hxxps://domslayer342[.]itch[.]io/five-nights-at-freddys

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://domslayer342.itch.io/five-nights-at-freddys

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5672	FiveNightsatFreddys.exe

Loads dropped DLL 9 IoCs

pid	Process
5672	FiveNightsatFreddys.exe
5672	FiveNightsatFreddys.exe
5672	FiveNightsatFreddys.exe
5672	FiveNightsatFreddys.exe
5672	FiveNightsatFreddys.exe
5672	FiveNightsatFreddys.exe
5672	FiveNightsatFreddys.exe
5672	FiveNightsatFreddys.exe
5672	FiveNightsatFreddys.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4112	GameBarPresenceWriter.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiveNightsatFreddys.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{508730D0-736F-4DE3-AB23-7798B20D96C1}	svchost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 634098.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1260	msedge.exe
1260	msedge.exe
1888	msedge.exe
1888	msedge.exe
1868	identity_helper.exe
1868	identity_helper.exe
5252	msedge.exe
5252	msedge.exe
5340	msedge.exe
5340	msedge.exe
5340	msedge.exe
5340	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5672	FiveNightsatFreddys.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4508	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe
1888	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5672	FiveNightsatFreddys.exe
6020	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 5048	1888	msedge.exe	87
PID 1888 wrote to memory of 5048	1888	msedge.exe	87
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 4296	1888	msedge.exe	88
PID 1888 wrote to memory of 1260	1888	msedge.exe	89
PID 1888 wrote to memory of 1260	1888	msedge.exe	89
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90
PID 1888 wrote to memory of 2280	1888	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://domslayer342.itch.io/five-nights-at-freddys
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaae9546f8,0x7ffaae954708,0x7ffaae954718
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5252
- C:\Users\Admin\Downloads\FiveNightsatFreddys.exe
  "C:\Users\Admin\Downloads\FiveNightsatFreddys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:4112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:6096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
64054b37c0eb4fc637ac67c8118ff4ca

SHA1
877c80e0c0a31bea92091064bfb137430f0f9498

SHA256
559202b322e231a73092f40706fa0f7f0eeb2a327d9862df5687084aa75edbea

SHA512
99b35de13bde27b9c7591f50c103f6c5bd49de7f18173c2c3582d6f11bd32aea3f28db05231c17a19e17a2f664762fd92e0ed96798f1081ce4896f590332b9c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
07ebcd490ab714fede103f08cb947458

SHA1
0d556dcd2d062f0390a0a8fb4cadf38638738881

SHA256
c46f01eb5a2c2fb62c2871a90935c12b4d24282680b8d4f755c01aa4b624355f

SHA512
9449c64ea3db3b5e847637a883edb840d1ed7d9358ac7ecf8c3e82343ce99afe7593c078af3e0ee262dad799aead5c7f50391faee542868bbc3585428d18b012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c83090a5bb70fcee4d56ad176bd0b6e

SHA1
e0e31f689ed3e0e2f0ca2b463e22a013f2764b37

SHA256
31429a0b17d28b4dd3f6c2475a0988f484c603b2c4bde4f25a2d404a26f8fb12

SHA512
26ba2be2b42c0706a42d1cad481dd118d09daf33d6303a2fbf5bb5e19697a0fb8e37bb0dd48c0e63dadea81e66f63e72acc1d2b679d1e22d22ee542f5d7110c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
15ece927b4efb442991ce6907ecd0b5d

SHA1
0498334b0b214c6d6722aa0766e0a6fea8bb505f

SHA256
1c5c1660344406ec7dccf99557ed20bd4cdf2aeed71cd5b745b2fbb7f42a28b7

SHA512
8e5e69fb3a9015808d71f44a311945fceec8e37773b4e156ea8871c5ac0ba725e9ce7daa4f8d2e20693ac2548ca17f83365558a6354f1e4b2b8181401d09f4ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
eb7cac5f097799d462f59beb921e38e2

SHA1
1c71d99de95d3933170138f0d7aa2391b1f51a6a

SHA256
e5f9b3b9d05e407a4ce38e9944024051d23a54fcca2d18422e32ea09caf544ed

SHA512
79a225cb21b46cb69cac5eeaccd55f25bec59cb3d56ed9b423ab3d9576b87a5d3eee8c007205f9588fed32480c91c55c5ff4a18374fe02bc68b0db3202ea3b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581b53.TMP

Filesize
367B

MD5
b498d4b45028681b64115140dbe44ff7

SHA1
7ea6521ddb40e05c5adc3ac0ac421fc6aef1df38

SHA256
4b12f49fe24a0354ed7c31422b044e3ee47ac8e2e3ebae5db0fe039bf054d551

SHA512
1fdcb74ec07c737ed309f141b95f88269fdd27cf1678ad8667c90809185dcfd12fd36028a1e7918216f49d81375ab96e93ade52ecb53b87b20572b115088a110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5b0c551c92c949b8d4894b65a887b0a

