4e839b8267d170c054a00292d0d93440b9709066db6f787132f866dcfa8a9dd4

Resubmissions

23/07/2024, 00:52

240723-a76dzsxhnh 7

23/07/2024, 00:47

240723-a5lxkaxgkd 8

23/07/2024, 00:44

240723-a3t56axfkf 7

Analysis

max time kernel
25s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EclipsePlayerLauncher.exe
Size

874KB
MD5

7a1acb733866558632ab929bef57828a
SHA1

3351f2d2648aaeadad4d6e7d212152f6ed7bc615
SHA256

4e839b8267d170c054a00292d0d93440b9709066db6f787132f866dcfa8a9dd4
SHA512

b074123fd9b8e01528ef49c9d46a20c9c33b634e5b367b8f8e575f6b63687319648c822ae4d54b71bcfa8477f087c1cb29bfa72a64a58c3436cd72e11714d91c
SSDEEP

12288:ljh5+ZymNqi1Uc6Tn0aYWBsTKIgCTsjfLxLS+AMDRFJh8H:ljeZjN5t6Tn0a7VI9TifLxm+AMD/Jhe

Score

7^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	EclipsePlayerLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EclipsePlayerLauncher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\Exit.png	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\particles\sparkles_main.dds	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\Settings\Help\[email protected]	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\android\textures\sky\sky512_ft.tex	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\scripts\ui\Modules\SoundManager.lua	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\grass\normal.dds	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\ui\Shell\Images\Robux\RobuxSquare03.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\scripts\ui\Modules\StorePane.lua	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\sounds\metalgrass2.mp3	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\PlayerList\CharacterImageBackground.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\scripts\ui\Modules\ConfirmPrompt.lua	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\SDL2.dll	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\fonts\characterCameraScript.rbxmx	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\[email protected]	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\android\textures\pebble\normaldetail.pvr	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\pebble\normaldetail.dds	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\ui\Shell\Images\Robux\Robux01.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\ios\textures\terrain\diffuse.pvr	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\pc\textures\aluminum\normal.dds	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\chatBubble_bot_notify_money.png	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\CorrodedMetal.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\scrollbuttonDown_dn.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\concrete\diffuse.dds	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\ui\Shell\Images\Robux\RobuxSquare04.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\fonts\humanoidSoundNewLocal.rbxmx	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\advancedMove.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\InsertButton.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\Scroll\scroll-middle.png	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\Settings\MenuBarAssets\MenuSelection.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\Settings\Slider\[email protected]	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\sounds\ui\Shell\MoveSelection.mp3	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\shaders\source\smoothplastic.hlsl	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\grass\normaldetail.dds	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\ui\Shell\ScreenAdjustment\[email protected]	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\pc\textures\water\normal_16.dds	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\sounds\action_jump.mp3	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\sounds\woodgrass2.mp3	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\DropperCursor.png	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\water_Subsurface.dds	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\ios\textures\rust\diffuse.pvr	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\ios\textures\water\normal_06.pvr	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\pc\textures\woodplanks\normaldetail.dds	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\scripts\CoreScripts\BuildToolsScripts\PersonalServerScript.lua	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\Scroll\scroll-top.png	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\Settings\MenuBarIcons\[email protected]	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\android\textures\water\normal_22.pvr	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\android\textures\wood\diffuse.pvr	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\terrain\diffuse.dds	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\scripts\Libraries\RbxStamper.lua	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\sounds\uuhhh.mp3	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\sounds\woodmetal.mp3	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\sounds\woodmetal2.mp3	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\Settings\MenuBarIcons\[email protected]	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\Universal.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\scripts\ui\Modules\AppHub.lua	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\ui\Shell\Background\Home_screen_01.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\chatBubble_botBlue_tail.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\Cursors\Gamepad\[email protected]	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\DialogQuest.png	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\loading\darkLoadingTexture.png	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\dialog_ellipses.png	EclipsePlayerLauncher.exe
