Analysis

max time kernel: 81s
max time network: 82s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 19:52

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1

Sample: https://download2264.mediafire.com/wz37pq9ajpigjN8GSaquW2qAwfMYu2R5lRCrj7NfsRyqjtgz9nTrgA0_xCzFEhOfdxQDzLL0ku23cp2nWy6wgZD9DOJ2QGjV5lK-rmhq0HdgfVyHOKr0Ti3QytnAW4anPF3Odu2s1LadWQJ70g27OB_YEm0d9m1NeAVF1tDf_CmzKNo/qqzn0ppo5v8fy0w/ROBLOX+EXECUTOR.zip
Resource: win10v2004-20240704-en
General

Malware Config
Extracted
Family: lumma
C2: https://bitchsafettyudjwu.shop/api
Signatures

Executes dropped EXE (6 IoCs)
Processes:
  PID   Process
  732   software.exe
  5568  open if it doesn't open 1.exe
  2856  software.exe
  3012  open if it doesn't open 1.exe
  4264  software.exe
  1956  open if it doesn't open 1.exe

Loads dropped DLL (6 IoCs)
Processes:
  PID   Process
  732   software.exe
  5568  open if it doesn't open 1.exe
  2856  software.exe
  3012  open if it doesn't open 1.exe
  4264  software.exe
  1956  open if it doesn't open 1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (6 IoCs)
Processes (description: "set thread context of" the target PID):
  PID   Process                        Target PID  Target process
  732   software.exe                   5260        MSBuild.exe
  5568  open if it doesn't open 1.exe  3212        aspnet_regiis.exe
  2856  software.exe                   5540        MSBuild.exe
  3012  open if it doesn't open 1.exe  1620        aspnet_regiis.exe
  4264  software.exe                   3992        MSBuild.exe
  1956  open if it doesn't open 1.exe  2300        aspnet_regiis.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Description        IoC                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Modifies registry class (1 IoC)
Processes:
  Description  IoC                                                                                Process
  Key created  \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings  msedge.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  PID   Process              Entries
  1268  msedge.exe           2
  3568  msedge.exe           2
  5232  identity_helper.exe  2
  5792  msedge.exe           2
  3212  aspnet_regiis.exe    4
  1620  aspnet_regiis.exe    4
  2300  aspnet_regiis.exe    4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (17 IoCs)
Processes:
  PID   Process     Entries
  3568  msedge.exe  17 (all entries)

Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes:
  Description                 PID   Process
  Token: SeRestorePrivilege   6000  7zG.exe
  Token: 35                   6000  7zG.exe
  Token: SeSecurityPrivilege  6000  7zG.exe
  Token: SeSecurityPrivilege  6000  7zG.exe
  Token: SeDebugPrivilege     5260  MSBuild.exe
  Token: SeBackupPrivilege    5260  MSBuild.exe
  Token: SeSecurityPrivilege  5260  MSBuild.exe
  Token: SeSecurityPrivilege  5260  MSBuild.exe
  Token: SeSecurityPrivilege  5260  MSBuild.exe
  Token: SeSecurityPrivilege  5260  MSBuild.exe
  Token: SeDebugPrivilege     5540  MSBuild.exe
  Token: SeBackupPrivilege    5540  MSBuild.exe
  Token: SeSecurityPrivilege  5540  MSBuild.exe
  Token: SeSecurityPrivilege  5540  MSBuild.exe
  Token: SeSecurityPrivilege  5540  MSBuild.exe
  Token: SeSecurityPrivilege  5540  MSBuild.exe
  Token: SeDebugPrivilege     3992  MSBuild.exe
  Token: SeBackupPrivilege    3992  MSBuild.exe
  Token: SeSecurityPrivilege  3992  MSBuild.exe
  Token: SeSecurityPrivilege  3992  MSBuild.exe
  Token: SeSecurityPrivilege  3992  MSBuild.exe
  Token: SeSecurityPrivilege  3992  MSBuild.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  PID   Process     Entries
  3568  msedge.exe  64 (all entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  PID   Process     Entries
  3568  msedge.exe  24 (all entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description: "wrote to memory of" the target PID):
  PID   Process     Target PID  Target process  Entries
  3568  msedge.exe  5076        msedge.exe      2
  3568  msedge.exe  4532        msedge.exe      (see note)
  3568  msedge.exe  1268        msedge.exe      2
  3568  msedge.exe  4792        msedge.exe      (see note)
  Note: the remaining 60 entries all have source PID 3568 msedge.exe and target PID 4532 or 4792 (both msedge.exe).
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3568)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download2264.mediafire.com/wz37pq9ajpigjN8GSaquW2qAwfMYu2R5lRCrj7NfsRyqjtgz9nTrgA0_xCzFEhOfdxQDzLL0ku23cp2nWy6wgZD9DOJ2QGjV5lK-rmhq0HdgfVyHOKr0Ti3QytnAW4anPF3Odu2s1LadWQJ70g27OB_YEm0d9m1NeAVF1tDf_CmzKNo/qqzn0ppo5v8fy0w/ROBLOX+EXECUTOR.zip
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5076)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2cd646f8,0x7ffe2cd64708,0x7ffe2cd64718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4532)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1268)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4792)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4568)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 264)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2228)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3736)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5044)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1560)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3772)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4132)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4280)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4760)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4940)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 884)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1020)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3952)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5232)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5348)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7396 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5356)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5368)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5376)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5792)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,17490498197181572236,864574875285216187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (PID 2228)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4436)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 5920)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe (PID 6000)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ROBLOX EXECUTOR\" -spe -an -ai#7zMap4070:92:7zEvent17533
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\ROBLOX EXECUTOR\software.exe (PID 732)
  Command line: "C:\Users\Admin\Downloads\ROBLOX EXECUTOR\software.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5260)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\ROBLOX EXECUTOR\open if it doesn't open 1.exe (PID 5568)
  Command line: "C:\Users\Admin\Downloads\ROBLOX EXECUTOR\open if it doesn't open 1.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 3212)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Downloads\ROBLOX EXECUTOR\software.exe (PID 2856)
  Command line: "C:\Users\Admin\Downloads\ROBLOX EXECUTOR\software.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 5540)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\ROBLOX EXECUTOR\open if it doesn't open 1.exe (PID 3012)
  Command line: "C:\Users\Admin\Downloads\ROBLOX EXECUTOR\open if it doesn't open 1.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 1620)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Downloads\ROBLOX EXECUTOR\software.exe (PID 4264)
  Command line: "C:\Users\Admin\Downloads\ROBLOX EXECUTOR\software.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 3992)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\ROBLOX EXECUTOR\open if it doesn't open 1.exe (PID 1956)
  Command line: "C:\Users\Admin\Downloads\ROBLOX EXECUTOR\open if it doesn't open 1.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 2300)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 7ebe314bf617dc3e48b995a6c352740c
SHA1: 538f643b7b30f9231a3035c448607f767527a870
SHA256: 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA512: 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Filesize: 42B
MD5: 84cfdb4b995b1dbf543b26b86c863adc
SHA1: d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256: d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512: 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Filesize: 152B
MD5: fbc957a83b42f65c351e04ce810c1c11
SHA1: 78dcdf88beec5a9c112c145f239aefb1203d55ad
SHA256: 7bb59b74f42792a15762a77ca69f52bf5cc4506261a67f78cd673a2d398e6128
SHA512: efad54eb0bd521c30bc4a96b9d4cb474c4ca42b4c108e08983a60c880817f61bc19d97538cc09a54b2db95ab9c8996f790672e19fb3851a5d93f174acdfac0ce

Filesize: 152B
MD5: 5b6ff6669a863812dff3a9e76cb311e4
SHA1: 355f7587ad1759634a95ae191b48b8dbaa2f1631
SHA256: c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906
SHA512: d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e

