hxxps://rule34video[.]com/categories/roblox/

max time kernel
31s
max time network
33s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08/08/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rule34video.com/categories/roblox/

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3552	msedge.exe
3552	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1764	1320	msedge.exe	79
PID 1320 wrote to memory of 1764	1320	msedge.exe	79
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 916	1320	msedge.exe	80
PID 1320 wrote to memory of 3552	1320	msedge.exe	81
PID 1320 wrote to memory of 3552	1320	msedge.exe	81
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82
PID 1320 wrote to memory of 4424	1320	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rule34video.com/categories/roblox/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff956e73cb8,0x7ff956e73cc8,0x7ff956e73cd8
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2474057708734960869,4158691233354544773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:2016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cd7ca44526f7b8fb9a0f7c2aa8c1677a

SHA1
0f0dadc10d0746dbd4e77aa90ad9fda51eb8661a

SHA256
d3417f83c5762c621282354fc8ee35c7eb1a05bcadec08e65391b9961b3b7419

SHA512
ffe5bbfa9d320be65e1208045eb5d44aebe168c318db0cff02aad41af4a1d98bb216bd208e7633d404577fcb3bdabff73b1eb97e481d9df2af423db39919b8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14e0d125dac7d7b3f1b286e0b60374df

SHA1
b09cf85cc913069e6fb58b851d73b3ff933c20a7

SHA256
e08d279e3456c8401ae544573a794330754e0a218cdbb9159de214721b028fce

SHA512
7bd21ca84dd0e4bd758f3ce6417acb367c132591dc35aec770a23baa29c417128a0cb4e644a6b4d6b2dfe17090b263a24fdacc510365eeb89da21e62f225de44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3612daaf7b473b82f35093cd4cd84e88

SHA1
7d7b8cb14e8566f6c23d9259c7e39cda7e6bd163

SHA256
5b062dd7bdf2d3bdcfd8cb82b6462c35448effc14c35fe5dff50c0d861413b1b

SHA512
0c802c7f642f6cd4b6f073a139ee13aee8d449adc02d3784c5cdc21a76a3612720688cf551498a37cc65cc79d0db6be47bfddb56d4322674d081d639ad709b77

Download Submit