SHA1
323843f1250f11a4662e03a2ec1c127cdd32ac35

SHA256
cd44afcddef198a6b77f0824144df1452c12b8a02bfd605a7bb2963f17754578

SHA512
687b2cb5a3eca919825a5ad99d032e4072596f4b29020b4574b229f24f1c4d7d9a9ec258f502183766561b5b0d229af483e3e598bac88b9ce0e64f252b30cae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fffa0714511e3c8d71b91048c8af11bb

SHA1
d0cc0571c04b4212190a912524ef282552ab7129

SHA256
3155530ba64ec76cc0b74f340f02fc4748aa66d880bed75c46dadfef7d56c38e

SHA512
9129615fa3918e6b85678171daba4db7be88c90e31ac444428bd631c53661ee4c44ef7fe280a723da0d3d237c4553a56547b27440c0a7dcf5ce2e1a002f63ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7bc5914056b162c3e43683694991eb01

SHA1
4341ce924f068a1524dad0a905ac5609add53ef8

SHA256
6a9faabd193f52bf497d39b7f61714f71f8339da7e573a8cb3ea31754a49f7b7

SHA512
a695302fd9116162c14b388f9bbf057aad2ac8c2f04e440ce41833bce4f34211d537681c2a2b7642ac068a2511d4fd28e4b27844f1b48e2f1aa7d9f647762f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt4A72.tmp\Perspective.mfx

Filesize
15KB

MD5
9f064bdcb066daa428db0ed9e33e785d

SHA1
3c0df73cf247ce49d1010fe0e2f722424fe43f4f

SHA256
090925a4cd961f22b1ecd2fba4ce04ab063e26507a1dc09b1d6a40c4860a8777

SHA512
4a510ce13c379e8cb5ccb9f9c69e28e9440f48156c8c4c1fef6987495cace7c028d45530ac961f47786e8f503f90c54310cb1ccf43d7fd584506461c1bd616d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt4A72.tmp\cctrans.dll

Filesize
64KB

MD5
a20165b7e7dfee46a59e48c175523af0

SHA1
6ed627806753d11e1a121689369668294d15be74

SHA256
cba1c0fa69bc6b106408d06878390a5699cd2b25adfed1a2610ee01ae2524cbe

SHA512
a9295b814fe77aa4ba4dec5cbed790858852f775799fe9da01bf07d67fa294d4ca1c5a68c9255c3fb716d0dbeb8b5a5ea38b8ec72263f40957beafe7bf323cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt4A72.tmp\kcclock.mfx

Filesize
36KB

MD5
35fa0df588606e5a382e7c155b28d0ff

SHA1
0552d9a6124b11d3ccea7ff8170b3a84c2afd0a7

SHA256
d320a4aeb6940a6a8589a99e5e16abb086e96c4c3376fdf4f066c0e125302247

SHA512
0421292d49fcf3bc87091f52fdc6def36cf7ace90123ee16289e6893c57d8ff23b72c8e9ad2261b9267c7c13f9de9d8c38246d6d68d3bad97c8967470d81ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt4A72.tmp\kcini.mfx

Filesize
28KB

MD5
5522465eba7c81f1fb67d6ad1a5df233

SHA1
0ec415bfaa9db6984cf922d5503d9fde67d0b3e2

SHA256
82c4f5af3c25a8daf60185833d3d61f2e8e2851ad640b59af54060eab6bc859e

SHA512
30d0ed91bf072e7b7367a708eb6a7d92cc0f326249ffdd44a0d94c3b8feb37b38387141c88add61a578393a186e9fb379d42ab0018aa14e917705e4344233f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt4A72.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
22284d6bb382967ff72363f828050e13

SHA1
5c98e25d24aacafffded9353c9526be0128c6dbd

SHA256
9eaa342059785bd584df956574c637e6d0e6016a099221a56e0397f8c86cd93f

SHA512
2e5a5bf115b1d2a07d0647b6f4925ab84301ca6354e3f3beb8d44f51900ff21b06b97b23128160fd94dfd33116d03094ca47c49143ae98473eaaed441f9705b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt4A72.tmp\mmfs2.dll

Filesize
459KB

MD5
4cf7bb74d8104280b7e986f4df21109d

SHA1
edc21a43136afddbf4786593e84b934d40591b74

SHA256
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622

SHA512
2bbac48354657659795697e67508d777ee595348e1fb3d4b6c65d8618c346b3be0052b1e2e2fe669dcca19c3c00d59d1833acc21d88a97efbde2694935e3c292

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrt4A72.tmp\waveflt.sft

Filesize
8KB

MD5
f76739536860a0bdb4a7e3bbb0c06d08

SHA1
b21581aa36eda87db8845caf58c668749e26b29f

SHA256
41136b09b033a20b9acc430620ea095ff76afbdc7aebe7f26f7d2b4315afddef

SHA512
6e65f23a4c1e3b0068b190f9aaaedcfa0466b0185cd6bbafa5f6f6940c8bc332e7c8c611d1b3b63bb2c5fcda48bbe2a678d81a3819940ecc0c701d6fec4194c7

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/5672-283-0x0000000008250000-0x0000000008260000-memory.dmp

Filesize
64KB

Download