Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 15:11

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://link-target.net/1232779/roblox-c00lki dd-script
  Resource: win10v2004-20241007-en

General

Target: https://link-target.net/1232779/roblox-c00lki dd-script
Malware Config

Signatures
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  61    api.ipify.org
  81    api.ipify.org

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
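The two signatures above were matched from flow and registry events. As an added example (not the report's or the sandbox's own code), the Python below runs equivalent checks over constructed event lines that mirror the rows above. Every hit in this run is attributed to msedge.exe, the browser that opened the URL, and a browser reading the BIOS keys or a page calling api.ipify.org is ordinary behaviour, so the code carries the process name through and reports whether any hit came from something other than a browser. The extra lookup hosts, the HKLM alias table and the browser list are assumptions, not data from the page.

```python
"""Run the two signatures above over sandbox-style event lines.

Added example, not part of the report or of the sandbox that produced it.
SAMPLE_EVENTS is constructed to mirror the report's IoC rows (api.ipify.org
flows, BIOS registry reads by msedge.exe) plus a few invented lines; the
host list, hive aliases and browser list are assumptions.
"""
import re
from collections import defaultdict

# Public-IP lookup services. api.ipify.org is the host on the page; the rest
# are assumed additions. A match on a parent domain (ipify.org) also counts.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ipify.org", "icanhazip.com", "ifconfig.me",
    "checkip.amazonaws.com", "ip-api.com",
}

# Subtree whose values (SystemManufacturer, SystemProductName, ...) reveal the
# hardware or hypervisor. All three registry IoCs on the page live under it.
BIOS_KEY = "\\registry\\machine\\hardware\\description\\system\\bios"

# Hive spellings that should compare equal to the native \REGISTRY\MACHINE form.
HIVE_ALIASES = {
    "hklm": "\\registry\\machine",
    "hkey_local_machine": "\\registry\\machine",
}

# Browsers read BIOS values routinely; a hit from one of these is context,
# not evidence of a sandbox check on its own. Assumed list.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}

# "<operation> <path>" as in the report's description/ioc columns.
REG_OP = re.compile(r"(Key (?:opened|created|value queried))\s+(\S.*)", re.I)


def normalize_reg_path(path):
    """Lower-case a registry path and rewrite HKLM-style hives to the native form."""
    p = path.strip().lower().replace("/", "\\")
    for alias, native in HIVE_ALIASES.items():
        if p == alias or p.startswith(alias + "\\"):
            p = native + p[len(alias):]
    return p


def is_bios_key(path):
    """True for the BIOS key itself or anything beneath it."""
    p = normalize_reg_path(path)
    return p == BIOS_KEY or p.startswith(BIOS_KEY + "\\")


def is_ip_lookup_host(host):
    """True if the host, or any parent domain of it, is a known IP-lookup service."""
    labels = host.strip().lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in IP_LOOKUP_HOSTS for i in range(len(labels) - 1))


def match_events(lines):
    """Match 'kind<TAB>process<TAB>detail' lines against both signatures.

    kind is 'flow' (detail = destination host) or 'reg' (detail = operation
    and path). Returns {signature: [(process, ioc, from_browser), ...]}.
    """
    hits = defaultdict(list)
    for raw in lines:
        parts = raw.rstrip("\r\n").split("\t", 2)
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort the run
        kind, proc, detail = parts
        from_browser = proc.lower() in BROWSERS
        if kind == "flow" and is_ip_lookup_host(detail):
            hits["Looks up external IP address via web service"].append(
                (proc, detail, from_browser))
        elif kind == "reg":
            m = REG_OP.match(detail)
            if m and is_bios_key(m.group(2)):
                hits["Enumerates system info in registry"].append(
                    (proc, m.group(2), from_browser))
    return dict(hits)


def summarize(hits):
    """Per signature: (IoC count, True if any hit came from a non-browser process)."""
    return {name: (len(rows), any(not b for _, _, b in rows))
            for name, rows in hits.items()}


# Constructed events. The first five mirror the report's rows; the rest are
# invented negatives plus one non-browser BIOS read to show the context flag.
SAMPLE_EVENTS = [
    "flow\tmsedge.exe\tapi.ipify.org",
    "flow\tmsedge.exe\tapi.ipify.org",
    "reg\tmsedge.exe\tKey value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName",
    "reg\tmsedge.exe\tKey opened \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS",
    "reg\tmsedge.exe\tKey value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer",
    "flow\tmsedge.exe\tlink-target.net",
    "reg\tmsedge.exe\tKey created \\REGISTRY\\MACHINE\\Software\\Classes\\Local Settings",
    "reg\tupdater.exe\tKey value queried HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName",
]

if __name__ == "__main__":
    for name, (count, non_browser) in summarize(match_events(SAMPLE_EVENTS)).items():
        print(f"{name}: {count} IoCs, non-browser source: {non_browser}")
```

On the report's own rows the second value of each summary entry is False, because every IoC belongs to msedge.exe; the invented updater.exe line is what flips it to True for the registry signature.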
Modifies registry class (1 IoC)
  description  ioc                                                                                                                                                                                                 Process
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{ED295B27-5205-49B2-9717-EC2987D146D0}  msedge.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  2552  msedge.exe (2 events)
  4320  msedge.exe (2 events)
  1492  msedge.exe (2 events)
  1228  identity_helper.exe (2 events)
  232   msedge.exe (4 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid   Process
  4320  msedge.exe (all 10 events)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  4320  msedge.exe (all 25 events)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  4320  msedge.exe (all 24 events)

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 rows have PID 4320 (msedge.exe) as the writer; the distinct writer/target pairs, each repeated many times in the original listing, are:
  description                       pid   Process     procid_target
  PID 4320 wrote to memory of 4000  4320  msedge.exe  83
  PID 4320 wrote to memory of 264   4320  msedge.exe  84
  PID 4320 wrote to memory of 2552  4320  msedge.exe  85
  PID 4320 wrote to memory of 3684  4320  msedge.exe  86
Processes

msedge.exe  PID:4320
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://link-target.net/1232779/roblox-c00lki dd-script
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  msedge.exe  PID:4000
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb596c46f8,0x7ffb596c4708,0x7ffb596c4718

  msedge.exe  PID:264
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

  msedge.exe  PID:2552
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe  PID:3684
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

  msedge.exe  PID:2248
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

  msedge.exe  PID:3848
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

  msedge.exe  PID:3936
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

  msedge.exe  PID:968
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1

  msedge.exe  PID:628
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5296 /prefetch:8

  msedge.exe  PID:1492
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5420 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe  PID:4964
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

  msedge.exe  PID:1152
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1

  identity_helper.exe  PID:2804
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8

  identity_helper.exe  PID:1228
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe  PID:3440
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

  msedge.exe  PID:2648
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

  msedge.exe  PID:1016
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

  msedge.exe  PID:2420
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

  msedge.exe  PID:232
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1360,12074620476578120364,4195289624686977271,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2752 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

CompPkgSrv.exe  PID:4928
  C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe  PID:3544
  C:\Windows\System32\CompPkgSrv.exe -Embedding
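Every WriteProcessMemory row in the Signatures section has the browser process 4320 as the writer, and its four targets (4000 crashpad handler, 264 GPU process, 2552 network service, 3684 storage service) are all direct children of 4320 in the tree above. That is consistent with a Chromium browser process setting up children it has just spawned (the sandbox broker writes startup data into each new target before it runs); the write that would matter is one into a process the writer did not spawn. As an added example, not code from the report or the sandbox, the Python below rebuilds the tree from the process list above and classifies each write by the relationship between writer and target. The write into CompPkgSrv.exe is invented to show the foreign case, and the tree is reduced to the switches the check needs.

```python
"""Triage the WriteProcessMemory rows against the process tree above.

Added example, not part of the report or the sandbox. PROCESSES is the
report's tree reduced to pid, parent pid, image and the command-line switches
that matter; WRITES lists the distinct writer/target pairs from the report
(repeated many times there) plus one invented write into CompPkgSrv.exe,
which is not an Edge descendant, to show how a foreign write is flagged.
"""
import re
from collections import Counter

# (pid, parent pid, image, command-line switches). Parent links follow the
# report: every Edge child hangs directly off the browser process 4320, and
# CompPkgSrv.exe is a separate top-level process.
PROCESSES = [
    (4320, None, "msedge.exe", "--start-maximized --single-argument https://link-target.net/1232779/roblox-c00lki dd-script"),
    (4000, 4320, "msedge.exe", "--type=crashpad-handler"),
    (264, 4320, "msedge.exe", "--type=gpu-process"),
    (2552, 4320, "msedge.exe", "--type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none"),
    (3684, 4320, "msedge.exe", "--type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility"),
    (2248, 4320, "msedge.exe", "--type=renderer --renderer-client-id=6"),
    (1492, 4320, "msedge.exe", "--type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --service-sandbox-type=video_capture"),
    (1228, 4320, "identity_helper.exe", "--type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none"),
    (232, 4320, "msedge.exe", "--type=gpu-process --disable-gpu-sandbox --use-gl=disabled"),
    (4928, None, "CompPkgSrv.exe", "-Embedding"),
]

# (writer pid, target pid). The first four pairs are the report's; the
# 4320 -> 4928 pair is constructed.
WRITES = [(4320, 4000), (4320, 264), (4320, 2552), (4320, 3684), (4320, 4928)]

# Images whose command line follows Chromium's --type convention.
CHROMIUM_IMAGES = {"msedge.exe", "identity_helper.exe"}


def build_tree(processes):
    """pid -> (parent pid, image, command line)."""
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in processes}


def chromium_role(cmd):
    """Role a Chromium process announces via --type ('browser' when absent)."""
    m = re.search(r"--type=(\S+)", cmd)
    if not m:
        return "browser"
    sub = re.search(r"--utility-sub-type=(\S+)", cmd)
    return f"{m.group(1)}:{sub.group(1)}" if sub else m.group(1)


def ancestors(tree, pid):
    """Parent, grandparent, ... of pid, stopping at a root or unknown process."""
    chain = []
    ppid = tree[pid][0] if pid in tree else None
    while ppid is not None and ppid not in chain:  # guard against cyclic data
        chain.append(ppid)
        ppid = tree[ppid][0] if ppid in tree else None
    return chain


def classify_write(tree, writer, target):
    """Relationship of the write target to the writer.

    own-child / descendant is what a Chromium browser process does when it
    launches children; foreign (neither side an ancestor of the other) is
    the shape of process injection and deserves a closer look.
    """
    if writer == target:
        return "self"
    if target not in tree or writer not in tree:
        return "unknown"
    if tree[target][0] == writer:
        return "own-child"
    if writer in ancestors(tree, target):
        return "descendant"
    if target in ancestors(tree, writer):
        return "ancestor"
    return "foreign"


def triage_writes(tree, writes):
    """One row per write: (writer, target, target image, target role, class)."""
    rows = []
    for writer, target in writes:
        ppid, image, cmd = tree.get(target, (None, "?", ""))
        role = chromium_role(cmd) if image in CHROMIUM_IMAGES else "-"
        rows.append((writer, target, image, role, classify_write(tree, writer, target)))
    return rows


def foreign_writes(tree, writes):
    """Just the writer/target pairs that cross process families."""
    return [(w, t) for w, t in writes if classify_write(tree, w, t) == "foreign"]


def unsandboxed_children(tree, parent):
    """Children of `parent` running with the service or GPU sandbox switched off."""
    return sorted(pid for pid, (ppid, _, cmd) in tree.items()
                  if ppid == parent
                  and ("--service-sandbox-type=none" in cmd or "--disable-gpu-sandbox" in cmd))


if __name__ == "__main__":
    tree = build_tree(PROCESSES)
    for row in triage_writes(tree, WRITES):
        print("%d -> %d %-20s %-45s %s" % row)
    print("foreign:", foreign_writes(tree, WRITES))
    print("unsandboxed children of 4320:", unsandboxed_children(tree, 4320))
    print(Counter(r[-1] for r in triage_writes(tree, WRITES)))
```

On the report's four real pairs every row comes out as own-child; only the constructed CompPkgSrv.exe write is reported as foreign. The unsandboxed_children check is a side observation from the same tree: the network service, identity_helper.exe and the second GPU process run with their sandbox disabled, which is the configuration shown in the command lines above rather than anything this page attributes to the sample.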
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
  MD5:    bffcefacce25cd03f3d5c9446ddb903d
  SHA1:   8923f84aa86db316d2f5c122fe3874bbe26f3bab
  SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
  SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Filesize: 152B
  MD5:    d22073dea53e79d9b824f27ac5e9813e
  SHA1:   6d8a7281241248431a1571e6ddc55798b01fa961
  SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
  SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 720B
  MD5:    723efcb2e4aca7dc257e8dba1807c93e
  SHA1:   a9c47f9c851ce35e43f896e46f751a4fa43ff5ff
  SHA256: beb6b39f212378471d63dcef01cb0a7a431424ad5fb8fc741774682085cbf8b2
  SHA512: 4cca2c1c4805bfb48e2de8851e4f49f7221bac510c70767ba727188b7565525d7ec88d92045e5024037503130f91e944c553f42353b17e518cc59896861d7aee

Filesize: 3KB
  MD5:    5ee1673d67bc00391a3cb64e28cbac86
  SHA1:   be470d5c2c198e99cc87ce2cb69513d79f13c780
  SHA256: 9144105cd6221f1235f703b01089fe3d605c054d135d4a20d92bb07e6e8f69d7
  SHA512: e5b96902be6e4e6caff05bc8551197bd1a2494fcd459be77aa4a3363667372aaabd464c1ef4c34c9c3c698242bbf390f88e35e05d8d506cfde0bce16341a459a

Filesize: 7KB
  MD5:    b2cd57a61a791e75743a71f3d244b497
  SHA1:   df40f208cfcbe6ae5b36e9662a6b3d10ec6b5fb1
  SHA256: cf96da5c2e089f49fb2fd218e8be6052778707af737d5aab176c84d4effa1d5e
  SHA512: a4b96d0a6a2f5f085ce876f411226fd7e6f9d41bd666b799cd645a0c6a35226a91bbf5997a0cdcedefa2651ca0e35aadaea5478d502fe7304eca7700efde2ebd

Filesize: 5KB
  MD5:    b203126033fe61b1b1167be6b95d5184
  SHA1:   0dd58b84689129f5913607c4068eec446706ad37
  SHA256: 440b291226978851dd2e6214812f8abe941a58a33edba48da7047885e8b2a907
  SHA512: 5c65f6c7293735109dd63b9d4f4cb86c2924cdba329157730ef30abd965c94de5fdd10b9688cf7df43f6e476bc0bc10e912ba0bf9afc68236e954dfaa301c171

Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
  MD5:    974eaa1a44e8f51092be3566d25a38fe
  SHA1:   b3740bdf148ded4230db4506d5377217eae52f1c
  SHA256: 5bad2b8aec3a49292229d5f6cd9b62e9de8b8dc19e71af43621da4389911c46f
  SHA512: d2007a4d610eadb6dbee93952061277aa1f110ff4926216f92a4dd4a0b198c98b0b5b361d67c30ed7af13caf77978395dfa3f5dd8112406f500bb8035ec2019d