Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 13-06-2024 18:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: Screenshot 2024-06-08 1.10.46 PM.png
- Resource: win11-20240611-en
General
- Target: Screenshot 2024-06-08 1.10.46 PM.png
- Size: 87KB
- MD5: 43bfac5ae117b7303c02220af885ffc4
- SHA1: 795bdf71b59ef1e389b410068875d250003c6cdd
- SHA256: 600168731609f20a9c76bd184d8d5c887524fb27d1d3f62b60f73f2a4074e292
- SHA512: 4a94340ef9357b711bfdb00964e409762acf7e286558da65c9b46d4839c15a7100529389bbc56e982b628f70e289c65bef0bc426864ef5384e45af1872bcb6b2
- SSDEEP: 1536:oJBkqSqJX2SWfgjcYrimoGl2bLAGhoHqQ5o6XVwM2htxlimpjKfxX2:oJBkqSLSWYYYloIGhn5uGhTlipZX2
Malware Config
Signatures
- Modifies security service (2 TTPs, 1 IoC)
  Processes: GamingRepair.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3" | GamingRepair.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes: MinecraftInstaller.exe, GamingRepair.exe
  pid | process
  2108 | MinecraftInstaller.exe
  3856 | GamingRepair.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: GamingRepair.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GamingRepair.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | GamingRepair.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (2 IoCs)
  Processes: MiniSearchHost.exe, msedge.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{C9B40891-A44D-41E5-8694-D52D8182EAEC} | msedge.exe
- NTFS ADS (2 IoCs)
  Processes: msedge.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 763290.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier | msedge.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: msedge.exe, identity_helper.exe
  pid | process
  4040 | msedge.exe (2 entries)
  2424 | msedge.exe (2 entries)
  3996 | identity_helper.exe (2 entries)
  2012 | msedge.exe (2 entries)
  3584 | msedge.exe (2 entries)
  2236 | msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)
  Processes: msedge.exe
  pid | process
  2424 | msedge.exe (18 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MinecraftInstaller.exe
  description | pid | process
  Token: SeDebugPrivilege | 2108 | MinecraftInstaller.exe
- Suspicious use of FindShellTrayWindow (43 IoCs)
  Processes: msedge.exe
  pid | process
  2424 | msedge.exe (43 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  Processes: msedge.exe
  pid | process
  2424 | msedge.exe (12 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: MiniSearchHost.exe
  pid | process
  1308 | MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  description | pid | process | target process
  PID 2424 wrote to memory of 3540 | 2424 | msedge.exe | msedge.exe (2 entries)
  PID 2424 wrote to memory of 1380 | 2424 | msedge.exe | msedge.exe (40 entries)
  PID 2424 wrote to memory of 4040 | 2424 | msedge.exe | msedge.exe (2 entries)
  PID 2424 wrote to memory of 1160 | 2424 | msedge.exe | msedge.exe (20 entries)
Processes
(process tree; child processes are indented under their parent)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-06-08 1.10.46 PM.png"
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f33c3cb8,0x7ff8f33c3cc8,0x7ff8f33c3cd8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5548 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5040 /prefetch:8
      Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1984 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6608 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17840876933480699225,11621679804659203347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
      Signatures: NTFS ADS; Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\Downloads\MinecraftInstaller.exe
      Command line: "C:\Users\Admin\Downloads\MinecraftInstaller.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe" scenarioMinecraft
          Signatures: Modifies security service; Executes dropped EXE; Checks processor information in registry
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: a74887034b3a720c50e557d5b1c790bf
  SHA1: fb245478258648a65aa189b967590eef6fb167be
  SHA256: f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250
  SHA512: 888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 64f055a833e60505264595e7edbf62f6
  SHA1: dad32ce325006c1d094b7c07550aca28a8dac890
  SHA256: 7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99
  SHA512: 86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2d5457a7-3e98-4c64-862b-73059ffb2f62.tmp
  Filesize: 6KB
  MD5: 4dcc49f71192e8b138ce3a1054c3d2d3
  SHA1: eff26fd00c2439bedf65975605df3caf6e55dbbe
  SHA256: 43d8da05e301f47a50b206866b414bce5fb6cb0bb722c0fd229595c2c0193135
  SHA512: 5a4e79eb71bb1a56d4f8ca92bb32edf93b02c0e8716bad5f77fdf4d5631c38097196151a1645e48e257f1d3f1055599fe1f140dde3c070490f1de2322acde975
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037
  Filesize: 49KB
  MD5: 8991c3ec80ec8fbc41382a55679e3911
  SHA1: 8cc8cee91d671038acd9e3ae611517d6801b0909
  SHA256: f55bacd4a20fef96f5c736a912d1947be85c268df18003395e511c1e860e8800
  SHA512: 4968a21d8cb9821282d10ba2d19f549a07f996b9fa2cdbcc677ac9901627c71578b1fc65db3ca78e56a47da382e89e52ac16fee8437caa879ece2cfba48c5a6d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 3ab010c995103710686eff80b858fa83
  SHA1: f7e9f16d2b73a71fff48c7fb04ad85d96ca6e162
  SHA256: 61bc3f35ff8651bcfcd80f7d4d3ce29cf5c9438cce9d0c821d9e5b9cd162932d
  SHA512: d36b74ecf28c439a115b0ee55a18997d490365d607fe2fbcfabfb78f603f2c91609082078b5248ac02e1059e745a366526f8170a6438753bc398e8d0068f7647
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: 18d5d47238d109a5a9bb8d83c9d8f647
  SHA1: 4df08b6b55589921a38f0763fda800429ed7a3b6
  SHA256: d4342a0e29bac71d3240702db693aeb5e723ca92be536ee476bc0ef51b098c4e
  SHA512: 0702016dad28140db98a4d0adf781480a67605bbc99529e0d694ba7dccef35ad7bb0655364880b09d26b12d0db1da3b4bf17a1d9410f910e66a4012ee37f16ef
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: bd3967ee086b319746485d03098cdb56
  SHA1: a1655ea004a87eb5ad47e36e4cd8f28e61ac11bf
  SHA256: e72d45a1002afb05ddaf26cf3732aa9342166e5c4e1165522baedb63d61380ea
  SHA512: 50f1739c418b6342b8cad28ad7e1087a330ec0a13b460564107e0cb1d5b3429167379acef36a88924df9ff61705f5c02fa78c752093b62436114b92ac726deed
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: c962356a358040f09ca89f154a8d933f
  SHA1: e4d3e450159b3a053e013a365d09f265c6bf1002
  SHA256: 8b8b31dc2dd58cb89fda819ef6450d844620d7955f0ec50d5889c2a568ada31f
  SHA512: 2132f1fdba6adf8258fa7e52cdf16372d80bf48fc5e93b73be51f667f128813b3de071b1b17eaef512f6002b38cdf514686b23e61ba22c4ed667a0c0e514167c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 8KB
  MD5: 60c764381ae4178043a599107f5a4b01
  SHA1: f73913307b98ce90ee204cb651142b50f7ea862b
  SHA256: a59bb55036cf6cda855a9a54a300a9a87bb7e40d82c5a9800c3c78bd00aa7e88
  SHA512: 1a48953d9949ba82bfe9e0d337efa8133cf97bbeb5ae076bc349c66ec59fb8e8debfe45fd39266c0f5adf86a2e1e252e1b88e19b8e192ee514d61e44ae03a7aa
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: de0ef8587340b259c888562e9340db57
  SHA1: 47f773d82919f6cb41eed70375fa7ee8fb818ed7
  SHA256: d372b4010cb36129cd886e61860b519385061da2981a7fa2a2e8ea3a4498b27a
  SHA512: 641848a1c0a26f573b963cb4b328598df1d34484bc17949be1e6d6384b109feb4a68c5becb9132c2a5b8f20af5ffd14d3d1076fa0d44927a9e7d90bcb6546c9b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 38903a679bce56ed8bb39c6a62f3d24e
  SHA1: e0d01ae32291f328b14e3f0d5a449e1a18d2f668
  SHA256: dfbe69baef68c9a01a0e37236bb1d9f2db26b182907c6e6f3a8667f16a58a70f
  SHA512: 0c8a6303bfc7a75423319005ca9c2962ae8e10abf84d654da2326b970966e4120c9baf704a62a646e7e63e68f2669a147e49874677d19c2d7233863bc5be0982
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 8KB
  MD5: 6dc02ab7adcc90a2f574c26c2dc53e33
  SHA1: fa6b6856a3e5d336c3f75999735d7fa7ff67ba2d
  SHA256: fd0f40f4a82809110253eb5c140f770282f81523dd06a86f31e2dc89edc588ef
  SHA512: ceefbe77d719a841cfd82540f64219600125a5d6ba06b79c754ce6757ff2bf49d30e87093cf8cec805cb7af54179ca492bf60e7dfbf80170136e752b0e49eb18
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: f7b8550dfcca30f2b6f7d6a832d216ea
  SHA1: de1e3e19062291867763cc8afd76a51654033ee2
  SHA256: 0c1cd43defef38eafd5f05189520f0372f307858bea8f6369a53dab6ebd71e07
  SHA512: d36850d5817dd6ec19edbee51f8982a92696e223544386d8e73ee152459443ff56e3476aaf019fabb0a43d2740588cb7eba4f7781ebd3e76afe381edd7bccc89
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 873B
  MD5: 1871efce89e6d876c1a127558bd55287
  SHA1: 876db69d3e2c825c26bee0e2a4a96da850568fa8
  SHA256: d1d287ff6da857cf8f08378576c5bb20ce6004fee11795a5af01e8c65740b37d
  SHA512: 7ccb20e0fbe9a01da38491e1298962d5de341f777de17b35f870dcbab9c337ee015370e9f5758a50ea89bc714c12e5de2c88c61e2f6f8f55f08dc9efc8bd6167
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: d196cf0bee6505cfc924b6eec75cffb0
  SHA1: bee414a2f1e735d2aadcb7bf6b322456831fb4b6
  SHA256: f8bc547b584e3ca53f40aa16501e82639687265c4d151fd818773d8ee1003215
  SHA512: e6cea1b6f0d6d59d4f87988ebe2a271b07e17ecbb6bdf8f225b6906f92c4fb2fe815cb8669451edabd712099920eb01edd59a26356b271f7063f677fa550b34c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58842f.TMP
  Filesize: 538B
  MD5: e156dac31eff35151e87af1902ae1b2a
  SHA1: 2d4fca54d7d90c6b40228903cbf357be9f995062
  SHA256: d2689ac16dd76e59f8ac93f1f85aa87ec778f95aede6297cb5cf7861caa99ee9
  SHA512: 129540d3a7cfbc049b1175609974cbd52651aaa370a2ce11e8a0e8fab020a3ca2ae3d5e3c056b4efc03a60bd5e1b67938b45db502fa96382a06bb4c454b1b226
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: dbb60768790d04f54eb468d44e92bc4d
  SHA1: 3b5d6e2fcdf7e2f0bb7b9a15a498a18b1b8e428d
  SHA256: 00876d901a18eaf8a02a4160a46be98764821895e7bec4890425e431643875c3
  SHA512: 7fb8cc35c9886739461b0b1c4a51d77711ac1b7d973f073c7891b48f8575a3d41ca4ea6a01b8cc37fba135295a9918acbae03ea26a17d3c4e314d669633b8468
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: b0a2147ddb2f18dfe8e30c05297ab46a
  SHA1: d266951188a1ab1ebba388c5aedd17d85b735e92
  SHA256: f4bf347ab83280183acdb16846401bc1612b75ea55eb7d75a3cad0fb48724554
  SHA512: 55b180cfc677dfa3afc737f0e76f76d3cf4022b316da86e73105e915102ea53342294a2ff99c0596e4af413e7d279127c0305f1e312b48c512757ad2d6be056e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: a6ad251cb17623d70e609f6b03f83362
  SHA1: 6be8af7bdbebab48c83b9e6824372a98f8587c66
  SHA256: 1ade92e068998068ba06bc250a8eefc43283794f5ee72e3029227473d1b178cc
  SHA512: 485cfb9bd967d045f267a5433c93df4860eefd8527d3b5ea22916721c339d6b6eec6a1b6849d14893fa554af55505087ade9c974149048ca203a55244bc676af
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: e0236413295e49948baeeb46d884acef
  SHA1: c24f80184264ef596722c1a84b8dedde9bdad557
  SHA256: 11af5d1895a6e5952ebf08f72ad5121d828a5e2f8dc0656875d527e886ca54e8
  SHA512: d99fd945c37dee141ea4e4f2e2460f482230bb679d8a63131348685a7dbebce074c9543161672fc525cd0c84d41d29e2ee78f6e3a7b8f7d18ca40eefcb95e5c6
- C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
  Filesize: 557KB
  MD5: 8a4e72a29c08ae2cd13bc8ec414b8fc6
  SHA1: 26f8d73bc6f5ace5cec6e3652fc6410a71298498
  SHA256: 6513546697c3c9deb50d8dbb0cc9aa0be55487538ed482ec16b6264579de1539
  SHA512: 77eba566c65de1327bcacadb1483f538b4e5da67c3607398d745173ade25e987f59524a5ecf065dd5f95e26654cbb5a48dc80fae995d5d2dd63c63b2cd98fb98
- C:\Users\Admin\Downloads\MinecraftInstaller.exe
  Filesize: 32.3MB
  MD5: 4f02ac057355b5dc73ea28aecd2d56b4
  SHA1: 32591cb75779a3e308a44e75a76f821e7dee11e0
  SHA256: 83a5f942b2a15eab4826ef1709ec6a7f9637a7ec0fce16585776848797307fa4
  SHA512: 9eb08f85559df6af9192bec8904097d4e43a832ba9e9cc1c7be1a366af8d103c3a6db3886f00927ae5eb62055fbc770c7b5a3d2a122a0b460b51136083015368
- C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier
  Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
- \??\pipe\LOCAL\crashpad_2424_UZPDRHGMQFYKOUXE
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/2108-587-0x0000000007EE0000-0x0000000007EE8000-memory.dmp
  Filesize: 32KB
- memory/2108-599-0x000000000B720000-0x000000000B758000-memory.dmp
  Filesize: 224KB
- memory/2108-600-0x000000000B1F0000-0x000000000B1FE000-memory.dmp
  Filesize: 56KB
- memory/2108-589-0x000000000AA90000-0x000000000AA98000-memory.dmp
  Filesize: 32KB
- memory/2108-585-0x0000000007170000-0x0000000007332000-memory.dmp
  Filesize: 1.8MB
- memory/2108-727-0x0000000007BF0000-0x0000000007BFA000-memory.dmp
  Filesize: 40KB
- memory/2108-728-0x000000000CA00000-0x000000000CA26000-memory.dmp
  Filesize: 152KB
- memory/2108-584-0x00000000002B0000-0x0000000002306000-memory.dmp
  Filesize: 32.3MB