hxxps://www[.]roblox[.]com/users/3904137565/profile

Analysis

max time kernel
53s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.roblox.com/users/3904137565/profile

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
4384	msedge.exe
4384	msedge.exe
2044	identity_helper.exe
2044	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4872	4384	msedge.exe	83
PID 4384 wrote to memory of 4872	4384	msedge.exe	83
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 216	4384	msedge.exe	84
PID 4384 wrote to memory of 3544	4384	msedge.exe	85
PID 4384 wrote to memory of 3544	4384	msedge.exe	85
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86
PID 4384 wrote to memory of 892	4384	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.roblox.com/users/3904137565/profile
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff094d46f8,0x7fff094d4708,0x7fff094d4718
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3652886663770135762,6547624037109561378,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:3320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
79f00fc69030132d30e8797f1bd2e4b9

SHA1
c84f14f4a14d87e4b837cc9f569b4c199664a4cb

SHA256
67c999251206d4a0ffa98d2dda8a4e251d994d3503bd3da30c4886155c1cc3c7

SHA512
750e404737d08b351ff14dba27dbf84b727fd3f239af5688bf6e7b21d0356ffb482fa3933a95d6d8a71b069110a118eb23943b8b932779d4f70edda3b23897b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8c6293fc0a77d9548b9048d828f50e0

SHA1
3f230b77296c804aa2bd6f3b056cd15162190d8d

SHA256
ec166dd8078c6ad3020af998980ad222e87c2733e8528059f793dc0fcb7d3060

SHA512
ff7a966e4d6c8248306a32b3961835e851ee21cdf4d92cec04909ae1ad93af7a5cd42706867d993c34235ce95abfc984c809dcc7029a46f40f0550217f12e736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
290339e80028ba1a97fae0e1f9777b02

SHA1
21e7da4b0c5cdd0e75801c35ca27cff698ed5639

SHA256
5cab647770695de5b83040388522f5bfbde5601fdab28879dd89c0aaffaf66d8

SHA512
efb5a77068a42acb94c8b319a6b78a7cc4832ee2af7319b7f0d36df8b40efc40ef05747488bf2249639212ac3582572502c909dec33540b39eb916a1ebc453a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5af47b080f3ba9a41e5119336a8b9139

SHA1
10fd41ffc039aa94bd6312bdb9f6c08ae8572560

SHA256
b74fd9e823f2bf961797eb1c6d9f97b9ec3872a20f12397f1ceb790d02fb6f47

SHA512
4bc39bf009f120ef28cecc77e102cc2dd9efff2c5d736335b9e518b7b2c2f0cf6d377001a27c3c451a5d55d55cd692a6254172a30d71c7d92e7cbf9570142627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0d73bd5bd6f1b00bb12d104a2dff505

SHA1
e0088c297b0f88578186f3b63a0d445e70de4663

SHA256
6ffc38897f936a98d2fb82cccdce680cd77a917f5b5b4fe7e7ed25d262923944

SHA512
1613314353c735190be942c5e235ceef22124a7749a26c2389afecea91a319cff83ead0d0d3ab3b98555b1a827b86c2e3835c5b795a3f2b37844cbe26719a527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
80982fbeef09e5e02d76d1caf6063590

SHA1
8f6bceb48884b54e68fc8d57d50e628a409141f2

SHA256
d82bacad48e2ffa990087ff4d4d78da882f34cfdb32d35cf231c32958b1e2806

SHA512
719acc72c7bf8ca97dc7be128b68b7ce834993f7b67141fd8dedaabccaff6716f5a811e0afd5135c3cd17c346e70c52bb82065fceaa77b0f8f10473f5d3bb2c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c324a1feb458788eb3a4600d321b6403

SHA1
e42f310bdc07f4c409330e938fdbf7145c0da686

SHA256
a66ec7c228e26e40a75b908050b127f84a9cfad721e9c11bc89c714291371072

SHA512
506acb1d744c6b1fc46065ca4ff70f3efcbefe74ac3235e07103d11032bb9e0c4ad281615063795b34645b22652ad56e2d2681464e5557984063009e0a698545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
19bcd28a622bae8e6d2c82c501e534cd

SHA1
51f1e1e13031d9fef71f0b8a527afa3bee067578

SHA256
aa85e95d10bb373514ff0bb2d0171405fa5b71ec00e3dbaf60bf701721f7d462

SHA512
7cf6186f5aa23e9659316514d80071dd672ef51aaae99971e95d4aca24f3453be8965889b078bce930e5ef91edc9b21248ad84f241f231c44be679c13262dc45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5807bb.TMP

Filesize
3KB

MD5
62f684690903a710d5b67a4f7ecada22

SHA1
6f476f7c7791fd5415b1a00094137c023cbfb917

SHA256
aaeca5c64ecfa49951374190d9e76546fc7ecec27934836a0f9510d9235c9f0c

SHA512
f6e87091d448fab2a10d42e505a7517a72b3d3db80021b8b87893207dda54c2c020789684da9ccd445845691890d997f803a1ac3f52de2097e03a6d8e3750ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
53ebe7a0366e7d0f8e03caf05ffed91b

SHA1
a033c2eca3748f80f462868e61ef243c67093891

SHA256
dd26c42e4b0448ba748828bface0ef3ca61480c07fa3fe9d390821672e7718ea

SHA512
0805b1a62759a28f2b10878b4c4ed294bff5fe737b09bdf93ebab179cfdcd394153802a00ae01fbd11fb58eba3bfb563b974e71a1c6eaa695fcfa003bc27111c

Download Submit