hxxp://robloxhackers[.]lol

Analysis

max time kernel
1048s
max time network
1045s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://robloxhackers.lol

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3492	msedge.exe
3492	msedge.exe
4620	identity_helper.exe
4620	identity_helper.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4736	msedge.exe
4736	msedge.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe
Token: SeDebugPrivilege	3788	javaw.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
3788	javaw.exe
4800	javaw.exe
4800	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3460	3492	msedge.exe	83
PID 3492 wrote to memory of 3460	3492	msedge.exe	83
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 4212	3492	msedge.exe	84
PID 3492 wrote to memory of 3912	3492	msedge.exe	85
PID 3492 wrote to memory of 3912	3492	msedge.exe	85
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86
PID 3492 wrote to memory of 4872	3492	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://robloxhackers.lol
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd472946f8,0x7ffd47294708,0x7ffd47294718
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5188 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1380 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,5628717112006275383,17587245792570173257,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Download Loader.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4608

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\r8x2vh5c56.jar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
1e8832fb0b7e140899e3c4cea63bbb43

SHA1
b71583f8d4927492f91d3683d0ce50486e0e2470

SHA256
9ff127b29e33974ba308b6f760fe1203c9242ba3b6cb115b3336eee87a1e23bb

SHA512
5e28c45da9330da9cb7600ed49dd0c6bb10db5c207aec86045f88d31276a2d4bb7f7dca44af027bf86e8d89f53575ddfe17fe30e66e73bad6dfcf695697566e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
8f06fcb34476771502955646a6cfbbb3

SHA1
f88a07b0d9737f8f69312eb64f2f56a903a258bc

SHA256
2e8d519400d79cdad64990c7c5615a7bbb37767095623390d2b15f5e69b4d373

SHA512
b9e2bc5e790d108c1258ced0d84bc010ff090aa15382aa59918438563d9a252d365bb8afecb70ab5b9255f961b27fb6d2e8b711b7130d5b210b5879e885a7c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
b3277af2e434ba41f0d0dcc79af65a42

SHA1
99b6d1268208a50973524ac425f13e09dda74825

SHA256
10e56b3a59999b12c2bbc34a000188a98901974f5c34c3baa2fd7fe75c84a742

SHA512
71ab181492a4c6ff0bd27eb86ec7f8f384dc26c62102751cb08b94ea336a3f1fb1972d1b6b00f831bc22a06cab64b1d89510dfb60905feac24d39c031cd520aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
7b4935e952008b7c50cfc7bce59063cb

SHA1
597b669196bec4821371cbb9fd42ead3e186f9f2

SHA256
7487a68c598816813dd447575eefdf34cc2fb670ac4369708282d6243b9f2a29

SHA512
1d41a32a367f27e09970999e3ee98016cfb8e94edaea844c049fa1da939656f78c9f2d82e6c1e5e652beb7df421e68f89465863a2ca55ce3c6d8df523ccee7c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
557B

MD5
f274dc86e8b4d27ac0d917bc83e57cd7

SHA1
add8420b93ea2665c39adaf2fc25c8b4cc36ebb8

SHA256
b2e8f9481a1c15583d9131f88ab333efcc3dcd80bb747f7694bab293c628bee2

SHA512
793094a03d7fa3736603e89abdef1518d9a6dc68e230d5858023060f3b2f0c6fe9f6f3dca4cc0e874c38c7657ea8a57484fd95d7ae73abe2ac99d42c578133e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ef715f7ad3a74a05a3e4ed7452e560f7

SHA1
bc882bd46ff5c40de8cffed12fce47c543446cb5

SHA256
05da2b14098a0f8fc43ee94798f9740aea853130ce8f90fba9b3343a10049df0

SHA512
a6897eb24db25afa61541446eb7a9bdda02ecb48e346ea920f745ceae39813b81d86a84956f31a7ba2a90b91d78a8c9bd97f5943e2ec32a9b6f286e7d0493611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
46f5f9e2a0f36438c80e2c2577ce85a9

SHA1
5baada412b36b81338df062fa51abd0ed176e15c

SHA256
ae0e336e1db48f92e4d5461380d54cf1844c0caaa291ab29fc1d1ce8a249f985

SHA512
f32be090940e7b97e42ce0aea12c311225b032fad37244368ee9404446d10e702d3a3d5e3c94bc7e0b65e05fd44c8e7bcd3b9e30c153cdff5df8d1ed8d1233a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
97292de4b91b372f94ca0b389701671d

SHA1
5fff3b55fe26eaac6c4fdae43266c713dc6506f4

SHA256
39754b73e620cff2b3f671eababefcc81b987a917e31424d1cf94388d629d77e

SHA512
a54ddd2e38f32f3bd59e1bd27accc4e675184d59dd3fb9b8bcf7b9e0f9f76c782ccd2a46e393633527700544856d96a02923fbccec0d356245d7929a7eaa7687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c6ffeebb5956e55e7d8973bad0da64f3

SHA1
82379c7699af76da9cc474c27f5c972ed7eda5c9

SHA256
9e70f76414fd126151a9dc4c50d6acb1973c95a85e3176d5b9d7e891f6c014da

SHA512
43eeffec9cdd017eb5ea1258f9b2e38bf44f0b7932f4cbb3caa16ab110c52b83a518bd9381262bbc8296c99a379fa888ea65507c7b0bee605b3fa9b4ca52bef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b99f4e4989d509d30d56f670469ce19

SHA1
861b76620dff18132855a4d185517f83a1fbe10d

SHA256
81dee210bb2339ae1cd48999d7f8e133b62d51774e0751e75fd1c1882902681b

SHA512
eca3e8bee5d72479f5983021c9e6f0221dbac26378c5919b67d801ebc03a21d0dc8c7de5a4e8fc4ccbb7f7e2e542a459c4bec4c6effe73972090366a9e82d8d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fa251c4a7db7141ffc0c53d4de40838e

SHA1
287b39c52263c30d9dafef09c60e2903e8f887de

SHA256
c49f421d0c0c5c5a51c672440087a11b5587cdaa03df7cf4ce816f01d269708f

SHA512
86fca22d7244cfb59ebe9087a5f24d2b194234a97b3d7f42c1f06a3c2a48673dbaba22b58489c53d5b331555ccb2e7b370124b18a8d98c08300e1bfb93b8a40a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3947b6f193d81e8565713333fe26099a

SHA1
7341836620fd855557aacd53279cf1956c58a025

SHA256
2a136013b2fe1554309d5d656270fc1ba02102d4d7c1c195e9ec3fb449af9113

SHA512
edb93871a98156079b54221065a6beb6836b336afaa1d14f4adfdc5465ab663382ec61415e7c4ae9315b3233f224188ff6b617b3672edf6a7129d5ff950c07e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
388248875db23eaac527eb7c1b2c5939

SHA1
d1ea343b49754bbcbeb07abe72414863ea00ea4f

SHA256
b4aaf1be8c1f1905b48f3543df2370fb297db5932e56d065ebcbad2eec0311ec

SHA512
c37b46ad0812db8ea214f7afb1fcecd18673549cdf53f48c9ae1e8527270a8b9c9269334e1e5c421d2972568c0ea7079b6c21524bb1c8ea85ecee7a1ae204e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
32b0c7dab0f733b5128f19a1f59278ba

SHA1
15c0227bb1749eab6b33f4ede2a76aa78b49180d

SHA256
ba57262878372cd543d2a232c20bb5468a8cd331b2b8b25988ece1afca0d31fb

SHA512
844621ef98a422f873b8cec30af2981807021389c49145e81ee5bfe0c6a5ff2aa3aa8092f200422e017ce44dd8eb57d5585c5a081b4bc624fcf318c71a03f3c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
42eddcaa6128ca04792189bbdf6667dc

SHA1
17ab4e0184ce18ab4e5dd79aeafdef0753999bdf

SHA256
1bfe2eb6d00383cc12c1180a74749317aab80847b880a7a5a0154cc4155b5c59

SHA512
e5970ba1f9c1aeecd605f95c129c870bf08781e1ec6172f1d25f9374e11aee207d2b18b719638598d003598c0c017afef84b7f2eb420cfa1353d59d89564afe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
e7789945e929a1891111d3d81f39d2b1

SHA1
22ff8fc9dd3c9b0967cb6071e6f7cf1ff4da3aaf

SHA256
9ece509a2c0175a538970a23e88a06f0423e26dad7f94e2376565d511a27e44e

SHA512
24132148810345c63fbd0e40df09b324998ed808e0f93825cef359eb4e3883e262fb629a6c9114c8d915948bf3754698d984915787eb8a62033cf523e137e55e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe595318.TMP

Filesize
370B

MD5
140603e186272e29f99a8b9a082f18ae

SHA1
0806afcb880fbb1d783bc24c60c4b8c166ff7a50

SHA256
419d0101ed1f6aa0de8fec300369126b31aa3fe0c7fe6eabf406559326c5f5cf

SHA512
f272dc7019cf5e0352d9c58eaaa27fb1cedb34233f99b57e858a05d0d2ccea6f5af6381a72a9d9643476f8089d0ef399a5e474f5fba40168f9ce417ea993a588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9f321b6ca02b622bae7c1add7e06e259

SHA1
6f2f192e141fa567dea48714ff8426a596183a61

SHA256
738b73cdd8d952472b5574abe16823b5cc24be3c2f534f44189b44a5a757c921

SHA512
46ee0e613582a2159213ed2a0eeb07bbe5be0310ba6cb9c21ec5ab0c521b9ef57d2a19793b50d4fa47f31f209ccffee48de928ab746956aebc68d3e58e180394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1bdb990b0e7ce492a4679d699cc13771

SHA1
618b9b20a290047412acd71f69022bb9e28ce071

SHA256
aebe734fd2f89c3d252b11038477e64eaca364ad812479e138fecf684bf61d11

SHA512
0d325ea047eab81e51636bc8c16c269a4e1744846e46fb74c6492955acd76e74e9a8e4060f190afbc7cbe7f53f81117f11e28c1bf4d8a4e97ce936cf5b4fbde4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7194eeddc5e05fece3023b3e30b18154

SHA1
f7a345d997303f3e6e7c83c98b3a1a08cfb851e0

SHA256
dd873db2e9fabb75bf2aaa747d5674b758ff9615b21179ba19666b93f20b866c

SHA512
cd18645c1d19ecbb308e59d03895a5dd98261c7ef373dd819f05c2fe06be483396ff23351932417acf033d5936362376ff6310674b2ed92b584658735f6c278c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\r8x2vh5c56.jar

Filesize
2.2MB

MD5
8e48fc3bda0bc899ba7c38b5bd2ac165

SHA1
bff45691858d8278b55b46af99ab0b5890564e53

SHA256
648ca4f9c2964bea3e91685a32e0381c803d648cc358b39ae4071fd3be77fed6

SHA512
a807a35eee990b75d85417bdddc3aabbe1275319ccd982c08b7bd929eb175992b96d7728a4615885b1368c9693550968a899b2d308fc8a0c9c3b1420ad7bc5d0

Download Submit
memory/3788-392-0x000001B3930B0000-0x000001B3930B1000-memory.dmp

Filesize
4KB

Download
memory/3788-450-0x000001B3923E0000-0x000001B3923E1000-memory.dmp

Filesize
4KB

Download
memory/3788-474-0x000001B3923E0000-0x000001B3923E1000-memory.dmp

Filesize
4KB

Download
memory/3788-400-0x000001B3923E0000-0x000001B3923E1000-memory.dmp

Filesize
4KB

Download
memory/3788-425-0x000001B3923E0000-0x000001B3923E1000-memory.dmp

Filesize
4KB

Download
memory/3788-371-0x000001B3923E0000-0x000001B3923E1000-memory.dmp

Filesize
4KB

Download
memory/3788-353-0x000001B3923E0000-0x000001B3923E1000-memory.dmp

Filesize
4KB

Download
memory/3788-421-0x000001B3923E0000-0x000001B3923E1000-memory.dmp

Filesize
4KB

Download
memory/3788-415-0x000001B3923E0000-0x000001B3923E1000-memory.dmp

Filesize
4KB

Download
memory/4800-604-0x000001915C160000-0x000001915C161000-memory.dmp

Filesize
4KB

Download