600168731609f20a9c76bd184d8d5c887524fb27d1d3f62b60f73f2a4074e292

Resubmissions

14-06-2024 15:53

240614-tb3g1a1crp 4

13-06-2024 18:10

240613-wsdlba1gln 10

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
13-06-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Screenshot 2024-06-08 1.10.46 PM.png
Size

87KB
MD5

43bfac5ae117b7303c02220af885ffc4
SHA1

795bdf71b59ef1e389b410068875d250003c6cdd
SHA256

600168731609f20a9c76bd184d8d5c887524fb27d1d3f62b60f73f2a4074e292
SHA512

4a94340ef9357b711bfdb00964e409762acf7e286558da65c9b46d4839c15a7100529389bbc56e982b628f70e289c65bef0bc426864ef5384e45af1872bcb6b2
SSDEEP

1536:oJBkqSqJX2SWfgjcYrimoGl2bLAGhoHqQ5o6XVwM2htxlimpjKfxX2:oJBkqSLSWYYYloIGhn5uGhTlipZX2

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

GamingRepair.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3" GamingRepair.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

MinecraftInstaller.exeGamingRepair.exe

pid process

2108 MinecraftInstaller.exe
3856 GamingRepair.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3"	GamingRepair.exe

pid	process
2108	MinecraftInstaller.exe
3856	GamingRepair.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GamingRepair.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GamingRepair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GamingRepair.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

MiniSearchHost.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{C9B40891-A44D-41E5-8694-D52D8182EAEC}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 763290.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
4040	msedge.exe
4040	msedge.exe
2424	msedge.exe
2424	msedge.exe
3996	identity_helper.exe
3996	identity_helper.exe
2012	msedge.exe
2012	msedge.exe
3584	msedge.exe
3584	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MinecraftInstaller.exe

description pid process

Token: SeDebugPrivilege 2108 MinecraftInstaller.exe

description	pid	process
Token: SeDebugPrivilege	2108	MinecraftInstaller.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

msedge.exe

pid	process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

1308 MiniSearchHost.exe

pid	process
1308	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2424 wrote to memory of 3540	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3540	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1380	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 4040	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 4040	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 1160	2424	msedge.exe	msedge.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-06-08 1.10.46 PM.png"
1⤵
PID:5056

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f33c3cb8,0x7ff8f33c3cc8,0x7ff8f33c3cd8
2⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
2⤵
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
2⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
2⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
2⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
2⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5548 /prefetch:8
2⤵
PID:680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
2⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
2⤵
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
2⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
2⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6608 /prefetch:8
2⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Users\Admin\Downloads\MinecraftInstaller.exe
"C:\Users\Admin\Downloads\MinecraftInstaller.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
"C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe" scenarioMinecraft
3⤵
- Modifies security service
- Executes dropped EXE
- Checks processor information in registry
PID:3856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2d5457a7-3e98-4c64-862b-73059ffb2f62.tmp
Filesize
6KB

MD5
4dcc49f71192e8b138ce3a1054c3d2d3

SHA1
eff26fd00c2439bedf65975605df3caf6e55dbbe

SHA256
43d8da05e301f47a50b206866b414bce5fb6cb0bb722c0fd229595c2c0193135

SHA512
5a4e79eb71bb1a56d4f8ca92bb32edf93b02c0e8716bad5f77fdf4d5631c38097196151a1645e48e257f1d3f1055599fe1f140dde3c070490f1de2322acde975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037
Filesize
49KB

MD5
8991c3ec80ec8fbc41382a55679e3911

SHA1
8cc8cee91d671038acd9e3ae611517d6801b0909

SHA256
f55bacd4a20fef96f5c736a912d1947be85c268df18003395e511c1e860e8800

SHA512
4968a21d8cb9821282d10ba2d19f549a07f996b9fa2cdbcc677ac9901627c71578b1fc65db3ca78e56a47da382e89e52ac16fee8437caa879ece2cfba48c5a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
3ab010c995103710686eff80b858fa83

SHA1
f7e9f16d2b73a71fff48c7fb04ad85d96ca6e162

SHA256
61bc3f35ff8651bcfcd80f7d4d3ce29cf5c9438cce9d0c821d9e5b9cd162932d

SHA512
d36b74ecf28c439a115b0ee55a18997d490365d607fe2fbcfabfb78f603f2c91609082078b5248ac02e1059e745a366526f8170a6438753bc398e8d0068f7647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
18d5d47238d109a5a9bb8d83c9d8f647