File opened for modification	C:\Program Files (x86)\Eclipse\Versions\version-five\content\textures\ui\InsertButton.png	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\android\textures\grass\specular.pvr	EclipsePlayerLauncher.exe
File created	C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\scripts\ui\Modules\ImageOverlay.lua	EclipsePlayerLauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{23C9A42C-76EA-4259-BBC0-051CF995CE29}	EclipsePlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{23C9A42C-76EA-4259-BBC0-051CF995CE29}\AppName = "RobloxPlayerLauncher.exe"	EclipsePlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{23C9A42C-76EA-4259-BBC0-051CF995CE29}\AppPath = "C:\\Program Files (x86)\\Eclipse\\Versions\\version-five\\"	EclipsePlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{23C9A42C-76EA-4259-BBC0-051CF995CE29}\Policy = "3"	EclipsePlayerLauncher.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{992635A7-D231-402E-85FD-DD275D8B24C6}	EclipsePlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{992635A7-D231-402E-85FD-DD275D8B24C6}\AppName = "RobloxPlayerBeta.exe"	EclipsePlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{992635A7-D231-402E-85FD-DD275D8B24C6}\Policy = "3"	EclipsePlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{992635A7-D231-402E-85FD-DD275D8B24C6}\AppPath = "C:\\Program Files (x86)\\Eclipse\\Versions\\version-five\\"	EclipsePlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\eclipse-player-eclipse2016	EclipsePlayerLauncher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\eclipse-player-eclipse2016\WarnOnOpen = "0"	EclipsePlayerLauncher.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016\DefaultIcon	EclipsePlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016\shell\open\command	EclipsePlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016\shell	EclipsePlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016\shell\open	EclipsePlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016\shell\open\command\ = "\"C:\\Program Files (x86)\\Eclipse\\Versions\\version-five\\RobloxPlayerLauncher.exe\" %1"	EclipsePlayerLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016	EclipsePlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016\ = "URL: Roblox Protocol"	EclipsePlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016\URL Protocol	EclipsePlayerLauncher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eclipse-player-eclipse2016\DefaultIcon\ = "C:\\Program Files (x86)\\Eclipse\\Versions\\version-five\\RobloxPlayerLauncher.exe"	EclipsePlayerLauncher.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1876	EclipsePlayerLauncher.exe
1876	EclipsePlayerLauncher.exe
396	msedge.exe
396	msedge.exe
1448	msedge.exe
1448	msedge.exe
3252	identity_helper.exe
3252	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1448	1876	EclipsePlayerLauncher.exe	95
PID 1876 wrote to memory of 1448	1876	EclipsePlayerLauncher.exe	95
PID 1448 wrote to memory of 2752	1448	msedge.exe	96
PID 1448 wrote to memory of 2752	1448	msedge.exe	96
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 2208	1448	msedge.exe	97
PID 1448 wrote to memory of 396	1448	msedge.exe	98
PID 1448 wrote to memory of 396	1448	msedge.exe	98
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99
PID 1448 wrote to memory of 2220	1448	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\EclipsePlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\EclipsePlayerLauncher.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.eclipse2016.top/download/thankyou
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xa4,0x108,0x7ffc92e846f8,0x7ffc92e84708,0x7ffc92e84718
    3⤵
    PID:2752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:2208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
    3⤵
    PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:4000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    3⤵
    PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3243648476273846970,2114221747349870264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:1316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\android\textures\diamondplate\normaldetail.pvr

Filesize
76B

MD5
c95b632eaa85ee45533c92f9072b1b7f

SHA1
940a0f804a6e22fa81abc194f5fabe20fa3bfb06

SHA256
f0f8c09f264a70500007579b065d78dd2cfdccb647ee2c3e386ffd36cbe0937a

SHA512
9f5e1d55c6452a853d7a6564ed3ecfbb009ab5fc94b800b07cdeaa814a6c8cb4fc11abba8285af0659093a0db3c8cabf9b139793263e662d7b6e6c00c70a5980

Download Submit
C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\durango\textures\cobblestone\normaldetail.dds

Filesize
176B

MD5
620e055b9e500e85a131d8be2a65c11e

SHA1
d7fa8af56bfcfd48f38931e3ef8606585664a248

SHA256
2a51ad9239a2102af2c08ee23e18407c3500770a931332a722c643ffca90a60e

SHA512
551a93a5cffbc008f6d6b122f4c45d686faf1ef5a90975b8b2ef906123d7981e40efc644494957544832f5f605dac434714239a17baea97fcb38175d589d8794

Download Submit
C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\ios\textures\diamondplate\normaldetail.pvr

Filesize
148B

MD5
76b5c6a7250cb51ef7e5393dbe7f5668

SHA1
b06bcf998544656116b60e930fe973e220359a0d

SHA256
07d105fd1973fcc0183714e21d509b04f71cfc9891982e9547ca17fd493310d0

SHA512
d5bea6224a3da9c7185b5f94fb0c6c05ab03a71c1b81d81c0f67cfcc717a1a564670cbcd39a54167a09bcb0f8fe124fa296c774985dcdc2375ee5f2f58ac2732

Download Submit
C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\pc\textures\aluminum\diffuse.dds

Filesize
152B

MD5
b79e6464c2a4e060275c1a947d2c46fc

SHA1
cbc5d75c02e4613e9002e39e9ef1d00d63183fd8

SHA256
8552dc6e0cb6d92005d531258fdb0648f943c720eafff55b51659ec80b7c3e3c

SHA512
79f8c6437f1e73b2b130fbdad2e4890bd0510cc47cfa77fa96f44e1ff4dcaf7718a7677df929e423f5623d59a94e1876d72be73c0be411128b29702237c9d0fe

Download Submit
C:\Program Files (x86)\Eclipse\Versions\version-five\PlatformContent\pc\textures\concrete\specular.dds

Filesize
170KB

MD5
a4dcc342dcb963f298003a63d488ab76

SHA1
e5656b38670fae67de13e70f09ed6258aa365289

SHA256
454ee746e774d4a1611cadb2552eacc28167ff3f3306018198a8e203274ccb47

SHA512
6074081ad0cdd4f69d3ded98bd34f7c7ecb91dbb92e3146ec4013156e4ee2c728ca00d3ce5f45d312438df2cbe5a7a09dbab2957489ac4ce2e7af8a9408c19fb

Download Submit
C:\Program Files (x86)\Eclipse\Versions\version-five\RobloxPlayerLauncher.exe

Filesize
874KB

MD5
7a1acb733866558632ab929bef57828a

SHA1
3351f2d2648aaeadad4d6e7d212152f6ed7bc615

SHA256
4e839b8267d170c054a00292d0d93440b9709066db6f787132f866dcfa8a9dd4

SHA512
b074123fd9b8e01528ef49c9d46a20c9c33b634e5b367b8f8e575f6b63687319648c822ae4d54b71bcfa8477f087c1cb29bfa72a64a58c3436cd72e11714d91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0983eb9ccda8a9546205a459061d2d6f

SHA1
64ab88d6ba7122eec24987ac97671f8dc420450a

SHA256
8832b01b2e72673d7fae8b0c7479d50271ccb6ceeb5b867c24534c1ec3e7ff23

SHA512
748ccbf52d6d928cd0f36acfe35b42660e9daa9035f4b63433e2bf2ef9a1869858f158ca53d6bf442f20a0619c40af6bd590a0e17439eb83080ce18308cb4b82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\Desktop\Eclipse Player.lnk

Filesize
1KB

MD5
c375720b2b9dc708ea790847fba87c1a

SHA1
aeba6ae2c4ee37b667acfbc993056392766034ed

SHA256
14fbf859cd692e5efa4340864acab9e0a2887fe9311d11f5f838608c1054cacb

SHA512
974d5855d88b6b41f7975d6f714fe545c90c518887fd1be478f534c446df2cac52d148872e873d2dd7424dea29ad2d845c2bad86373af30703c651a9ada2c900

Download Submit