KB

MD5
d517ec714cf5a12b9dedbb94a419e40f

SHA1
dde9afb02dd9c4aa7aa902c8e464e3bb7db6139a

SHA256
d358bafe59e817c89c2cea04468ba69cab3677723fc2fad09c291e86608478c3

SHA512
2b356aa332078ab59377c96a223e69773018e5721fe313a7306bc2301dd278581f5be2be6f2bf219464acc1d5575d6502e81c0f150fcd1d5aca25938cbf5166b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
110KB

MD5
8769f4b323b8f257cf2425bb43c7d5e8

SHA1
494376576c39b06456f0210055178d3afa440f87

SHA256
a8cfac72aa192c52b1ae50ea9b104650008c13ef57a62e2f6c63c01a59beb828

SHA512
0076ddbbe26ea6c7fd2bd67aea68469faa50aae164e5472a6600e147e520951afe59dda47360f9f5babc8b533313cdaed99ce62784137c8881a52e645f7fad99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
18d56b6297883cfb6607d25c84c0bb9d

SHA1
fe6cdbb0306f22b4ab9d62a254b755db73d24388

SHA256
b8d496ddab6537144f981d78fda04c939e7ba1a94d3f8f82a23da4abe4bc602b

SHA512
d4a43f5e75e26f120db9abccca168f2a55eb79b0085e6426d2c606227d9190d7ad4cfb9b1e065c1d88c12643a7d26a0bccca5e36a01f76e319632ea43c1e41b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
5a87e14d78c28d946c4618a7ba8aa483

SHA1
378c195cba70529f505f2cf4043e4f14a8066166

SHA256
d906e147b4906589441660e262fd49371797fb9c67ce2a4090b063dda949ed80

SHA512
02e0a1aea86859d060a69eabc95373f7a1965155a4d5500d5e6eda77cf2234abd0b5a9649718abf6695ab5160976ca06b522f08b1b7b6d28baf0e1e032a639ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f02bf3f85ca65d11b1e375224540b52f

SHA1
88c6043548e670893454b28fc8daf1c82b2e4213

SHA256
81c98403dcf826e4848ff82129c639277678369862df4e18aaec6dc95e471eb7

SHA512
a344c963e0b07103f5d69270069690e8cfa48289c2d6326c24ac1db586f6167268f95307698fc4f793ca9dfa2c18d961f541303ddaaaa3009645591f7aa5c726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfa8d3217d4f0540ec41fd5b4a22759e

SHA1
802f2ba5a8a08fa98c6fc15f853cd7a0444ad496

SHA256
d9097aaccb5bbc48e274ec34c7dd726053c55e238464968034a9c795b7da2388

SHA512
558a0a35f7dfb288b828c030108cdb880d6eeaa881cc56fec79cdc633ff08bbadf0d5b80ec998a3e9eca48e8b986ab25a059e91e91003130d78ff170499a7090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1fccc971678a92299adac676b9c36ada

SHA1
231b981bded9aafd391937a2406d28e0df34610b

SHA256
d991b907c756073054dd2e0d78a3246699ccb98c9e177a8599f04c4f0e3e158d

SHA512
c0516739e021b5fc1f101a3d74d9d2fe9cbd6a643ee6a7b31ad912529de338846c680fa6cd814aa745fa2541658249e43cc1e12aa76aa46b6ab4ff7932f3199b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
96eb869d948fae7cb2cfdde7a00d6554

SHA1
e8c441e041246d4c1694d5b2690cacd37ee208ec

SHA256
b9667d3159ae9f91edd8266c78f26a04315d7e6c6c6f9440ebee23c46969c058

SHA512
098d8c6c84aac1b5da840d5112a1c0096873a1974683f14a47bf45c1102150b31b9e53094c1e980f636bd6db6bfa3c6c4faecf94576991075317a92ec8856504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
9dc86208f1f7cef2cdff64e59aa43eeb

SHA1
87e1e29f7a4148f481dbabffa285e46bf326be39

SHA256
0c3a39a26486e1a5a0ff03e113d88f41022d5de6afa50491b8aca3c78c7d58a8

SHA512
712bf4b08bb62b2b8a75b3eb2a9221fad07215bedfdf0b51e6bb029e858f6a2872459ca7f49a7da92b3df98b5141e55a899e0d0fac560f3cba0ec57930bf5fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f1979c3344d6e323e75a41a74468f308

SHA1
2d8311c837a23b36d1f6310d20f8c66c92ea5920

SHA256
c518453a74fecb39801462fe79e9734767a687d7ed0fb789a68a2def676ec08b

SHA512
b6290f34fb43215e9bb53d88da5b57b45bc1c7e2e9ec866bcccb5d3d8554d0b18b8c8d866e5cd269ed143751ca1e87ffae2c53b0692f49192c1c7fe0d76092cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
79a1e2aafee6fe4ecc2cbf88350f26a3

SHA1
73bddbb11df2d32d26fb9950539244e268c649d6

SHA256
b2acbbddef7a5bc4847e7b53894e525c9fac1033d8ce3302ae81c293e769307b

SHA512
2847755753d755058545c62c8d36b536cb8e39f1c0c40a52eb8a0c5fb141ec7f72846ee7d499a8c3c3778526c23d73689f1078f29f0beda8d43ff7d5ea637d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
492a42f925d2e82a26d6193924cb9283

SHA1
9093f30b77f366594dc2e72c455d3669be53be65

SHA256
606120cc858c42ee5c916ce2374bee09d0d65601783146a1ef3b6734a7177608

SHA512
e7e20675ccbcf7de3f3a1b51aa3bd14be2ff4f7f2d21a87786d0b348c81fc95b03f61c7f5bd6a40774aaab4127c9876be678a5c6bd5ccec185e38c1b68e9c6bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c1ebb74b462d2e60d4dfbdb0dd7ae32

SHA1
9ac600730f22e1f735602d300f49841eaa90da2c

SHA256
ccb067d918da2ce66daba64558f3e78ced21eccf0540ee24e7a07bf366fca354

SHA512
43a7d9a677c2ff9316ed89d953a39b55794a324162c7e7b4f10a6c764b499314ace33b44134cf47b11f8ad87afe7af23b206063159ffe29dc34238c15e20a57d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f42197c42df9d3b0c21a4e9b644c8ea2

SHA1
3b8d30f1a6e3cbff3170630371e42a5f791d938d

SHA256
fb5ef5d8a8ad62410fdc01f0c4105eef9c8c9c37d512faba930bd7923856a884

SHA512
6bc0b0d59f8fe456e5bfe7ef8c5af9f054b1370dd244323471c09e9401fdf65de87fe8d8ac249aa7f9fe9e85446d1cf917528a937ca78d9ace78402ed909bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583071.TMP

Filesize
204B

MD5
aa4a281765bfb25e0a12556f439dcc37

SHA1
ee2e99b6f148d2201534fb849c525306af47e3cf

SHA256
4b2c1d5fbb2d7bab903690f5d4915af1d479e3dd1095bec01eded15dfac6e5d7

SHA512
935ea429d380138abdcf7c4c7999a86d3065ff40467c0f5e57d2cc23ac17555bedb02774d9289a9725cba60f9b2fa1fe8afb701558f78fb96ec7b727e3991613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b80d332fdb3d67af0d4c1c87557acfb1

SHA1
b11c59b25408a1ec282468f8441331831edcfb56

SHA256
e3cfae036a8f31fcb6b707f07257388b917c1d5c74bb463dcb4c9362cc2da6e8

SHA512
d402079a7a4b2c14de7bf039c526f672f42bfb1fc9e29c5338343b62540f75c59c34d63dc5eb1f27de7677c6e5a354bf59483400b9713d78f1e4306eafdbfac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8f2b9f165b13b1c11f370681ec15e387

SHA1
082dab1adf7f2e31aa72f8803f52c15216671d07

SHA256
4736b01560c35a6239c3822d863259c4b9f5d14dfc286cc1615842a71267dce6

SHA512
65d2e63c669233059979f7115726cff3c06c055a668fcb26454a83eca20da85ddd7629c8d2f5b1eb6f29ce999c1ceec111360661df28d7c53225b3b72e47b451

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
c7ec3f48e45b210841c415cba588c281

SHA1
e702b518098940f3203d33f0f3f5f03e16faa741

SHA256
c6a2213a22ac6ec472c1cd4d7c02bd336dd54545ee63d9663a885907d18e92a0

SHA512
9306feef2a63f6b44a94b9366b5cbd2a88a248dd6e60d406ed0951afcb6c12c65e8e9f6a0304bc9ab424a8dfe4afa1249086b43773447765a5e4bd6eef9869e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
d2944afed090a92ffdfaed9a8d67954a

SHA1
2243e7f3292e70211048a6d6787e1162ace7836b

SHA256
9d53685980dff535921a8481a6efd8f8ca750e993d22c17263d96d24249dabea

SHA512
e9bf79285958f431658a12248e4fa7426d5d8de037021f4a3f89132980c0ae63b1a268d2801d55bcf40ee8d43667436e916c32404076fc0e66c3e1ed09b41221

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 866088.crdownload

Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
memory/3216-409-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download