hxxps://www-oblox[.]com/games/8737602449/PLS-DONATE?privateServerLinkCode=00641079869772729376469291396786

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www-oblox.com/games/8737602449/PLS-DONATE?privateServerLinkCode=00641079869772729376469291396786

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{33C12C1F-AE15-4F33-A5DC-306AD3C454B7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
4552	msedge.exe
4552	msedge.exe
772	identity_helper.exe
772	identity_helper.exe
4148	msedge.exe
3396	msedge.exe
3396	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4988	4552	msedge.exe	83
PID 4552 wrote to memory of 4988	4552	msedge.exe	83
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 4600	4552	msedge.exe	85
PID 4552 wrote to memory of 1032	4552	msedge.exe	86
PID 4552 wrote to memory of 1032	4552	msedge.exe	86
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87
PID 4552 wrote to memory of 2892	4552	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www-oblox.com/games/8737602449/PLS-DONATE?privateServerLinkCode=00641079869772729376469291396786
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca15846f8,0x7ffca1584708,0x7ffca1584718
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15022805027933086805,2465176797641181879,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2778fef9-537b-4fb6-972a-bc588fd20451.tmp

Filesize
6KB

MD5
be86ec4705c0dfd03703ffe3faef0842

SHA1
2bdc33bcb82eff3613ebd2a958b3ce1210b8c4d6

SHA256
7ad8469d6f84bfec65e0bc0afbf498ffdfa64050c19eab70c32963043641b267

SHA512
3a418f971333452379f32a160bd439bdd527ba2f80be924bca8c5b008cef4c4f1a17d034f6b13116197318ef1d571c4b3851774039479f74091bdc8f77d0a466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b6d316abe591ca7f2296f0e69274a0d9

SHA1
eb64494da9b229b4de8700dcb70ae872e357fbfa

SHA256
71d41b74dac96b0cf8e0f4fc5011d763ac4c3e3cec94bf9eddae9aaaa0a0c1ee

SHA512
ec00325d74e2515906cc72ecb03c6b68f1143be8f26733d1016e0fb9c3d582d58123f320591ea48477b2c03b7eb2c09226fdc94c5d32cb2a710d88c41a8809c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2baf1ed64316fa4bfd39fc9498ffcb4c

SHA1
75e760dbfc146e8f6777722fb27b3aa8336ede3f

SHA256
e646bcae76a120e51ce97a79bc11afdb6ed1c5e077e88642ddf514d98062f3c7

SHA512
18e3be6eaeb87a1ad1f60de974b514759256f9939aa8427c1f7ede1164ae54e45253fbf1faebe18583dedeb35f9dae0c0d9e725178bfe91ce693980144ac65a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d0ba6334cb78b4ef0f1d2b3ccd549e3d

SHA1
282505395ab694ddb423e9d477ae00f8dff4b3a5

SHA256
1d68522c9e7fdb6b4d736dc1715e307fc1131426149ce37f1c9a658dc2979efb

SHA512
0bf848f0baec4b357f15b48303ab9184646f68f3cd31e015c4a2fbb16209d852f20c0fddf4dbc4a9abb46bc2c2839d592fa8eee2d430d46b8c28a18e74e53c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8485455b14afdfb5af74e842712214cc

SHA1
839ea85a9d59f9507fbc85bdea1f1805648b51bd

SHA256
2728f1ab3013b4d10cd33627eaa7c13b93a883da384c42f8580f725e8b32655d

SHA512
56d77b166d4843482f4dd24354595826d25c5044e0f976da20bd885c2497b714f0017a98c53d429c3ed63c01263a07cea3e7bd349038240d9aa55704d39dc728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f731711099bf99984962fd0b51ea2bb9

SHA1
675ca32cbe5661c637df285286dd87533ea90e30

SHA256
9f7e1efe65ea39d6ae2fab08fd185ee8f91a19498be1f143b5dec84f49b00f69

SHA512
b7568a34a96407d5c84643f23fb9e5a4b57cf0768a85d75bfa7dfeccf1213b0487c6da050b8443be73fcd60e622e2d69210443969cd07d50e77b551496b9fa3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c097c90459018ae54fb16c2ad0f0bb76

SHA1
68f85d542f1d4c26dbfd535aad724bc6db88c80a

SHA256
747111457eaba959a15dba386a26d0d1047a0cd32b72e6e79ab18493734d1a15

SHA512
0dc5d65824a8a188a72f508149a9a188331cf47482e38c39e235ba8b4456f8cc17d58f89bdea57c32db88a37f1f511bb2374a4542be7c6ec9e10c5067aae267d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b165efa5428a153189355cb68a777d59

SHA1
ec6efa1054866ea1fe9c151beaa585c126821348

SHA256
4a2b955ecb7b8584ca4de6df2caaf2fc8a8a160cb729a57b97434689055fede6

SHA512
ecef8e9f287f567a103d62a1419f4001539e52912a639dc9d7fe71a8ad1d65f25e71a49c81baac849ea54b6bf1d80547be6037301f10818f9d653691d2e6a47b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd04cb9b266bf58b3d9c69ddfa416bd4

SHA1
dbba8e563bd5b055580e56fa48af29f50728138d

SHA256
21948b936df63e45a39ae397f429bf02e149ea0484c5b7302ba1961e99d9f107

SHA512
fc9d38a9faeaf135c5712f2bb6850d255c41233ef6f3868cffe916979dbdaa8648fdf897cde78dccfc5f64c6046ba8ddd358cb69807b83e0dc1060da971e7dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c80cc064de5cac7a145e0712853fa2c0

SHA1
0865f6b6f7e3f9901d59052b0277ad0b7a89dd3c

SHA256
06233002bfebb9c02ebcb42735f58a746486c0e7c0550dc29ed7f1ed4d55f04a

SHA512
6f782f7807caa1d212fece41612e72b239d3edf37add5b30e8e346b87a9d4ad26cb38dbbc0b997343a1a3c9cc5fa499ee7afc8c9dfb13a19c7f89391198d4be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
18e02b15e04511d5b347323611f1d3f4

SHA1
eb06489a2015b94a258338a38a98195ec977eb62

SHA256
5ab0c71df9d9ea628408072ed077aa76b5f8182a9e4bbbb8b8eae8f3e4e1decc

SHA512
8a3f0b82da822ff1ddcbb084fb3bd07c74c5f2003c98baefe148679d53d39c9c1dda9b870d4d58fdfdf273a5ac57d2c7eb31477b7de3da1b14e884b1cde1741c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3b8230d0652583774f846b39e3281392

SHA1
d76cc382a418f0a8493cc691d8dfb0687071d40f

SHA256
53b7ab14b9cfd04d46fdb8c7ed0cf920e7d0f6180e3dc551c2929ac2abccabcd

SHA512
58caad6d9cab0058cf46359f7234375e685e21e3455a76b704e02d1dc3d65124d3be2db619e064b0bd42042f1050c836632117e255ad9db93b79bc26914e59e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ad8defc394e7a6a45c1388936a600755

SHA1
d604d4c55ba1a3a7d97799e2e21562c6384cf71b

SHA256
e113cb764270c2e633f06a81dab87aa5497955d7749761baad927789a3386ef2

SHA512
7cf487c52acce6f74678c0e1868415b6c92cc4b0d376ae90f5de0dc45a403daae19c6b2f5928133040f6edc99ab599835c137ab4c032d0689454beef15f08687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a657fd82587483cf67bc8407d21979a

SHA1
e53f4dc1314f3b5fde8f41954afec2b2a5891e3a

SHA256
f22f30613b1ff16badcc2e5d0aea6ad940ae71d1251a485e2b13f3a588e7453b

SHA512
548072a193c51264739243ba0a615a0b743b1f6176e7bd608471adc0f86c7f8ed83e9bcb734e0661b4cd504b5152945d149f2ca6525b0bea79478272143def5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e422536da2cd3793da6e36dab6ceeea

SHA1
0a50a92f2f7b441c9ebeb6dcfd4ddbf963e0e499

SHA256
f59bd0962ab7e9fb5c6909651322d5aff9d893554307f12e627ee0101e7f3fc3

SHA512
83e055eac5ceb504fd06e88663dd14656341494f3a0a8903b8e84623318dc473f053f13c32b812eb81757caa41d7326ec6a4b99cbc7c2555984c6f855a58bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585752.TMP

Filesize
1KB

MD5
5eb8f2219f686a2070ecbc71626f13d1

SHA1
a56721d30c47e2d5395b8653c5e35292b236194f

SHA256
2a16a20b9c20898f20caff938d3dae9b332e1b01f50307776583ad2555025dab

SHA512
84acc8d55946c0697b55030de5e7651f54dad11dda301030638e2350f21c53e57a4bf824e6f57f1ca8a6183e90cc0127d30d581b23552680bfd7372a9192137e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a8af326dccdc20e2d90974552052a681

SHA1
f0292ae20806bbd04ca6caa50e7d9e130914b00a

SHA256
b322c67333da82a0aa370a0a232d5264e6b3563ac8af57d9acf63f8f5ec343b3

SHA512
f1174defd54010f01d4ccaa220c220b200556590d17b48f4f782a88d3b8b6e539b806fc86d3f7fd6841aeb3f4cdc21eb087060377a0adc239af4bd7a592e2201

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit