fe6ef89f60d6ee9658e4a95126daf760ab983996cdc32b11fa7cd222e52059d1

Resubmissions

20-02-2024 15:50

240220-s93d8abe65 8

20-02-2024 15:31

240220-syjgzabc44 8

20-02-2024 15:24

240220-ss225abb57 8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Overwatch Server Blocker.exe
Size

248KB
MD5

2dd1ef815043e4cad7a8824bda5749b4
SHA1

ba1ce1ac279195d0d94142ddddf33169730a12f9
SHA256

fe6ef89f60d6ee9658e4a95126daf760ab983996cdc32b11fa7cd222e52059d1
SHA512

b96fa87ac5f7ad14e338f3314e91a5b05b65bcea9affaa4f37ac78385507642a45ee5a3b2237c2fca50ff0dfd9f6a8a42c308e3703fa065544e1fb24160ffb94
SSDEEP

3072:Zg95y39boeOQ9WwzzLjE5UPtJ0zLjE5UZS1VlVo:Zg95c9b/ztPcztZmV

Score

8^/10

evasion

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1060	netsh.exe
564	netsh.exe
3380	netsh.exe
4284	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	Overwatch Server Blocker.exe

Executes dropped EXE 1 IoCs

pid	Process
4792	ME Game Servers Blocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 108610.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
4940	msedge.exe
4940	msedge.exe
5044	msedge.exe
5044	msedge.exe
740	msedge.exe
740	msedge.exe
944	identity_helper.exe
944	identity_helper.exe
548	msedge.exe
548	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	Overwatch Server Blocker.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2236	1472	Overwatch Server Blocker.exe	89
PID 1472 wrote to memory of 2236	1472	Overwatch Server Blocker.exe	89
PID 1472 wrote to memory of 2236	1472	Overwatch Server Blocker.exe	89
PID 1472 wrote to memory of 2660	1472	Overwatch Server Blocker.exe	91
PID 1472 wrote to memory of 2660	1472	Overwatch Server Blocker.exe	91
PID 1472 wrote to memory of 2660	1472	Overwatch Server Blocker.exe	91
PID 2236 wrote to memory of 1060	2236	cmd.exe	93
PID 2236 wrote to memory of 1060	2236	cmd.exe	93
PID 2236 wrote to memory of 1060	2236	cmd.exe	93
PID 2660 wrote to memory of 564	2660	cmd.exe	94
PID 2660 wrote to memory of 564	2660	cmd.exe	94
PID 2660 wrote to memory of 564	2660	cmd.exe	94
PID 1472 wrote to memory of 3664	1472	Overwatch Server Blocker.exe	96
PID 1472 wrote to memory of 3664	1472	Overwatch Server Blocker.exe	96
PID 1472 wrote to memory of 3664	1472	Overwatch Server Blocker.exe	96
PID 3664 wrote to memory of 3380	3664	cmd.exe	98
PID 3664 wrote to memory of 3380	3664	cmd.exe	98
PID 3664 wrote to memory of 3380	3664	cmd.exe	98
PID 1472 wrote to memory of 2020	1472	Overwatch Server Blocker.exe	99
PID 1472 wrote to memory of 2020	1472	Overwatch Server Blocker.exe	99
PID 1472 wrote to memory of 2020	1472	Overwatch Server Blocker.exe	99
PID 2020 wrote to memory of 4284	2020	cmd.exe	101
PID 2020 wrote to memory of 4284	2020	cmd.exe	101
PID 2020 wrote to memory of 4284	2020	cmd.exe	101
PID 1472 wrote to memory of 4752	1472	Overwatch Server Blocker.exe	105
PID 1472 wrote to memory of 4752	1472	Overwatch Server Blocker.exe	105
PID 1472 wrote to memory of 5044	1472	Overwatch Server Blocker.exe	106
PID 1472 wrote to memory of 5044	1472	Overwatch Server Blocker.exe	106
PID 4752 wrote to memory of 3344	4752	msedge.exe	108
PID 4752 wrote to memory of 3344	4752	msedge.exe	108
PID 5044 wrote to memory of 1596	5044	msedge.exe	107
PID 5044 wrote to memory of 1596	5044	msedge.exe	107
PID 1472 wrote to memory of 4300	1472	Overwatch Server Blocker.exe	109
PID 1472 wrote to memory of 4300	1472	Overwatch Server Blocker.exe	109
PID 4300 wrote to memory of 1656	4300	msedge.exe	110
PID 4300 wrote to memory of 1656	4300	msedge.exe	110
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114
PID 4752 wrote to memory of 640	4752	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\Overwatch Server Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Overwatch Server Blocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall set rule name="Block Overwatch ME Server by Tamoza" new enable=yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule name="Block Overwatch ME Server by Tamoza" new enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall set rule name="Block Overwatch ME Server by Tamoza" new enable=no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule name="Block Overwatch ME Server by Tamoza" new enable=no
    3⤵
    - Modifies Windows Firewall
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall set rule name="Block Overwatch ME Server by Tamoza" new enable=yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule name="Block Overwatch ME Server by Tamoza" new enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall set rule name="Block Overwatch ME Server by Tamoza" new enable=no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule name="Block Overwatch ME Server by Tamoza" new enable=no
    3⤵
    - Modifies Windows Firewall
    PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tamoza.net/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdfb246f8,0x7ffcdfb24708,0x7ffcdfb24718
    3⤵
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,464592642822706572,4650618621224898011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,464592642822706572,4650618621224898011,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tamoza.net/
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcdfb246f8,0x7ffcdfb24708,0x7ffcdfb24718
    3⤵
    PID:1596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:1308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
    3⤵
    PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
    3⤵
    PID:4928
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
    3⤵
    PID:4908
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
    3⤵
    PID:1736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
    3⤵
    PID:2008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6612 /prefetch:8
    3⤵
    PID:640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6932 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,8058749229817652717,3366765290257252945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:548
- - C:\Users\Admin\Downloads\ME Game Servers Blocker.exe
    "C:\Users\Admin\Downloads\ME Game Servers Blocker.exe"
    3⤵
    - Executes dropped EXE
    PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tamoza.net/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdfb246f8,0x7ffcdfb24708,0x7ffcdfb24718
    3⤵
    PID:1656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14082285045248858109,14935034465004236284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tamoza.net/
  2⤵
  PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcdfb246f8,0x7ffcdfb24708,0x7ffcdfb24718
    3⤵
    PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b120b8eb29ba345cb6b9dc955049a7fc

SHA1
aa73c79bff8f6826fe88f535b9f572dcfa8d62b1

SHA256
2eecf596d7c3d76183fc34c506e16da3575edfa398da67fa5d26c2dc4e6bcded

SHA512
c094f0fae696135d98934144d691cee8a4f76c987da6b5abdb2d6b14e0fc2cfcf9142c67c6a76fb09c889db34e608d58f510c844c0e16d753aea0249cfc14bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
102KB

MD5
e1c894bf3fbd58b78d850ce33d6f3983

SHA1
08d182fede0e0f35c2d3937dad01b695f7f805d9

SHA256
4e3e0243085becdecfd2e3cbbaa3ac44c3f66b994315796dcf7a6b9e09d703ad

SHA512
177508aaf0b27631c3d038cd4652e93a879095f7e0bd6d295be33790dd16a91015eb0b84627a349c76c8b30029e03c4c41b199f5f680a39ca4439800db750792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
76KB

MD5
9bc4986a04f803b5c8408a4154834c79

SHA1
0022e64dd1616dd5ea15fa60bfedd33301f10a40

SHA256
349bbfa98ffdd5b198fe11bda65818d6ae3d087d4fdd61496f8859a76dc613da

SHA512
d771d10bb1a558b7b7564d06aac97bcd92fe1b8a2a6a9c78e025a2a1a7f363acbf866febc3874d2faba9e97892af4ac73e672d9a63c5baa7aa649c712738bb94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
62KB

MD5
971c13e1c229547b027a5d1524baaa9c

SHA1
25b9e81c672619adccf19993cd1edae7c3e6f368

SHA256
b4df6ede847bb2f3192da28b942eb37b67a0af8291a43eb289c0a3fee2beba21

SHA512
44e01fcb0fd87b58ccff4fe47b17dd80418556f53d1b7237dea6c9ebb76d7123b1f111232526c90a03d18acfc894da2dd2bd6b0f04e5618497a4e74e4f9d1ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
74KB

MD5
ab5996a24d9057b260b16d40226d46f8

SHA1
ad9c44639be4bcde638cff3742f57f00bc4f5033

SHA256
4cdceec7a2a8c635e58b2fa704c89d4c6cdc50da64ec45a214eb962302185c77

SHA512
93757c04801d94194cbb9928c4e250af8b01f7c28d3244bb7a330473fa6d1980d018eebbad9ace9ea80d9bc38050030d97a6f334ee24dcbf948c9c80e3906fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
64KB

MD5
83e23f24bba07cc052fea397c3287c46

SHA1
44763f51df28e7eefb65ac151d4d976daf1b56af

SHA256
192c59cbcfe6f42115f846fd71871df22183d52995fd8ae83cd5841e89f24ec2

SHA512
8ddd37cf79a3b34eb6235111c60ab6c45dc3213f83b0d134b80e28e22577ab22d0fcb039d640f268e02e44778c0ce68001d1405dc7994d99ac10f579d40a6cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f84f582692866199_0

Filesize
20KB

MD5
0f4400f17d7a6453a0bd6d99992d844f

SHA1
c8cc2757278439aa53ea607bfab55c37a84e2796

SHA256
5e1ac15c00f0491548bab3fc440744d677cbed3e2bcbc3f21fc8f90104168e8c

SHA512
cc779a791e300f95a1877ceaf32fa3a61d72b9c3e78b28c1c9e2c2aae84e173bf8e585e8ebec5554d71cbd580a0bdf56cf06a6cd48f7b9662b73cec534360036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
121db62e6c05fe50b7a384fa16dec044

SHA1
372d630f9496fe12e419387b1fc4974ea81ea487

SHA256
2ed33ce5f6a184a45fde19b820b27c587c8147fc18033750babaee7fb963e4d7

SHA512
2a3e12747a1b3d42f5a0f32de4c1aa1074832dc6fb5d41a5536d7aaf23d1a8d91116776badf8e05e81d811ee596cacf6c79277fba59a52ec1da72c11d8c0dd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
67f26e8d462bc5d288c0533c788ee813

SHA1
a547c18073aa7d5bd44d21f69032c4b80fcfc91b

SHA256
80d735d3ca1ccc4aeeba658d34d8b2a1eafee0b23fef52aedb00e65a572d0a76

SHA512
4e88ca84f4137e0da73bf8737ad61d1ce2a7c227c62fa2d992539a028ed8e48dca5f075a1bcd4117e41ae7541b37cb7a97610dd74b44ba21a25452c1044f0fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03619bed5a047d32fb63f4de337433cb

SHA1
82765f9b3f89d89493ac038cd9e2d630d152cae0

SHA256
38158876e5af42d7f221dbe14f74efde8ea7b786a2608ff32c4c234d2a9ae131

SHA512
a5043f2debb373676bda923c856235750c8ebd67a6030e7f52be11fc5a2a0e52bbc336b490e3246054ea94fe971f3f97f6ca5f1e6b316f1376105ae48a4df140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47958db7d511f5407f18e87bca7bc769

SHA1
1aca801a5f63c2545e06b7068770031560940ec1

SHA256
916c402143d6d92200069e0978e40f159348434ce533b5cd3693e11e1a778963

SHA512
5b0eacd7d43fc03bc1c090bdd163a9f4d531a26810205be4620213a19e7c5756e0a0d433c3be3a7538d58163ae6e6eef789566dc44f602346d3a1d8f1124b46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1d1c7c7f0b54eb8ba4177f9e91af9dce

SHA1
2b0f0ceb9a374fec8258679c2a039fbce4aff396

SHA256
555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18

SHA512
4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
927ed585e4e470e17f812e7b77effd98

SHA1
739e92700cf11515f6830ed4714f37a8497dfe4d

SHA256
4325abb97c47e4771e3270807be8eb7befd4e81bff23e618f4d32dc11873e935

SHA512
b1082cb403438be8c62bd57da5cee4e6b7803706e0d38efa51b523eca76715871d3254713a27e06315634fa903586a172d6a42b78372294907d4c43b0ec73d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
205074e33b46fd377003174c1ac9b66b

