Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02-09-2024 05:33

General

  • Target

    https://www.roblox.com.bi/users/5445740091/profile

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.roblox.com.bi/users/5445740091/profile
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb02cf46f8,0x7ffb02cf4708,0x7ffb02cf4718
      2⤵
      PID:4848
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      2⤵
      PID:3772
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3424
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      2⤵
      PID:3244
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      2⤵
      PID:2120
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      2⤵
      PID:2092
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      2⤵
      PID:1120
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
      2⤵
      PID:1464
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
      2⤵
      PID:4560
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
      2⤵
      PID:4668
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
      2⤵
      PID:4460
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
      2⤵
      PID:1360
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
      2⤵
      PID:1664
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16984796666176707718,2528935768931265881,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4368
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4592
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2472

Network

MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                Filesize

                                328B

                                MD5

                                1d39ac11cd2dcd7280767832a188654e

                                SHA1

                                7dd1e0aec3fe8affc0fd4987d94b9c8dbde22194

                                SHA256

                                ec65f3ab5d6ba97cbf897964f82fd254a982b125786e80e6aa88ec228641a793

                                SHA512

                                f06b5bcc51d94b56f23cf6e4327a38e0f5f5e52883bde6dc1c2eb00cb6b72a0b6b4a1133f506f7980714f44c9f85f6d6909348fd77d7ea574dcac5d52c287dd5

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                53bc70ecb115bdbabe67620c416fe9b3

                                SHA1

                                af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

                                SHA256

                                b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

                                SHA512

                                cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                e765f3d75e6b0e4a7119c8b14d47d8da

                                SHA1

                                cc9f7c7826c2e1a129e7d98884926076c3714fc0

                                SHA256

                                986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

                                SHA512

                                a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                Filesize

                                3KB

                                MD5

                                afb23e309bccf2e87f64f38f784459aa

                                SHA1

                                2ae117a8677e322a48b243b5dc7e8697398faeac

                                SHA256

                                5f305f1071d3fa5eb9355b52b31dce54e12723660aa53cdda471f28d92dfe0c2

                                SHA512

                                f9e3df481c0465d35c1000e1b93bbec79403801256a8ed433f04bfdd60a0561be8a68c73e92830d5a0c8fcef75dfd2ac948e83d7c34455d48c751fa10f8b6025

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                Filesize

                                2KB

                                MD5

                                68535b53cd31e37ddca82f650bd6ec66

                                SHA1

                                9387098633c2178bb84487a188084f301763d417

                                SHA256

                                713f75e249c920c26f853730833c30845a2d803628ac72ccc9bb56436e2f2fe4

                                SHA512

                                7b399f1be3b9f161b12cf91d100d47197b5979acdcd42842f0218a5a49651f085fc1ce355c6ee92ee01ed899eebc515226348bf376a296da4f4890a33c7be8c1

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                Filesize

                                3KB

                                MD5

                                2959e1d79a4ee606538f689bcc936e2c

                                SHA1

                                da039ed89a4e659b7db3b9088414453b2b2cc939

                                SHA256

                                5cd4aae5d6dbdf0abfa553bac3b722d5ae22773fee4ec436465ef1f87d03bc73

                                SHA512

                                bed6c3c68f06a71b412d23ecbe2a324b8e38044cb4ffa8b40bf9e4a42a07d52267f0a5c67f831232869998a6d3282bf6f59886057fe114ce1f1b420a0cda158d

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                Filesize

                                3KB

                                MD5

                                6673850811664d3f88b8716229d91665

                                SHA1

                                0d26180d9c989b3d25c2cd1f4deb0ee3616dcbc8

                                SHA256

                                41cce9d52e644c3d51fb8289c010f354e6a95bcc3cd187bf7b898758e0016f0f

                                SHA512

                                a7f68aef63be41918fbb5855f043355971fc0e67b819403213ab122bf8801f67d7a2208e154bfb4ed6cdc0f601de25b120d0fef8c431829b393cc45ef500144b

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                7KB

                                MD5

                                c4eff6183bf2a327e4a56c46d6c8921f

                                SHA1

                                ce542c2a89bd2d34258a100d9fdb3fce24aded11

                                SHA256

                                b26a3d173eeb36f0c6f4991973fbc77a72914a4630797d901ee75f04bccfe633

                                SHA512

                                e05ce9f001ecc2d593d6eae8bb9e1068f1e5ff6494a1ee83817df1e5e64eefe3e7a87c92b48d5c654d810036c694621705fe95e4beb9bcc0ded72e3111d7a8f6

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                308fa3facc3dd2b4e7b84f211f4a974e

                                SHA1

                                46742de0ee9b69b9afc53c9af2e974a4ba8ab380

                                SHA256

                                349e7b3198762b12f883ec92c2b6d377885df264bb5c10509f3e53ed0052353e

                                SHA512

                                e124ffee8de54b0d24e16400c936fe94f113f128ccb451860541c6bf6421e53c605516c5defb99ee5cfe95e54619bbfa7fa90245ed0dc1c188d02c13ea9e669f

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                b8c1a6abd48dcf9a70bc4f1ca256928b

                                SHA1

                                ddee362356060bdb42a5e4e291ba5dc8c7e864d8

                                SHA256

                                b02d819c82400577c2486f52dd0567c2f792177d632193c5bf2227e359a67396

                                SHA512

                                39d520c3b5f0aadb85ea5d4c55723e5723f1d9d99f1601beb348da0915275d7f9884189d0369957c783ba22c435ae908b93bcf2b01c27a2302f8debd4b897d6c

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                Filesize

                                1KB

                                MD5

                                146fad4aaa45812250e8dc6900765be1

                                SHA1

                                821997464a59eab2f99c91f8750044b110c247fa

                                SHA256

                                78f9cf33ed7dc3b30df480ab115fe0a887c9be21247479884f1bb15019e080f5

                                SHA512

                                9487c7c20a45626cdda33e7dbdea92e04cbb8404f2ea59c5ed74e1e45b78a616a2745b2e45fc5aa23678337960a7e11fe27405f28cdba992d5dd23b6d5347d97

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                Filesize

                                1KB

                                MD5

                                5395cc1b37c5417a8d6152f5e954b42f

                                SHA1

                                284d709ae006bc4b556475e060668d5345ed45cf

                                SHA256

                                b7f2d68303c0486727ba539886ba68232bff2c9a6bc7a16d87052fd016a26dcc

                                SHA512

                                c3a5c443ac54c98a8760c8a74ac3eeac0d5096ac87bdf6f25e84846c2413bc4db1d33dd189f974322e29fe4fde3c106787112105837179f60996734d30afd3b5

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                Filesize

                                1KB

                                MD5

                                8bd4ca75637c098b9f6384f5d3090267

                                SHA1

                                15e4e1368602e344fc189f47b5d77c2e09043478

                                SHA256

                                588cad68807bde17a955a2d53831ab79bb7073a9f9472d0ae43cea16984c15c5

                                SHA512

                                ae99f0ddb415da9f56336f383aabc1d9fa1dbe6350b4b215ba4ce6bcd9bd6b5372e3c9f0cc4dcaae970264002c3e4613bb7b09ff60637d2e182fd4711fe5ecf5

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                Filesize

                                1KB

                                MD5

                                f528af2e6710246e9ef6b07fb5ba49cc

                                SHA1

                                e31258c39ebeb15446ea2cfcf3de931f2118cb3b

                                SHA256

                                2af86aef124296eea67bb10dcf1c27bc00d691f3fa6888c6579b47cf534d7b10

                                SHA512

                                68d391538e15f97890aca65477317575793d673b479fd2f9c6c9ae052ea2f6085afa33580f63c8af1d3b1dd65a7585d577b27677278506f8d45b7130736446c8

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                Filesize

                                1KB

                                MD5

                                ac48f53513716973b48b95468adb170f

                                SHA1

                                3af968c8db9ab0ca7803997d23e6aede041438d9

                                SHA256

                                2527d58a2704e9e306482f9c0aa648cf11f6cba34dc9a3b7dcaa5f6049594d2f

                                SHA512

                                4d7960bbd12dff9a18470b27514b20506b6c5ac958e9cb00e41098d59c389346407a1f4d50e519ded74a2f5787b14dc48fb467e4fb4a8c028d813648b3c63b85

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d736.TMP

                                Filesize

                                1KB

                                MD5

                                a403a4f3dcadcb53024e55813c58c351

                                SHA1

                                84459ac77c0beb24ae65a2fc8b8ea980c0ebedd4

                                SHA256

                                40c1d62d9d0efa3527bd085462ad33797790956a587edbe1febebdb90b1846a2

                                SHA512

                                c504c8fc5744a9b9f775faf356408880e4ba3c3c4abd23b0a57fca9d23f625a9d211aeef1daf6340a1d47b16e65176e340b7625fd2d7bddf7c796f8d111f17cf

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                dc5fb9d2159662e2f691b3ec695374d3

                                SHA1

                                39efc04d80e9fac77264a50af99e993fceb236ac

                                SHA256

                                a2aeb996a7f1e59c421502bdd08c410fc6a7379d07b37370c3e4d822589e7657

                                SHA512

                                9f2ca9faea54c956029d664287d212fc6a27306414bbb0362f6b0533bd6300dd397c411e0fd3395d5e3b8b40ccb7d0aff6cf4ae1e7086662410fc18def6b05d7

                              • \??\pipe\LOCAL\crashpad_3204_JUCKQGENINYXSRBB

                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e