hxxp://wwm-roblox[.]com/games/6403373529/UPDATE-Slap-Battles?privateServerLinkCode=96710708575114978712317766150509

Resubmissions

22-06-2024 13:30

240622-qr4hfszdqc 10

22-06-2024 13:26

240622-qp1c1szdje 10

Analysis

max time kernel
83s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wwm-roblox.com/games/6403373529/UPDATE-Slap-Battles?privateServerLinkCode=96710708575114978712317766150509

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-200405930-3877336739-3533750831-1000\{6DDA92CD-52FF-4AC6-9721-8A5F60B7DBF3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4092	msedge.exe
4092	msedge.exe
4848	msedge.exe
4848	msedge.exe
412	identity_helper.exe
412	identity_helper.exe
5508	msedge.exe
5592	msedge.exe
5592	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4848 wrote to memory of 2540	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 2540	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4864	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4092	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 4092	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe
PID 4848 wrote to memory of 5108	4848	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://wwm-roblox.com/games/6403373529/UPDATE-Slap-Battles?privateServerLinkCode=96710708575114978712317766150509
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a8e446f8,0x7ff8a8e44708,0x7ff8a8e44718
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
2⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
2⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4192 /prefetch:8
2⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
2⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
2⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=3080 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6184 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
2⤵
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
2⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
2⤵
PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
2⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
2⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,10338048472388394228,1342161719781632120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:1428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x48c
1⤵
PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
477462b6ad8eaaf8d38f5e3a4daf17b0

SHA1
86174e670c44767c08a39cc2a53c09c318326201

SHA256
e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d

SHA512
a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b704c9ca0493bd4548ac9c69dc4a4f27

SHA1
a3e5e54e630dabe55ca18a798d9f5681e0620ba7

SHA256
2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411

SHA512
69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
20KB

MD5
afcb8f6daa231449d6d7860e77c234ba

SHA1
2444cf8aa73e178e5fe0d086291aa8d88eec5e47

SHA256
30ba5079f7e3c1707c60a0ebdb32dd35418005738101b6c7acb04e670a1a96d7

SHA512
7cd7550616477654f52c0bb14ac49d4b9945243eaa78f05a37bfec8f0801697c7cd3d65bad7595ff45fb5bc071b199701af0bec2f579c18c28d03039b3ff0d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
59KB

MD5
99adec199701191fda80529b0506e475

SHA1
ba63a6135825ed9f463762fdb1fe8e4a3cab26e7

SHA256
86301cee42e07c559f6e99eb7e7270015f1b0617d1169feb1310508d4c6e004b

SHA512
c4ae0733870ef45a493685a3871c77dc2f9373d6104b429d38d508b5e6b0263114b0680e46e57ca20dc236cd45a4f6be4a1d1fd54945015f6bcfbd379e911267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c
Filesize
147KB

MD5
759ab24cf5846f06c5cdb324ee4887ea

SHA1
41969c5b737bc40bbb54817da755e3aa7d02f3c6

SHA256
7037e6c967c38477a5fcd583c74892e16b7a9066cd60287c7035bf0760d05471

SHA512
3470ae07eb7c54feee1e791e63a365cfb0da42f570a66e6c84faf5db6bf8395173c6cb60e8c5cf28eae409f26ea5433c3c5d6ea32eb07e5997c979c6e3ccf4be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
d6b30708d8450d6f0ab0a202de1c4c87

SHA1
859a9d141bb60475c79df9f2bcd00edea9e909fa

SHA256
463ead5dfa3b28bf7eed50a3e08d171798d2ae71bd567f37e040d5bdefbf880e

SHA512
85e6737138113ee12e0e99024d944d727451f4e3918f0bfa14e51e8eb34b377182a0033a8a9b22e5aaf8241a2c2484182a3ae77f33daee8148e15fa3a46bfcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
9KB

