80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88

Analysis

max time kernel
95s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 09:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
Size

54.2MB
MD5

2582debad247a1586a34c060a5fad4bc
SHA1

d87216f84e29f9f679f06cca8cb7c483e958f090
SHA256

80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88
SHA512

b252044984c6e6055f56b18edbcbbda6e2f8b8c1826802ce9a27a80495a9c7c1b6469233fb48c8b9a6b9c6f5a349051b896df1f21a9bbe76af1cf81a185c1629
SSDEEP

1572864:xFKmlJuZyNiyG/e4A/E0HuLr3a9uqnkVYDYvSL+p5o31P2:nKgCy6G4esalnCIdqr82

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4996	Candy's Space Adventures Game.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Original\W10a.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Images\Sky\Sky_02.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Sons\Item\sonVial.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Images\Menu\MenuFichier.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Images\Menu\MenuSave.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Animaux\Autres\Colibri.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Sons\Bonjour\Chouette_Toopy.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Web\Website Candy's Space Adventures Link.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Images\Char\Puit1.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Sons\Candy\Rage_Candy.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\NPC\GamTex1.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Objets\Portail\texCloche.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Potion\Vial0.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Space\Stations_Services\Station_Service_00.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Objets\Autres\texHerbe.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Space\WormHoles\WormHoles.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Sons\Evil\Evil3b.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Sons\Saut\You4_Toopy.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Original\W12a.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Images\Lens\lens3.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Fruits\Poire.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Animaux\Autres\Lion.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Meubles\texHerbe.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Sons\Elem\sonElec.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Objets\Obj58.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Original\W34.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Original\W4.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Items\unOs.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Royaume\Trefle\ToitTrefle.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Map\16.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Original\W20a.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Original\W42.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Royaume\Trefle\ChateauTrefle_interieur_lm.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Objets\Obj18.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Objets\Autres\Waterfalls.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\CandySpace.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Map\41.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Arbres\Ecorse_Arbre.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Map\62.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Objets\Obj33.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Images\Lum\Goutte.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Images\Menu\Jauge\Jauge_01.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Animaux\Autres\Renard.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\NPC\NPCTex9.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Original\W6a.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Meubles\Horloge.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Objets\Autres\Roses.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Arbres\Branches_Sapins.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Space\Etoiles\Etoiles_00.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Objets\Obj48.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Animaux\Autres\Tortue1.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Fruits\Banane.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Lillians\Lillian.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Objets\Autres\Avion.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Map\46.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\NPC\NPCTex3.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Space\Nef\Tir.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Sons\Noopy\sonWaf2.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Images\Lum\NoteMusique.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Lillians\LillianTex.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Data\Original\W36a.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Animaux\Autres\Blaky.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\NPC\Xylvan\XylTex8.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
File created	C:\Program Files (x86)\Candy's Space Adventures v46.17\Sons\Noopy\sonWaf.$$A	80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
5088	msedge.exe
5088	msedge.exe
3256	identity_helper.exe
3256	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 1116	5088	msedge.exe	92
PID 5088 wrote to memory of 1116	5088	msedge.exe	92
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 4788	5088	msedge.exe	93
PID 5088 wrote to memory of 3532	5088	msedge.exe	94
PID 5088 wrote to memory of 3532	5088	msedge.exe	94
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95
PID 5088 wrote to memory of 5048	5088	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe
"C:\Users\Admin\AppData\Local\Temp\80a6c864b32e7f7b497629806ace23b4eb1f71419de8064e99dc6299299dbc88.exe"
1⤵
- Drops file in Program Files directory
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.xilvandesign.com/CandySpatialAdventures/aide2_CandySpatial.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa5c2d46f8,0x7ffa5c2d4708,0x7ffa5c2d4718
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,15152986799599904357,9123648063295667199,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,15152986799599904357,9123648063295667199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,15152986799599904357,9123648063295667199,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15152986799599904357,9123648063295667199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15152986799599904357,9123648063295667199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15152986799599904357,9123648063295667199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,15152986799599904357,9123648063295667199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,15152986799599904357,9123648063295667199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:708

C:\Program Files (x86)\Candy's Space Adventures v46.17\Candy's Space Adventures Game.exe
"C:\Program Files (x86)\Candy's Space Adventures v46.17\Candy's Space Adventures Game.exe"
1⤵
- Executes dropped EXE
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Candy's Space Adventures v46.17\Candy's Space Adventures Config.exe

Filesize
1020KB

MD5
f9dffea4d3a07a7c83b0cc7b011e58db

SHA1
82dd94714b57c5599b9e81d946fa54f47664f5c6

SHA256
4da3eeffc12fe71c6f63e4f2a49591d8232b420ba2424fd35c8f7e38752d4071

SHA512
64df8ce08c6fabf0ef7b94c6a121a2f35dce01308be58c58ab3a3d5aa998c0ef14f86f1db649163bda677c7a5cd492797934899ac3c9458086c844056189fcfe

Download Submit
C:\Program Files (x86)\Candy's Space Adventures v46.17\Candy's Space Adventures Game.exe

Filesize
3.1MB

MD5
ef23079a503fbefe4971a24b8f04a662

SHA1
7a41f90dd5d1da72c69c2a2c939bec8896e514ec

SHA256
061f566602880efdfced104ab4a6b8f6acd15b6556f8c6bb4baea04efe39a4b1

SHA512
c88423c3cee41e8bf4b370f8669b9bdfb5062d6519ff3aa12cc44e14ab130dc49fd7c794403587a0a9d71e36043f86fd6aee265bdbf8b93f189cc61bd61e4cde

Download Submit
C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Royaume\Pique\Bloc.$$A

Filesize
48KB

MD5
9f739de63a7ef8ba77375ebd7be2f4de

SHA1
aa86875284365efe9a5ea64ce121db1d8def9af4

SHA256
db700f137757b2f039e642e614d8ba0f0e5ea0714559fa86e13908c3ce290d0a

SHA512
40517fc1f5cf7f4e34443abd93ef8c9e6606c8f4bd07907b693c87b605b983cf94b2c3aecfa61b26cf3d45d70671386dc872e818e2dc2afde43cb8a16dc96c45

Download Submit
C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Royaume\Pique\Coeur.$$A

Filesize
48KB

MD5
86adac1b6dc5d47087019e738c4663f5

SHA1
4c8c15bcced1389db96bfa4ccea8eb847b5d35a6

SHA256
77fa057b56d647ad789c7d5fdce980549637b169366f76362d3af2f6e5c2e8e8

SHA512
17b0bcce39da406ddf2637356f7d1ffe924fe8687c50e592eecab5e1ee868d31b4823213878d1e42614360495422f8bde5bbc0f3afea861cb0c5f178f83fc838

Download Submit
C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Royaume\Pique\Colonne0.$$A

Filesize
192KB

MD5
997981dac48502e5ca7ed7771042bcb2

SHA1
2e5c66e3f063c65924a83f3a90dd6c0d90fbcb49

SHA256
3ba54d9a5a9db260a83b8e15dc3f80876b0c8f24fabcf48d829364d719cde954

SHA512
372d755b75da5723f234099420b62f650303a16129211ac66df7138c01c49eff619f842a5974eca67bfae97a9112fe6e19b66de2c2e90a1b9a45656c105c693b

Download Submit
C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Lilly\Royaume\Pique\texPortail.$$A

Filesize
192KB

MD5
9a5e469ce1ba8d34065fdd8f562637ff

SHA1
2122f74d602fc78d77e96ea8bf7a91c632c15e3b

SHA256
a15467d9493228edb2b75e94afdc0ce1376c04076a9c3be60a8ad94aec471b63

SHA512
3294e805007fa94550f1ddb7a7a8dc620b7f30dfd1df4e810ab4be6fff9ac71e5fd729e9750ac324818f1c99ada45f1790618f94c266082df68dc718eeecee37

Download Submit
C:\Program Files (x86)\Candy's Space Adventures v46.17\Modeles\Meubles\texHerbe.$$A

Filesize
133KB

MD5
5215513833e2efeeea8a216466cde093

SHA1
99d4a4e86ef71a072a47c49d489a15e84de08af4

SHA256
e072e60b408d05af86959102497f610a5705116d6b4d9115ce7aa39b8cb11ba6

SHA512
0ade9d0181501eb392edcd89125f28aa03e04a720f2ca777f8603547ec3371bc921a3c0341383d50ac4096f8230971055bb4bc0e5013e5d634410967e39e3258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb7ae495f6a3c75f8b8225b18d53096c

SHA1
65284f7b0d2023b5f9547325295dadda18678160

SHA256
069f5878049bf0f04395e2da249e234b7c3a1011317d9a4d47ef243f452d54f1

SHA512
1a6d3b76fde082adb668b2056588120dcb169e1dfd142f0174fc0d892ef5b1875ba4ad17fec0fd55d6284799ddb6248852ec8bffef56db9a912b1fc2826649cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7425875c3a38252c67357ebe66c5342

SHA1
0327ef8236797621a628880b5d3760d2a898c0e6

SHA256
c22a65657f0339a565ad72021b042f8448330e8913d5b0116036eb0bcb489221

SHA512
9081af820f01daf854ad26cc610d5e219450fc4fc3a0c1b1d1ffda52b0aae5804893c958683a47846d7ad57b2a3af8311fc5bee0a15a6de2d10b1bc149852b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
80b2a4ab1450b0c8b4f3b6113cb48feb

SHA1
2362926851fcc92ab1fb863e35c4f93c741cb2b5

SHA256
e2417dcb3e80f19d18c0b8cb8203ff417d9414a0a8ef10d23e004750ea9565ac

SHA512
336115371ddc6e78039efcd798662902f5c49d173bc701cf75d5792a9d47aec291a8900e12678fcc7f5eb1275145bf2505ee045325206efe03ced1d9d22e05af

Download Submit
C:\Users\Admin\Desktop\Candy's Space Adventures Config.lnk

Filesize
1KB

MD5
6789edf86875c22627458191f50fc036

SHA1
45f43a0784fd2b452b94624a005066dd6101cf30

SHA256
08c7f69a1ef3f5a1803db386cc57847251c43067ae578a3425ca2e01133ef580

SHA512
d51fcb43c1f19605ee356de8da2ca4e67d2736e8aa26b76de75ae4a9d7651b0d0d33335e31d564833733bc9b408a8245bcf94516a0e81f7ed95a3019bb12c00b

Download Submit
C:\Users\Admin\Desktop\Candy's Space Adventures Game Link.lnk

Filesize
1KB

MD5
afb12ddcde7799fe028447d04a93643f

SHA1
108634984b9d1931e09e8ac805574d7d204e3416

SHA256
d329a948ad9f4015cc7f589f69ca3c268394bf132b8ee497960c8b215503f828

SHA512
190832fad6665b690aaf34114b37465ca50ad511c670feb4c53e1370f69eca33346813935e0ad2db2a3b9e9ebd7e753dc92807f72929befad5a8cdf7394eee7d

Download Submit
C:\Users\Admin\Desktop\Candy's Space Adventures Game.lnk

Filesize
1KB

MD5
258cfb20ebf3138355cb7a4edd7a0f5b

SHA1
2f60a8b03594eb58991470febd551e2c99f2ac55

SHA256
da193a9dee0acd620fc3b80bca78d85fd2a14606f12736feeae0969a2dd2785c

SHA512
67f89fabf8e3047d06de6564b6cd04519e574f82cd4e129ff8a18d8446157ea0c9b45f9a22720abfa9723bf8bb99c6c2f88feee93e2f062bfa2968e8601feb62

Download Submit
C:\Users\Admin\Desktop\Candy's Space Adventures Help Link.lnk

Filesize
1KB

MD5
381d88170360aa18e878c4125bdb90ab

SHA1
f3afb82b0c7180d734361192427c5d1fcccc46e3

SHA256
b41e7aa6179fcf829489a5cd4880daa1db97400de9b2529cdd563eff22a7ac6c

SHA512
3eaef2055d5d61d73eea804e1029819c0919a1f9d52e097093020a8c7957efc405b5d0888d42b35cb37be54a936f65e0196cc870ee5e31da2e18d368ff5e3fbe

Download Submit
C:\Users\Admin\Desktop\Xilvan Design Website.lnk

Filesize
1KB

MD5
20955ee41647534afdac87d6c1229001

SHA1
b162b3aaa6b7327969b26d040a673ebce65d3714

SHA256
6c3ee2a78f8d330c3cd8d1dd4fbbb4db0238668b81729b759ae7fbe70f92c8bd

SHA512
3499065848825245d1aa9db13725b35d3150b379cfdf84b282372234b7ce75502af9b3ba2b3fbf79acb76538e8461e512c9566ce818a5b5da3df121ce073405d

Download Submit