2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
131s
max time network
133s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-08-2024 16:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

10^/10

defense_evasion discovery evasion

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

GamingRepair.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3" GamingRepair.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

MinecraftInstaller.exeGamingRepair.exe

pid process

4944 MinecraftInstaller.exe
3652 GamingRepair.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MinecraftInstaller.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MinecraftInstaller.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3"	GamingRepair.exe

pid	process
4944	MinecraftInstaller.exe
3652	GamingRepair.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier	msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MinecraftInstaller.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GamingRepair.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GamingRepair.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GamingRepair.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "253"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{0A620A09-B7D6-43A8-B048-9F3228220280}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 628683.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3952	msedge.exe
3952	msedge.exe
4692	msedge.exe
4692	msedge.exe
4904	msedge.exe
4904	msedge.exe
660	identity_helper.exe
660	identity_helper.exe
5112	msedge.exe
5112	msedge.exe
3700	msedge.exe
3700	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HorionInjector.exeMinecraftInstaller.exe

description pid process

Token: SeDebugPrivilege 640 HorionInjector.exe
Token: SeDebugPrivilege 4944 MinecraftInstaller.exe

description	pid	process
Token: SeDebugPrivilege	640	HorionInjector.exe
Token: SeDebugPrivilege	4944	MinecraftInstaller.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exe

pid	process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MiniSearchHost.exeLogonUI.exe

pid process

444 MiniSearchHost.exe
1788 LogonUI.exe

pid	process
444	MiniSearchHost.exe
1788	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4692 wrote to memory of 988	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 988	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 2764	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3952	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3952	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4948	4692	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff76383cb8,0x7fff76383cc8,0x7fff76383cd8
2⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
2⤵
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
2⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
2⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3412 /prefetch:8
2⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3340 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
2⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
2⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
2⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
2⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
2⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
2⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
2⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,5643421696827714499,17651216657008323135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Users\Admin\Downloads\MinecraftInstaller.exe
"C:\Users\Admin\Downloads\MinecraftInstaller.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
"C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe" scenarioMinecraft
3⤵
- Modifies security service
- Executes dropped EXE
- Checks processor information in registry
PID:3652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:752

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
49KB

MD5
8991c3ec80ec8fbc41382a55679e3911

SHA1
8cc8cee91d671038acd9e3ae611517d6801b0909

SHA256
f55bacd4a20fef96f5c736a912d1947be85c268df18003395e511c1e860e8800

SHA512
4968a21d8cb9821282d10ba2d19f549a07f996b9fa2cdbcc677ac9901627c71578b1fc65db3ca78e56a47da382e89e52ac16fee8437caa879ece2cfba48c5a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8e9b6f56f87e1c021e568f5cae11b0d7

SHA1
96d1f07e82addbf0d1741b6a9e12380a690036bc

SHA256
b1f5294d629bd63af2c0a4fcb0fd981d07015204e68d9a8dce7fd57cc596e18e

SHA512
ea76f55c36799c984363c14f37b700159e276f0ae2cd0a68e739b5d9e28579ba03eebfa1a0edfc3417a4de2fd622badc5f85dfb05a9cc0939be94dab8784106d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
77fcfc300bb2d093216bbf4ad0c5f67c

SHA1
694e7d07e563d9b0ca54e885ad800a243a2e5948

SHA256
d4672b450ab1859978f7b435cf3410351a25e226ce5b039882b78aa23e5b7764

SHA512
375eb923e13db49d355c7662424585ce274b4040174766b302031812b969eeea8d374389f1b1a4f773406ea004f67c080295ef9e1dee8a3c33a5f170ba79f0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
391ae352fd7a73419350cc0695579e0d

SHA1
bc5e8957a6ce6acd66b8afa219d2884495910654

SHA256
75a3b045329a58b261ff5a90deaa83f4126f4e7cca2e641b2f7e5bcb00372db9

SHA512
c243cb77d93d63369949295987263c1e3a5d990b0dae360e117ca3664e12d3b31c9fffd1512da845ddab1d3a17046d6876836fd31f3f136728e3ad018a7b679e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7dd61600b8e63ce3d1517433d66a95d7

SHA1
c76d188bdeb48b3d20b3a3d83c6bc49dd9ec09db

SHA256
dd1c7b7ea1e5c893a3d1ddeb7c71f82354d369adedbe18e87f7eaaf6a38b01ca

SHA512
1fa30fdce9848d6747179d0dbf101221acef4656fdc3164074cc7ee70b3e9f744a38825db4e803e08a937187a254688f049d9da5d8be7026a6932d4e25aa78cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d883abf276dfc084b226dd98b2ec1b58

SHA1
02945e5e05c19919ce6803eff75d53e804cff81a

SHA256
eac0f18c5e7857ffc3c1459408349b454519b66966821afb2d3713be8ab44f8c

SHA512
5bb24a0f74430ca47f3f3257c511363c78aa217acf1843a4f86db61cd2c70b41566deee3f04cf19a997f1e91ab23201e4d5e8ef9faf0143d27795a5382f9fbca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
821e7827312a60793638c015fd2de1ff

SHA1
f4de0232295a18a9e492f66e0d340019d15173c7

SHA256
aa8ba79771a06b7d13b4074e8b7fd585184d30dc391b956307ac482ca739a27b

SHA512
3320737524c47cb9f9e363fe79ac46a2642d2dbac60454f97fdcfef1d51b475640f7f5557afb688dd7cdadb6fbf82fd886177e1402b86833c2f68598f06a9029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
257ad9e610af123f4c1c462c7d3b844c

SHA1
370bac0f1e4242cd38aa3d3476af505fbc61aab3

SHA256
3c9a09defbf6b4eb0108573e97fca02f74618302cb0d40e4442c410d43f273c0

SHA512
09121a779badad3a7f965e9b081f00fe61ca09afe5c69e5b3b0b261092b88725d151b6de04414b1753d492fd2fb097661deaa28d765ae51c8fa8c19ce9cd7ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03429cf1ef3cfaeeb4450cef2d8d0418

SHA1
efb48b08ee770856c08a90d6435a2779bba6f927

SHA256
7a86a20e17fba744df9ca617e7680421ad7b0621efca6897805ad1e3fd752681

SHA512
86472fa6792211d17e8c235792fe350213549d8a8e03cab845cf91bbeba29a1c4e0e850c4c24aa9009e5403055f5f3501c769ad02570909adfe409cae919f112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
35356cf7e24323ffdabd0f0a40e79ec9

SHA1
23114326465b39ce21391581907d01a59b860613

SHA256
6b191433d60e917081fe694f1352a5bdcf94bfad4f5ed9c5ce7fc77bed5341f0

SHA512
ef4b7f6ff646bbb9f9f15b38950dad4bfdae3522a7c3a116f77e4a0cd65786ab0d6539854b0918b142665c9f459a36b12c6d5dadbe97784bf6a9d0640e9426eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58848d.TMP

Filesize
538B

MD5
cd108cef62f7f1e2a0de31d7ae9c1fc5

SHA1
48c67845451c8acf079d6fe75fb06689d3981298

SHA256
ae2da5600afbdd79c94374dbb976ba6199511d844d68870bd1c5209682472551

SHA512
3e1600ca134a1549f69eb506155c14312e1806fe44d08b1323a692d797aa697f79eb1d0afe4b866d47b1c96f45ad6f2ffc3fa7c0075fb4733289ea3e4af66b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f8db7f7e8c8caa5ef5e336a476912262

SHA1
215ce700fea4750b8e55e92f37492ed51826fe32

SHA256
ecca701dafe1809a9e0cb90af2e5bbcb11399a0679490df0dc6ab835e5b77402

SHA512
c2d74ca08ec381e19c68de1800a5e61bd4379adc8543f84070fefa4a9f60bab39b7cfb19fe7c90275385449a791139beb4c62029fe57829b71712aa153c88edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5546b62c517bf6453ee04443f97d10dc