SHA1
4df08b6b55589921a38f0763fda800429ed7a3b6

SHA256
d4342a0e29bac71d3240702db693aeb5e723ca92be536ee476bc0ef51b098c4e

SHA512
0702016dad28140db98a4d0adf781480a67605bbc99529e0d694ba7dccef35ad7bb0655364880b09d26b12d0db1da3b4bf17a1d9410f910e66a4012ee37f16ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
bd3967ee086b319746485d03098cdb56

SHA1
a1655ea004a87eb5ad47e36e4cd8f28e61ac11bf

SHA256
e72d45a1002afb05ddaf26cf3732aa9342166e5c4e1165522baedb63d61380ea

SHA512
50f1739c418b6342b8cad28ad7e1087a330ec0a13b460564107e0cb1d5b3429167379acef36a88924df9ff61705f5c02fa78c752093b62436114b92ac726deed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c962356a358040f09ca89f154a8d933f

SHA1
e4d3e450159b3a053e013a365d09f265c6bf1002

SHA256
8b8b31dc2dd58cb89fda819ef6450d844620d7955f0ec50d5889c2a568ada31f

SHA512
2132f1fdba6adf8258fa7e52cdf16372d80bf48fc5e93b73be51f667f128813b3de071b1b17eaef512f6002b38cdf514686b23e61ba22c4ed667a0c0e514167c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
60c764381ae4178043a599107f5a4b01

SHA1
f73913307b98ce90ee204cb651142b50f7ea862b

SHA256
a59bb55036cf6cda855a9a54a300a9a87bb7e40d82c5a9800c3c78bd00aa7e88

SHA512
1a48953d9949ba82bfe9e0d337efa8133cf97bbeb5ae076bc349c66ec59fb8e8debfe45fd39266c0f5adf86a2e1e252e1b88e19b8e192ee514d61e44ae03a7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
de0ef8587340b259c888562e9340db57

SHA1
47f773d82919f6cb41eed70375fa7ee8fb818ed7

SHA256
d372b4010cb36129cd886e61860b519385061da2981a7fa2a2e8ea3a4498b27a

SHA512
641848a1c0a26f573b963cb4b328598df1d34484bc17949be1e6d6384b109feb4a68c5becb9132c2a5b8f20af5ffd14d3d1076fa0d44927a9e7d90bcb6546c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
38903a679bce56ed8bb39c6a62f3d24e

SHA1
e0d01ae32291f328b14e3f0d5a449e1a18d2f668

SHA256
dfbe69baef68c9a01a0e37236bb1d9f2db26b182907c6e6f3a8667f16a58a70f

SHA512
0c8a6303bfc7a75423319005ca9c2962ae8e10abf84d654da2326b970966e4120c9baf704a62a646e7e63e68f2669a147e49874677d19c2d7233863bc5be0982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
6dc02ab7adcc90a2f574c26c2dc53e33

SHA1
fa6b6856a3e5d336c3f75999735d7fa7ff67ba2d

SHA256
fd0f40f4a82809110253eb5c140f770282f81523dd06a86f31e2dc89edc588ef

SHA512
ceefbe77d719a841cfd82540f64219600125a5d6ba06b79c754ce6757ff2bf49d30e87093cf8cec805cb7af54179ca492bf60e7dfbf80170136e752b0e49eb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f7b8550dfcca30f2b6f7d6a832d216ea

SHA1
de1e3e19062291867763cc8afd76a51654033ee2

SHA256
0c1cd43defef38eafd5f05189520f0372f307858bea8f6369a53dab6ebd71e07

SHA512
d36850d5817dd6ec19edbee51f8982a92696e223544386d8e73ee152459443ff56e3476aaf019fabb0a43d2740588cb7eba4f7781ebd3e76afe381edd7bccc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
873B

MD5
1871efce89e6d876c1a127558bd55287

SHA1
876db69d3e2c825c26bee0e2a4a96da850568fa8

SHA256
d1d287ff6da857cf8f08378576c5bb20ce6004fee11795a5af01e8c65740b37d

SHA512
7ccb20e0fbe9a01da38491e1298962d5de341f777de17b35f870dcbab9c337ee015370e9f5758a50ea89bc714c12e5de2c88c61e2f6f8f55f08dc9efc8bd6167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d196cf0bee6505cfc924b6eec75cffb0

SHA1
bee414a2f1e735d2aadcb7bf6b322456831fb4b6

SHA256
f8bc547b584e3ca53f40aa16501e82639687265c4d151fd818773d8ee1003215

SHA512
e6cea1b6f0d6d59d4f87988ebe2a271b07e17ecbb6bdf8f225b6906f92c4fb2fe815cb8669451edabd712099920eb01edd59a26356b271f7063f677fa550b34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58842f.TMP
Filesize
538B

MD5
e156dac31eff35151e87af1902ae1b2a

SHA1
2d4fca54d7d90c6b40228903cbf357be9f995062

SHA256
d2689ac16dd76e59f8ac93f1f85aa87ec778f95aede6297cb5cf7861caa99ee9

SHA512
129540d3a7cfbc049b1175609974cbd52651aaa370a2ce11e8a0e8fab020a3ca2ae3d5e3c056b4efc03a60bd5e1b67938b45db502fa96382a06bb4c454b1b226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
dbb60768790d04f54eb468d44e92bc4d

SHA1
3b5d6e2fcdf7e2f0bb7b9a15a498a18b1b8e428d

SHA256
00876d901a18eaf8a02a4160a46be98764821895e7bec4890425e431643875c3

SHA512
7fb8cc35c9886739461b0b1c4a51d77711ac1b7d973f073c7891b48f8575a3d41ca4ea6a01b8cc37fba135295a9918acbae03ea26a17d3c4e314d669633b8468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
b0a2147ddb2f18dfe8e30c05297ab46a

SHA1
d266951188a1ab1ebba388c5aedd17d85b735e92

SHA256
f4bf347ab83280183acdb16846401bc1612b75ea55eb7d75a3cad0fb48724554

SHA512
55b180cfc677dfa3afc737f0e76f76d3cf4022b316da86e73105e915102ea53342294a2ff99c0596e4af413e7d279127c0305f1e312b48c512757ad2d6be056e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a6ad251cb17623d70e609f6b03f83362

SHA1
6be8af7bdbebab48c83b9e6824372a98f8587c66

SHA256
1ade92e068998068ba06bc250a8eefc43283794f5ee72e3029227473d1b178cc

SHA512
485cfb9bd967d045f267a5433c93df4860eefd8527d3b5ea22916721c339d6b6eec6a1b6849d14893fa554af55505087ade9c974149048ca203a55244bc676af

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
e0236413295e49948baeeb46d884acef

SHA1
c24f80184264ef596722c1a84b8dedde9bdad557

SHA256
11af5d1895a6e5952ebf08f72ad5121d828a5e2f8dc0656875d527e886ca54e8

SHA512
d99fd945c37dee141ea4e4f2e2460f482230bb679d8a63131348685a7dbebce074c9543161672fc525cd0c84d41d29e2ee78f6e3a7b8f7d18ca40eefcb95e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
Filesize
557KB

MD5
8a4e72a29c08ae2cd13bc8ec414b8fc6

SHA1
26f8d73bc6f5ace5cec6e3652fc6410a71298498

SHA256
6513546697c3c9deb50d8dbb0cc9aa0be55487538ed482ec16b6264579de1539

SHA512
77eba566c65de1327bcacadb1483f538b4e5da67c3607398d745173ade25e987f59524a5ecf065dd5f95e26654cbb5a48dc80fae995d5d2dd63c63b2cd98fb98

Download Submit
C:\Users\Admin\Downloads\MinecraftInstaller.exe
Filesize
32.3MB

MD5
4f02ac057355b5dc73ea28aecd2d56b4

SHA1
32591cb75779a3e308a44e75a76f821e7dee11e0

SHA256
83a5f942b2a15eab4826ef1709ec6a7f9637a7ec0fce16585776848797307fa4

SHA512
9eb08f85559df6af9192bec8904097d4e43a832ba9e9cc1c7be1a366af8d103c3a6db3886f00927ae5eb62055fbc770c7b5a3d2a122a0b460b51136083015368

Download Submit
C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_2424_UZPDRHGMQFYKOUXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2108-587-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

Filesize
32KB

Download
memory/2108-599-0x000000000B720000-0x000000000B758000-memory.dmp

Filesize
224KB

Download
memory/2108-600-0x000000000B1F0000-0x000000000B1FE000-memory.dmp

Filesize
56KB

Download
memory/2108-589-0x000000000AA90000-0x000000000AA98000-memory.dmp

Filesize
32KB

Download
memory/2108-585-0x0000000007170000-0x0000000007332000-memory.dmp

Filesize
1.8MB

Download
memory/2108-727-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

Filesize
40KB

Download
memory/2108-728-0x000000000CA00000-0x000000000CA26000-memory.dmp

Filesize
152KB

Download
memory/2108-584-0x00000000002B0000-0x0000000002306000-memory.dmp

Filesize
32.3MB

Download