Filesize: 31KB
MD5: c03ff64e7985603de96e7f84ec7dd438
SHA1: dfc067c6cb07b81281561fdfe995aca09c18d0e9
SHA256: 0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526
SHA512: bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 13eca81ee15f6082f1d15bbf884fe4b5
SHA1: b1a970a9407700868b8d2e42ecc4c3c7b7925840
SHA256: 5d00a5cadfd98da785933e80e2992e52ff3c84c4189b6646da383cbe10691521
SHA512: 08a3e3d6858fda05798316107b815715c2222e51d9278bcbb4fd69c80683ffd1630d9e9b032e660112e1c99f99337f7be1a033adeaad898123c6f7a64e39ff19

Filesize: 128KB
MD5: 74c7f4825ba90a45584c3c2bc540cb81
SHA1: 24dad800b9e2f263f67f03a391c3c91e3285ce22
SHA256: a68a6a75055d51936e97b91150d5029fb89854ee6e3c067f638340122c9e5e69
SHA512: 1ea47c9df184ca8e681105cba6b8c0bb6767dd1d0d372711a29057d29d17e876bdf176d9b8222a99e5d8d70b43e8b5d242b5f18c8468e8f607696cc14901123e

Filesize: 8KB
MD5: 8ef41134303a7918ddae06311e3195bc
SHA1: b01eaf14de26471d1ab9513eaf875f474bd23ffa
SHA256: 966cc7b42350a742fc1e67eb71cc520a2c06e596c984be3fdea155c917756bf7
SHA512: 0cf63f2b80db663c9c40a611de856a44dde2470c72b1f252f605f1d8a8444cdf25a69d7196e807eb35403a2f1c88d2bd26fc1c277bd470770f59375d6c6a12c6

Filesize: 6KB
MD5: 86e191305bf65e65954dc43cffc331fa
SHA1: de6899557eb3265635b139d5ec3d92ee8dc02471
SHA256: 7a9a27f5024edd742440f49c0d843cc35b0132ab20131c845d844bed2e1c91ed
SHA512: 745b29496a5b64e6a576325229342a1cda708d9001153f728ae44b76e35f3b7d12fd932c890d58c6911332f3febb7550d01105eb653f7a1066335fc2d02b640a

Filesize: 10KB
MD5: eb00fd4e5489bbaf93336f72ad8158b8
SHA1: 6c934691b40703b893106ebe6745742e8ad348cb
SHA256: 84567eb151b57b3369070e8ee197a8da90ee02fc7535df0a3784a514a3340039
SHA512: 7fc960f49b27bd278b5e7a0c82bd44cc7cc7e456bdcf8194140f2863c8f2bc54070141537f92b02d159f7006a4aa9479db711e0f3e4e86fef03b0ffe76777d28

Filesize: 11KB
MD5: 4bcb14536ee6257214dd6692184e8edb
SHA1: 9f726244f100c0a861bd42d9a452266b1a53456f
SHA256: d7cc703d78ee377f77d6ece47a6f70b9551655f2441c53117182af9bf55c544d
SHA512: 0dbef5b574821dece18b90686516911dd6227b08ab8ea1cedea6ed7eeff61ef99d1cb504d4820c726997754804b5bd2642974c925bc8ddd678ad8c679d83bf5e

Filesize: 11KB
MD5: ca6c8de08ffdb0e394eda6abf9ecb705
SHA1: 5a7459b8d54e3cd4840a603b5b6334c9348ed57a
SHA256: b7fd37a7805a6a26f0c92de31fcefeee9c1061b128204285f2c18a39966b9953
SHA512: 4aa780fc09ecec3ce303f6dd7e4e66d18dd45f56464881a7331771da54cfa47ecd545f3ebbb24bf4d9ed62ee6f24e6c42b0412c18f87c52a6e4cc3f3426b3ba3

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11B
MD5: 838a7b32aefb618130392bc7d006aa2e
SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Filesize: 11KB
MD5: 4bc7ec627b7f6df49454679862ea8670
SHA1: 6f147e2096214846244be1c63d2b5c50780c580f
SHA256: 155ce90b8e5c2a40d064e444a3e212083959e4f057c11f52f8a6e3324797b2fc
SHA512: e1d947c4befee93f5413d2a5d817a62ab46418c5394047d5d37f599190a7217601bc8bbbe28bce76f385c34ae7119a01ae5bf63de85007c3993851c9e3f86545

Filesize: 11KB
MD5: a04378802472c37747a9a9a897b8fd15
SHA1: 54c5f809edf13b193325a3bdbe247de52ee5135b
SHA256: 37dee594adf91d625360280da1d8811c22031ac27d17be590c42a5088adfcd6c
SHA512: 9a4423bfe8586d7045410897dbf12a90cd0f04e331074ddca3f36901ec9dc6d1fdc33154156e83e654efc2b7ba48f4b936d1aa14e35ff8f56a53ecdc9ae729b0

Filesize: 11KB
MD5: e4bb856b5ef42f94958fb13b93b1c340
SHA1: db388b5265743d3eae1f74257a6e32d1bccd2fdb
SHA256: cd3ac3f32afc8e8823630a4fd401164e1b94f5b0716c2b6e417a22269afdcc55
SHA512: 03d3c223df928fd43ebbf5e85dc349131e036497bb54a708673449d87548326a34dc8d24b2f784de7266e21a90eb4c85996860d9b2b54e2329b472c81530908c

Filesize: 514KB
MD5: 1f0fc020b7cedc79197c4e24b1a92016
SHA1: 3698dde19a547cf2ba36022d84405c5a2f77509e
SHA256: 27504a021fb620542e0d7a56095c9e8a4dec35d5b3484e7303683c8f314776f8
SHA512: a98972dafe581036ba936e750b7a338a18ecc17d93847360d212bb8b9ce55d966dbd6f65edceb2deffc231795b1ce84de9bf5b95aef92d99ae8055caf321c9f1

Filesize: 444KB
MD5: e4b0860bacee7710415f26ef08fa80f1
SHA1: 171f6c90458a742bfd010468a284c9547ac01a24
SHA256: 839ce601d5bd5d6352ccd4a600c14be61662977e0757a7b8ae457bf789691cf7
SHA512: 7f8ab0326adb3cfbbead879011ca26b54964701ebe1d34fe2f01fdd363b999393af0d03a64676cb8a399cbb2c79c54ec63f6c5aab042006d05d43dd4d52e9e82

Filesize: 20.5MB
MD5: 74dc984e169e557091ba25bc347617f2
SHA1: 67f5f7cb828a4aff5b37cb50b43b5770f28dc272
SHA256: c6fe767ee05ccd1860141d65c6960bf2e58b7b9f6acfb1d794676697abc87f93
SHA512: 45bd37fc3492ff2e0a155976a55acedee7a140605339591a4a66e00b24a3eab50d8ca8323e8ec763f6122e7fa4d790b85756bd7682c69292c5eeefe016505dfe

Filesize: 628KB
MD5: 291f4d80b5103ef4bfc629929b1ba761
SHA1: fcd844347d6bcb708a64ac0fb0ac6ae18cedf4fc
SHA256: cc8c406dc36f27c1645cfe2614b231a005cb01091e10433744420b20174cda0a
SHA512: 14b38684c2a8974557110729ddd4c9945ddfd5d7029e3d24da879bd4c10166b2e11c2cadfb1faf08ff11ff737c427278e82829cc892f6e42e49ec6afda69a895

Filesize: 639KB
MD5: d800a3590b4c74280d5e2644924acc9f
SHA1: d0520ab9c79bed8a2daa2212fb74576dce485fa2
SHA256: 90a8c5dd171ab92c15dcba18c00fc850044373dad9aec5d2599d7487b65f14a5
SHA512: 782588be632ba779c4c846aa9bac98d978c49e528ccb2b962820b7810e90194f665c1d0f49153f2aada548b0456075ad0ae921db2fcc7c9b27c0c736f57b3866

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e