MD5
f22cc5891165767c043ff655978e2b03

SHA1
0ea162d683a5bd7f5868fdff47b89156255e99ec

SHA256
db961fb086ead984e0bb801158185212d9a7a7fe8d04e843dad2a499b05dfffa

SHA512
9fd40e7fc0c535bc42ef96afcd1845a53173d7bbfdc36381fb9aec8b76a9341d7fc3ce904c27b8b87cdad42e7350a572859e9c75a02b29204c86d8e379806d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e0af671e4b14d7e4d58b048b89195f44

SHA1
54c07d13e594e78c70c46c11e5e8ef61a31a1d33

SHA256
cc022e4a078e8739775bed9b9f1da113b94f992dd6933bb5f7fe18b4de61f7a5

SHA512
7ece2df51b8d300c2f8592b814f6845bd459e71e1df3a90e1cc96b0ae954840c4ccbfbd9706a12413ab1a2a3dbf7dc2b4de3779c251bad1b85de53b3cd426540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b180b057d1c31d5719a7ffcb6a1493cf

SHA1
ac3288994617ecec5b5b0e06c61d3b98e2f776b8

SHA256
b430b0810a3f58e26bb5c1e87a790a64a21a867a2cf4ad0b6ddb91a49ccfa682

SHA512
4b8f165f8e52dacc7963b8d1c6db0d111c5cbf936c224567a19d2baa808cdabe21b5034ea480df4ba8c1049681a1398a6928498b2abeadb86fe246710f01d1b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a51333de2a58b877a1266199d46d38a0

SHA1
bd17ed5d51c45a02a61173925db14a8ed5fdda5d

SHA256
6df279069c2e0ad0086522ae88b0ed1f27a7b9add4ff6bed8ea3e535f329c0fa

SHA512
9308168a0853e1f7adb7012d4032a5b1dee9a7db43fe918dc65d285bc68afbb23e1e5edc22a9ff14f9e0408e87f1504caa926494f74ac9a4fe479be1d61ec84a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
bbf4602e4360810f1c11663dc898329e

SHA1
4f038cd49320d679085145c3afdaff3fd8ce5895

SHA256
19ea3efa848d18eaf29f853125b798679c406b69153f85d4e29f64e39e7a7adb

SHA512
2ea3bdbbf52256f7488ce995d1a6e1e8547a3d851b099b423e8ca132df29738151608c4d853cf2fcc9768b1c0a115cb93096e401d6f7e9838245c74181583fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
d285fa5f451ae6a6686c3ad5e44ed51a

SHA1
e050b8d2b25807a30cc8fae2d384ed5d5b13b64a

SHA256
4da8177ae896cfbfd6d9d27069837aa73e41258391e492389864b12065d2ed6d

SHA512
0106b20bbc696ec89eacfabb26fdf39ca5d2164b860c4b750f5fbac3dc031a3c13f653b5583da1116faf889839d787a1b39c884e7f166b15181552be95b305e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
56c51b2bc319c94fab86249e428fdaf8

SHA1
ade8aefa9ae804fb7543a06403e8d75b8af5459c

SHA256
a89007b811e1c5e91afa88951c75a55d1a2e9e56e0e77529159e8a90a20436e4

SHA512
9f6c6b43f92ba9a59a260070ec8422378c91a7ecd7ce9d862fd39bf046f97e04aba9d2339bc461a860cd24f27723e2f4d0b44c12215bca016ab61959d6f7b329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
b991815a9c98e650f77e3d8096c014e2

SHA1
f70e597ddbfc7cf584a6c8e7a34776f9e50d1110

SHA256
87ddf348d0da65a64381c0fbcf7f403826c11c0da877a43ecd7a24a359bb4087

SHA512
ba7dc48f78f6ba1c3c98805a7a7d6e52c07ea0f6eb0441f7b9802bc15519b6894c9ad4d1245046987c96575fc99bb976fe197fef6fc9312eac43ec4d55aed1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
a1ed676ab9a74a160d6416796a2caddd

SHA1
ae63ef6fe61bacc847ac388daf58f8804550f48d

SHA256
d461f4f0e3e9355b4d88d207026b320cbe9e2851405edaa6ae4d2947e19cdbe5

SHA512
77dd91f64ec1ed3c2063e8459942888613aef24838273c2b8af645547b5fef85eccd79f44792bdcb77836e6c617a836cdeda0c65226fdf65d6e14006e93476a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
cca26b4f58534d3f4e6cce8a100a1070

SHA1
62609ca8686263439eeb24bd5b045454b9d81cbb

SHA256
e0fceef5f88652d6d6f3db08f1e0381f1b5ef1398ace58e25779b3d7a74993c6

SHA512
9d98dee1650f8edced69ddb4cc65a5fef7d7c1ca6775e09cd1e7102c2f20c3cb0c8b651a2f25f984f237b721a39677943700bca7e6f15c69285366e888626383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
c70d8025a96f48c2b1a938834f7769e7

SHA1
afe78a7356de22e1a039ff1d950b8d437095c7c2

SHA256
d9d6ce3ff11026613122366f7df54a4cf753a24d6dfe9e5647c6619cdbf6562d

SHA512
466e7f1e351ab1cfbe3c0ee03f4a2157f80b45de151ff642e906b7587a37b2253290c9f01728b33ccd487a6455895815091657f226cc4d40162187ee50b63603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
be0b3a8887f8e5d812730a30032b0407

SHA1
bf00ff7e51af58973883dc88e1a8afb64908da06

SHA256
fff8b3964ef0225a09c191c0c5be6c84f71f11fcbd75ff371efc56bc5833998c

SHA512
694abb7dc7e22225b76f898bfb9b570151b27a397542c9aeda902d3380e4d823f364303b2d2cb4c1d1ab4865a188a0ef60fbd35a74cce91a467eb4b6f0265137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
f9b22bdadd855e016f5ffcaa65382bf7

SHA1
8466d2b147770df38f886bb0d395b9045d55d256

SHA256
41aed082ff240ca6895beb7545da726c4846c3ea190d942ce553fd5911965755

SHA512
0da8b3ea059348eb5b855372de0a248e5f029a9a18757202cf0c2b1bc7d34a44057ad5d05fdbb584d89fd75e6d8d0174160bb632d57a0ebb8c46ee2246d1f30b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
0a63dd7481f122368ddcec3f3956e706

SHA1
7f451f33be4916fbd891410fe4d7bb3e0e41b0d1

SHA256
cbc1aa84333c4fa757e1cde1c4e35eaf2b6a48d2015d411325c7e379856b01c6

SHA512
9940532bfe8633409eb189082dd0fc44869646a56a35d3af96fa0fe11882e4121be520ca30bae6a05a4457e0ac5c75c2421509ba56096530abbceea5d4c3f7a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579fca.TMP
Filesize
1KB

MD5
5a5fd3e53ec0d0690e2848e5293f016a

SHA1
41139bc8ab6ad194ec4bc64f5b3bc0d0ab12a44b

SHA256
808743d2f2b9cc2ceb74ce47355f67e8bd4f5e4cf93e4256dbc5b08eb42f45a8

SHA512
e6a9a93f6f0a4944881aed18beae15d82d8994c137e098dc4edf29f6a6a5b7db2d0ffdfb8266d9bfd5d7101c54e0d6f349c17a5271f504415c053e104cfbfa20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e958430229c388b3e746b12353cf8a73

SHA1
130f6c2795354ceb96e4e1252356d7b27cfaea9b

SHA256
323d6e3019deb01dbace9d3931e5be98847d4f731b0615c80461d90989e923a2

SHA512
073b0ff9d92c5468c5ef913280c86809221d9352a1f5bdb6187cc6c43088cc06f78854c5566aecf1411786a9013c354d06ca7e5d97cbed4a8eb7e6a2a007819e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_4848_PZNAVTWUFKBCFZFH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit