11b54d87d7200e36d2bdb59e54f6d705ad6fb7b6e652344004ce3e26d914be30

Analysis

max time kernel
108s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BloxFlipPredictorFree.html
Size

8KB
MD5

e8f38b837c086587dffdc4eb8b2db230
SHA1

2308b80483dbce4fbf134ea0bba22bc6729c0a6e
SHA256

11b54d87d7200e36d2bdb59e54f6d705ad6fb7b6e652344004ce3e26d914be30
SHA512

01d4742fee247ae2b59d9e28fab266f723b1df21b5668ee6746745923278fc20cd064c85e22ea0f10ce7b11c21c262695fd6825204dbb7ca08605dea1384566a
SSDEEP

192:XF7xI5ZnZRSrVSpSz2v+FWT/KTFyTAvSfuaV0iBpBiu:XF7xI5ZnwCsD5yTAvSfuaV0iBpBiu

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1368	JavaSetup8u411.exe
1616	JavaSetup8u411.exe
3100	JavaSetup8u411.exe
5140	JavaSetup8u411.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1721078853945.tmp"	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 680339.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2784	msedge.exe
2784	msedge.exe
4816	msedge.exe
4816	msedge.exe
376	identity_helper.exe
376	identity_helper.exe
1552	msedge.exe
1552	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	6044	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6044	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe
4816	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1616	JavaSetup8u411.exe
1616	JavaSetup8u411.exe
1616	JavaSetup8u411.exe
4212	javaw.exe
4212	javaw.exe
4212	javaw.exe
4212	javaw.exe
5140	JavaSetup8u411.exe
5140	JavaSetup8u411.exe
5140	JavaSetup8u411.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4900	4816	msedge.exe	84
PID 4816 wrote to memory of 4900	4816	msedge.exe	84
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2384	4816	msedge.exe	85
PID 4816 wrote to memory of 2784	4816	msedge.exe	86
PID 4816 wrote to memory of 2784	4816	msedge.exe	86
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87
PID 4816 wrote to memory of 2324	4816	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3636	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\BloxFlipPredictorFree.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb261046f8,0x7ffb26104708,0x7ffb26104718
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Users\Admin\Downloads\JavaSetup8u411.exe
  "C:\Users\Admin\Downloads\JavaSetup8u411.exe"
  2⤵
  - Executes dropped EXE
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\jds241347359.tmp\JavaSetup8u411.exe
    "C:\Users\Admin\AppData\Local\Temp\jds241347359.tmp\JavaSetup8u411.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,7571855494900276179,10486826076909305113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5340

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\BloxflipPredictor\BloxflipPredictor\BloxflipPredictor.jar"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4212
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1721078853945.tmp
  2⤵
  - Views/modifies file attributes
  PID:3636
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1721078853945.tmp" /f"
  2⤵
  PID:5616
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1721078853945.tmp" /f
    3⤵
    - Adds Run key to start application
    PID:5660

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\5416c800f633493aa0617c2ac5241e91 /t 4204 /p 1616
1⤵
PID:5940

C:\Users\Admin\Downloads\JavaSetup8u411.exe
"C:\Users\Admin\Downloads\JavaSetup8u411.exe"
1⤵
- Executes dropped EXE
PID:3100
- C:\Users\Admin\AppData\Local\Temp\jds241417453.tmp\JavaSetup8u411.exe
  "C:\Users\Admin\AppData\Local\Temp\jds241417453.tmp\JavaSetup8u411.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5140

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\3d9515b0a49948ba944d35368e6605e7 /t 2848 /p 5140
1⤵
PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
9a14822e89e361b141e6a75c03497505

SHA1
ae2522278293b345be66f78d0104247ef661295c

SHA256
a868b9ac888608c74b39e15b52d85b9315dda65620d20a28f0f0dc9653cae82e

SHA512
4fa35a5f9797f68b5f5dec73ff7c12ab8c139340a62f679644607a797dd0efa00b4a6f723e8249c028ec15b19b5190e46a65c7822eecc2c426d744d08011e364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a4f834be39f4fbe05b5e772abc26789f

SHA1
3c9501e9b26ebd5029d70054d9385011d93b9c77

SHA256
05c21e403a0dc69895339e6636a173445fa5f975dad9a26cae4f35c767b59e6b

SHA512
0e3e05a18860c863618e61750df7588a55594116e12b3d46f0566baecafee420f2234b21c3e906398ff04b685e610b13285a304a8a95635ec0e83ed185d14b32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
f5db45ab60379ad902f3d1a89d9853c7

SHA1
2a665017a5c705755b9d92aa3630b0a38894c8fd

SHA256
087cbe99dd5b6527b76178dc52dea8ede46e8f7aa42f30eade9c7204d6d96ca7

SHA512
a8d8c2759827921280968976c757a7bb2069bcb425a3a3118a1f631f4088bed68696baa4bd02c166a1085b29cb293cde27b2d8f121670feb277b7ed38e9f7948

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_411\Java3BillDevices.png

Filesize
27KB

MD5
8e52efc6798ed074072f527309a1ba25

SHA1
347d4c6b4f92e7315d9b199a97dd5cf7d86b2431

SHA256
12491ebc4eb99bf014d3bc44f770114bde013e84cbec2633303559a8c6e5f991

SHA512
0653c6e7f94ac36fe555db3eda8465f99d17cdbab91ea6413c6bd68dbbbb4db5df06e5d62768f6f4dfcef8d207d771e0b6924adfe403b92729bc4c5689e4fca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_411\au.msi

Filesize
861KB

MD5
647fa109799f37acab9cce273c1d9c56

SHA1
a0eea46f8887798af81bbeea114202fac086018b

SHA256
22a29c36524ad403e0af94b39920ac93b75576bf95fc741f66ea03ce4830612b

SHA512
89cee892d5c6e1d2a9d24f94910de88949c5a886223566b727e30b4668cc59bcca79e7cf77fc6a18065cf5add6b4e04a9543ea0f8f892cd96e54bcfed7c0ce75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
a3c03151e7db12e738e6123d41221bf9

SHA1
daae99b060b6d39eb5614a5bf6cb34e2fa0736d5

SHA256
5a8d139a4e98110cfe699ea55f7290de1dcdee2154c5091f3b5294ef1815c281

SHA512
a297899199ffd0d0c78ecb0fb84288b84ffe842486ed41d6384505b629b31993332add9ca8894136d472589d27a8345c3f98c7bb8a65fc7ea2bbc84f72c8afb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
e460b703ac399f401c252da651d87481

SHA1
04c9932022784013acace4df318c86b3187c48f1

SHA256
353ff7a1bfa032366b1d9da6a8753e4e72da2f6e9f558a5c6ddb31804e6590a8

SHA512
d17e9e6111f66dbf8f6bb2995ad43a24a30e1a0e04d855f788bb6a1e83d26bd8ba1ef74b32f7830e70ea66863e050a6cdeb809ec49a415fbdac9eeb32188f576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c5b1b586b9e6d5236b95e29523928056

SHA1
6303e63816f01398022796bae4d3b5814737f60e

SHA256
55edc52ef6ba3293ff2748784926a2b2770671f9018ab7cf3590e3dfc9d52f54

SHA512
9a2a41e5c4fc5e82b70860df26499ad6745756f2f3fa9681f88966a9109d6f12bc19e43679ac296b4d54dfeaf8a37ca3c1940ad86eed682ce44a35a464de5b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2f4a0170803cf40a2896d476ae82f5c

SHA1
839eebda4d6d7aa33f89f8c7b1886e1e07f4158b

SHA256
c3037542545ff9c386a73888ef83732fa45380794d77b3f820be0abce616f1d4

SHA512
5b938949fa9fc6f1409cdf1199f97755584e5254e5138a1a77fd9bf78ee2b05c8e09e0b8c21aa0885fcf72e774697e0892ec6121017e5066b3ab2aaef24a9b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
756d5b1e390f9be4913ed71505129495

SHA1
e56f2d09d9b01fb3e8d4f42438bcf8958f8b7fd8

SHA256
98cff17aaa1fe3ba290f017ad5677bf84b2a4472d7bc7cc845f75b21b5b41567

SHA512
f7f92089a9941850ba380ede79325cccbd15ef0ecb7148e1cf47aed4e0836246ae7d091816690c1e79d25e99b14dcfb66c833777c8d8fb4105ac1910472e990b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
db12ea91b99b27034fe60fa6ab7b096e

SHA1
fcd23f45b87ee797b19e31eb008696eea95daed6

SHA256
74a43ea15cc20860d1b8bd78838be46f25470c1f53ae447946084444f776f4a9

SHA512
8ee4ca4da62de4daf12a630b26c7b357b0907b017b6549c846fdf153d641a900c62a101d1df1e23e8089ec875d1ba47264563ca4cdd45b3aee63dbbdcc9039de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c78d5503f2114cb6be7e90ec52b4add1

SHA1
40f0a6cef5a149c80b8ba9e5278b98db9747fa27

SHA256
0ef6c61f22f0b27c321d3eb9ff0e88d0e5b49eb601301dfda3890c598e9541bb

SHA512
9cba91f7488096eaed510c724b24e9edd38754dd6c0115a595fbf02441c78bf10341638e38b8185b0f433ddafbb8f4d6842acdb81ef54c1e2bce056b8ccdb0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3723f155a47451d7b0b6abcea331386e

SHA1
70bc14a154e4c585cab432e3a018405cbd3be895

SHA256
62e8b71772e1c6b1ed9ba89a48a49a64b2e4da994227321dbfeacfaf0d83ecad

SHA512
d3a80a680ecf293dbbd0213fc24f170f0ff2f5c612b76f854e34a6358ca91e8da1471014e1f9dcd141300d2722c2f0e5b9d6cd95b6cb94fa27c1b25d5d731d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe636d85.TMP

Filesize
48B

MD5
526846351a20a0fee223ef7d77a57b8a

SHA1
c6118f5f682bb5351413235321ef78ccd2f4e248

SHA256
c1cfe0053d37554c9dbce91924e92a2ab30895000b39b3c76fae8638ccc1b4e5

SHA512
472bb089c3ff34a2c08c6a56228d696432c0ec89d51e23167e1d11c5398b816f9139871870d00f755610e6e2dde8588c98cda9d295c9a9f0d905ccd87b14a273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
998e130990d7c212117f109e668ac0e3

SHA1
e7f1e44c4b8f9f39f6668a199f10ab1445a45be7

SHA256
6e5dee289c8f70838782f064620eed9ea6bb950922717a107a7bc914ab6c12c0

SHA512
7d61a773ef27c51ca969394f59cc55d0773b9e111c56e7f1dbcd1c930c2e723c4b8e40437f68f9d2c2fa049de29f388125d7ac7d11021d9dac073f63068a62fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
83110e0af79ef0461f6b463596e21cfb

SHA1
3e14216a451c383197ccf1ad5552be7bad54e1a4

SHA256
bea822ad064f0cd518e28558efdfcb4b4dca76a942cdd205149eb834b1372680

SHA512
a425c8d553e79433a8e9dbabaa2dcfda4ee223e325997ab59b684282c376aeee18d25366cc11c69bdb10bc7ee0647d36c187e232061fbcbdbf3e0613b0d0f509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe62a1d8.TMP

Filesize
1KB

MD5
7f2841f9f592f15f54b379a61327a021

SHA1
a2b2c1bf21666efb98c265c9eb9e42b67ed68087

SHA256
f2301108fd52f60b9f7ed004d9c337d531350c3793be19c89f2f35623ff746e1

SHA512
e6f6dfea6c1a5d4a6d266aaf285f3b63de2c34fad6dbc8279f77a0f46333f626c8c2ad9bb224cceeb614ae905653b79e5828f4f6f2f1bf5a9931f10f01c4cdde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8cfa0b5341f378e9a3ae8492cdbf08d4

SHA1
f797e097432943db9451013a90f066f74d77154c

SHA256
e827d6bdcf9487dd04c6587b0c127f3234f5e00a37071eb154e25f6a9206dea8

SHA512
5d6ecd6d788ab8a311794aa0da482ec154a2501f6f13fad83e4fd20561750ac965318d704ee2e83834094f9c4a9b4ed3135b0e31411de22d3d0f9fcb71d29344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
713d74770d7534f91580c3b4200c0df4

SHA1
72aa5e1f1da1c7ffd0ffb09c8f76a493650b944a

SHA256
46ca2b1a37bdac99183de41bf2aa95a625a1e26ff32a920cc7689d405886e784

SHA512
c5090c56e62a4e9c6eb94b9611860ba66e0d80624a434e79c98b9a576fc9ba8ac6b7694359d0744db980f80926a0cadf0e3ce02fdd596caa50a8037adc95da35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4bfb37bed06f7676823d38c6e5bb1011

SHA1
5b12573030198b5599037a38fd22c0bba65c0f21

SHA256
0d1cf4e026d41d0974963c5d82ed7cb81582a5edd5b09ee98f3b9bc58427821c

SHA512
74e58697847e27ab3dce05aabd736ae3e2533aa43b736da0a8c0b08534f4bb7fbc244b74b8a7e90a1d4a988df8e907a84bbc25882c23f852810a6f7e46134db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds241347359.tmp\JavaSetup8u411.exe

Filesize
1.9MB

MD5
a9b69edaaf925ea6a71679d9a0f56266

SHA1
efe45a8e10c3d559b4800b0974f65bf0e87c747b

SHA256
e37988551194fccbbb82fc0a159a9b9abb242cdaed14a331cbceb0f5195e18f4

SHA512
663f2dc7a6faa7c2a0db5ad3d60b9e0909543b77285a048a1b3c7b20d3cd2a8607202bfc8a0d4b597ec517a7b0ed01f446a4a9c722a750a07f5ece56dff74e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
b9d6ebbc224dcc28e156341a8bc1d80b

SHA1
f16300666093e54aa3398367ff8fb32113140d4c

SHA256
6005207f7661ce93845e186d970c9bb4751645daab718bb98689d1c722a99fed

SHA512
d19a4547e7d25f1ca20974f5d54ba34629f5242f86eb5f782ba32ea1ab99d317bbacc731b3bf6206335491fd595c9f5ab569ce936982707e9eaebd6eb38245ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
165KB

MD5
8f50ef1d9bf158b1da368178715de3dc

SHA1
ea7c7e538156cefcdf639a9983fe4b38709e7eb0

SHA256
2fe743dae20c5750396d7876d3df6623ef1f582e6900ebfa602ae014f3da39f3

SHA512
5f658b5fff52ed8f99d0203a6c905009cf7abed88e350aa8773923853e8c4af256cb782ae7588ae6c81a999b0789c5baefdd00584f7c31251520f74a8a782e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
194KB

MD5
97cb7a30683f551185afd7a5644f4f66

SHA1
f03a09c59221686197d965e2dc336ae1514064b3

SHA256
149c7b8d9e54f6106b51c60d60a30b29b9bdfb54a45c0264df548ab1ec7ce233

SHA512
24be7c8283c6a125f25b670e47fa4d672542fe3240bd9d3307ab29155844adfaebeafd113ebfecff3dde00e4a21192ab14b07a1eb4a9bce95e5a241110ebc69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
197KB

MD5
3017d6eee6daa0e2076ea57ebbf1cee0

SHA1
2abfeeedb23ae8ae4ec91e389391c4b882b6a63e

SHA256
205920cba6e7fc0ec44dfdaa9f64a788986bf60c6ecf7ac5ac96d6af6d753f3e

SHA512
4b45f53fb438d88fd13c2871561602be8b9bfe8af96070368f5b0e6dade5e184f8a9f2f611fad77dcf2ada66eb6b4c6e1412db37d19a48a323f597b7864ba8fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1721078853945.tmp

Filesize
690KB

MD5
9e8c6d38ec41bc08a6c895dd9c7cda9c

SHA1
c691901a6dd9fc7d305537165377d3d6825e8ccb

SHA256
07080b357031457e3956f5584704f312e774695e6b909b10f710224ae174c8d9

SHA512
a35d050b2115d802f9c7237347e022667c3f85811b7395fae54c42937b44b4b610366fddb45dc2180c2314b6a42b854647c9c59158f5e544a82f1c4355d7d81e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 680339.crdownload

Filesize
2.2MB

MD5
c8e59f75cb74e2a8d644368d5a06ca68

SHA1
562af1976898764ffc35df1d523e98fa95630e8a

SHA256
6e68df42609b8b7b9104a20ddbffefad8339afa4e1667139eace9601e9fa0c58

SHA512
74a6bd15ed411d3ce70ecd40e71f09aec019752cfc004a1adf5e738ef6a448249d47cca82064c80fdc4ab70a6ce5268bdf0957cbbe6901488728427ea3dde127

Download Submit
memory/4212-594-0x00000218B9DD0000-0x00000218B9DD1000-memory.dmp

Filesize
4KB

Download
memory/4212-583-0x00000218B9DD0000-0x00000218B9DD1000-memory.dmp

Filesize
4KB

Download
memory/4212-578-0x00000218B9DD0000-0x00000218B9DD1000-memory.dmp

Filesize
4KB

Download
memory/4212-567-0x00000218B9DD0000-0x00000218B9DD1000-memory.dmp

Filesize
4KB

Download