SHA1
eed4969bae7c888fed46cfc22b79aa412e44c967

SHA256
71cdb12f08248a5292a90aab0e2cd8ce2ea5793224e895313cd9f45dc6693661

SHA512
310a28d0c5a1d8360b838c31b45e7c2384a80c971dcb0bfaa0e8ed5ce7bbc73efce3a6ae4e1cae39919bf789322837d9225e3bfa7a6d9fc0eea17aa157472556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596c3d.TMP

Filesize
371B

MD5
d13dbd7bd47615524e2f7f1e29017e36

SHA1
4bd2fd2bbed0e88c6132d16372c78ccaf0559126

SHA256
e4ca216bb495e0d3335cf61967597032d3b48efedb7fb9e3010b673ecb02c101

SHA512
353dceec17773c7141f198ddfb0f7dbba868ad53679abf251ee251bc3474af993eb4d5f8ea24e4c533f562a9ed59e53045af57d9cc5c0c1e5d4333dd3c28700a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66d45cd517b877e5a4e000d0341f404f

SHA1
68a0dd709a1337a024d3e807b52e644b0dcb0ff5

SHA256
e662b9c40a9d6049851aba9ff3bc3d7ed4fe20040cd08484283f4fcae5f9fcc6

SHA512
d9830523d544ddfb2a53bf47cc0bf20b5f0cb5798c3c040fcca8123b54efefd0ced5d4ae124c4db236cf40892b3a341a60eed925d03f69776e8ca810ce43e509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2743e9af2c3b122c62cd9c8ee99cde3c

SHA1
90805a0c9aa0cc4a40c90ecb28b2efaf10ced79e

SHA256
2886eff882d62ba0c3080fae4b12378d35f3a9892e6a294f91877e317b92f66f

SHA512
5e6d6d1e483e687825f9903946994e0326b518c8bbae979f37e5e70f29cdb15e72b2399ddc455d7650448e59347b06324a1376154fc8c20fdbc107165c305965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
032d9b474ac2487b8b0f64c168ed7baa

SHA1
ab3b05c7eecb5ea3cd02248a0a5c8a71478ef837

SHA256
a022306c105487181ecc9c9e4616f41e63874b28515fc5bbf1704460098eeb54

SHA512
8ff4499918e318b6c54c9a80adce0fa30fac0077c392796268431164161a85654c1a585aac9ad0bc5f618f1ee043537fc780570b4fa1b2a82761cd70d2d4d5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
13600b4461448cbf07f2f19db2da871c

SHA1
2196d90c2758f7f9bf806ad2379c39ddd5493a26

SHA256
d9b0e2a68ba4977ff8efeb95d90b478e709a584ad189c4a423258cdad8e16aed

SHA512
16d163ed70762695d97eb1ce6dd4907f4a000372a3fa469fcd85856bae6a1ec4f56dab8b999d4f8a9a7ca5990198e058c3bff6e539d6acba8363a05309faafde

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 108610.crdownload

Filesize
552KB

MD5
4a8eabb71f09b1d7eafa4773423c6b58

SHA1
2005a97bc92421241c0ca33a412ab930133ddc4b

SHA256
f88e12d71709f40bc1d04fc12e5d69f0eece222b4afa1cfe6d2fb7c22694ee73

SHA512
5b4914da53d479f05b6b50c926965685f8cbdae44837156f43fa272c7b4c1b17a83a10d468a1a3aa25605a69f03b88031271bbe1ed6750554e84d33a54c8287e

Download Submit
memory/1472-5-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/1472-3-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/1472-7-0x0000000007CE0000-0x0000000007CF8000-memory.dmp

Filesize
96KB

Download
memory/1472-6-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/1472-1-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/1472-9-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/1472-4-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/1472-8-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/1472-10-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/1472-2-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/1472-0-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/4792-466-0x00000000003D0000-0x0000000000460000-memory.dmp

Filesize
576KB

Download
memory/4792-467-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/4792-468-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download