SHA1
19d6e60feb6f386cbf6d7ddb1edbd68844adec79

SHA256
8f5d318640e8ee07437b904620ffbbc44300c986c1baf7e426d048cccbb771b0

SHA512
73170cd21f351f762c80727da9cb7e2acb5c504ab12c8618da3118ff3a1a65ba434865c2b04773ca854d1c8817ae738cdf73258ab91c5866f070e9b6337b98fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e5b97c42c3c052117942ce15160c876

SHA1
047c6d38b4c71651e211ec5c01dbcb615783c2f9

SHA256
187f927847eb71c314930598758135944883bb85eccd095edbbc21c665d4db2a

SHA512
ff2349953940ef2fb1dd6ca08b054afd33550778e4bba6f6509ef264faac58b22f951b489b49a5d79a0539a44c1921476713f2b35e750c8cd231864e199f1c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe

Filesize
557KB

MD5
8a4e72a29c08ae2cd13bc8ec414b8fc6

SHA1
26f8d73bc6f5ace5cec6e3652fc6410a71298498

SHA256
6513546697c3c9deb50d8dbb0cc9aa0be55487538ed482ec16b6264579de1539

SHA512
77eba566c65de1327bcacadb1483f538b4e5da67c3607398d745173ade25e987f59524a5ecf065dd5f95e26654cbb5a48dc80fae995d5d2dd63c63b2cd98fb98

Download Submit
C:\Users\Admin\Downloads\MinecraftInstaller.exe

Filesize
32.3MB

MD5
4f02ac057355b5dc73ea28aecd2d56b4

SHA1
32591cb75779a3e308a44e75a76f821e7dee11e0

SHA256
83a5f942b2a15eab4826ef1709ec6a7f9637a7ec0fce16585776848797307fa4

SHA512
9eb08f85559df6af9192bec8904097d4e43a832ba9e9cc1c7be1a366af8d103c3a6db3886f00927ae5eb62055fbc770c7b5a3d2a122a0b460b51136083015368

Download Submit
C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_4692_VFOVCLEEEHBMEPTH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-1-0x00007FFF7B633000-0x00007FFF7B635000-memory.dmp

Filesize
8KB

Download
memory/640-9-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/640-4-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/640-634-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/640-135-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/640-7-0x00000188F60B0000-0x00000188F60E8000-memory.dmp

Filesize
224KB

Download
memory/640-2-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/640-0-0x00000188EF7B0000-0x00000188EF7D8000-memory.dmp

Filesize
160KB

Download
memory/640-40-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/640-8-0x00000188F16F0000-0x00000188F16FE000-memory.dmp

Filesize
56KB

Download
memory/640-5-0x00007FFF7B630000-0x00007FFF7C0F2000-memory.dmp

Filesize
10.8MB

Download
memory/640-6-0x00000188F16D0000-0x00000188F16D8000-memory.dmp

Filesize
32KB

Download
memory/640-3-0x00000188F2090000-0x00000188F214A000-memory.dmp

Filesize
744KB

Download
memory/4944-581-0x0000000008840000-0x0000000008848000-memory.dmp

Filesize
32KB

Download
memory/4944-583-0x000000000B450000-0x000000000B458000-memory.dmp

Filesize
32KB

Download
memory/4944-585-0x000000000B530000-0x000000000B53E000-memory.dmp

Filesize
56KB

Download
memory/4944-584-0x000000000BCA0000-0x000000000BCD8000-memory.dmp

Filesize
224KB

Download
memory/4944-587-0x0000000008560000-0x000000000856A000-memory.dmp

Filesize
40KB

Download
memory/4944-588-0x000000000D750000-0x000000000D776000-memory.dmp

Filesize
152KB

Download
memory/4944-578-0x0000000000D10000-0x0000000002D66000-memory.dmp

Filesize
32.3MB

Download
memory/4944-579-0x0000000007BC0000-0x0000000007D82000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads