dc266b9e3211edf40e181375dba003b41ffd4ce4233eceef31eb830817c40a71

Resubmissions

02-02-2024 00:26

240202-armxpsbhcm 3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Screenshot 2024-01-31 6.33.12 PM.png
Size

298KB
MD5

50b568064f231c4ca5a5e3c03a356143
SHA1

dcb4428d6210c076c3acf534bea68f36e2b16a11
SHA256

dc266b9e3211edf40e181375dba003b41ffd4ce4233eceef31eb830817c40a71
SHA512

7bef0182f7d140688a8de85a55941196d27201d98b89a8a1a883875ea0a7612c04a7c2327482b5ac951bd7225a9e2522f588c00bb7b5f4ee2c4fdebe5d0a81d5
SSDEEP

6144:XGcLdLaKjTj0saNuBkrc6UuZa2f74wrwlmcnKkE3m:Xj5LBTj3kquZZ7B07KHm

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1676	msedge.exe
1676	msedge.exe
1784	msedge.exe
1784	msedge.exe
916	identity_helper.exe
916	identity_helper.exe
880	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
4044	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 4840	1784	msedge.exe	96
PID 1784 wrote to memory of 4840	1784	msedge.exe	96
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1504	1784	msedge.exe	98
PID 1784 wrote to memory of 1676	1784	msedge.exe	97
PID 1784 wrote to memory of 1676	1784	msedge.exe	97
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99
PID 1784 wrote to memory of 1632	1784	msedge.exe	99

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-01-31 6.33.12 PM.png"
1⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8361b46f8,0x7ff8361b4708,0x7ff8361b4718
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2064,2522490734678666694,11500907567072863971,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
86KB

MD5
1a1c9f8ab327c5a9a6d7f55331386c77

SHA1
7f2f8644c66b3d1a3288c45461d4676867cff10e

SHA256
a4442b88334edd5827319792a0a61c62311c923949ebc1eccc364dd117654368

SHA512
a737362747180fbadb32c6f596fbb347a6989107d655795afdecb7863c0bdd0a11c2c7405b1538422624437af5ff22b83b829f6bf1b7bf7019033a2a330554b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
49KB

MD5
950948bdc28159adeae2d735e720f9ce

SHA1
456af20c06403a131bdadabfb5a0cdf0e6e8ba5f

SHA256
608b2d937c5ecd145d356de16f0851f3f782e39494dda6704831752a1f326b85

SHA512
f0d5bc4a2a5bca890c476027ce48b0a6480ec6ac650aed4f3e72d47001307b6f2d2e7880635e09abbbefdb4211abeea658cf9adba099791b5f7c63267d0580e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cf3c1da8f570dc8fb97cdf6c52d06a94

SHA1
12403a3665470f330d4c85f7148930bb3d4c8b2c

SHA256
28cd1c901c21336ec9f4902059aeb1d9d11cb41c79f4c3c8f82ad3d3e18e3ce8

SHA512
07f2ec16c72e2bba9fd5d7ba17a85c986ea76c5edd4fdbd62be6eb0da676582786aede0c17f6f9ee4500e06ebfc8c663120a5022f1fd186c9eaa1167240f041d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
80d1f5e8f3f1925a2eed121705feac64

SHA1
3211ce2db891e89c906865f81e86186fe172d128

SHA256
47a0b44154d88d5c9d47ff5cf738daaf4e6ee6bf5a32e980daf79e265e298630

SHA512
1cb9e9bfe3b2b2d8313fefba841183cd4f8468106a6c551660edc887f4da66e71abb5b467f7c90cebe346687bdb88a914b5eed6101811627bbdb89ae4c6894b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
916B

MD5
ff892aefb397d55d6529fb931f81bdc2

SHA1
40e569c4a3be843f093b2e89abfbf3a8cbe597a5

SHA256
57283123fdc24752caf384aaaee609f70952c31a939f7eaa3e05762789cbedb7

SHA512
b853d2bf1e34f364c4253c0c2d71484df467761a57a53642ff947cc51e8659156d3d3a2a8c927e1b249060dae5e0a6485931651a34a7d2577b456a377122ea10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f2f233fdc6025bdd36cbe6889ab987e

SHA1
a9e26930f0ec3080afbf985117b8345572577c4f

SHA256
78523800d9319a1ef48b3547227a3dd22857be15eeb200c8ea85fed6c1a1ceea

SHA512
12f1ce9930d6bc1d7c3a3404edcc0d705531e9a4baf48d595f480a865ad7a1f4364392fe5fe36916b5407c359bc8b5737f10255fdc2331f9abe1c84dbfa6516b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d3f46d53d4c290291e891f916a07bbd

SHA1
f42f57eb8b7298fe804b2e8975fe6678906feaff

SHA256
580813cefd339c2436ce21a2531666c753450c669ab8fc8a36db91fd4a55fd32

SHA512
1472f47af97f0938d02895425980449c6359353dba0d65ed50d3956a0189f8b128cc4b8d70017fe916bd7d8aad065ae0e0d652debf3648ea628d0b5d1491c4a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8c259fdc73b8066f9d39dc65e6f6fe52

SHA1
af437f53eb26b26642ada7d4d9e67d25afa3a78b

SHA256
5e1286a8cf7590fd66e8713dd7091b515f01e7f2b7b8b24f06a914c48c25bc51

SHA512
8565483732a8a164607512905369afdee82f034e3db267bcb2f4357a93836b134a17c90fef1006d4e715f06513e9b6863d79e0cd6168b30e46faf8a53a707775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8fd4ec9d535aca116e64d9d254b7335b

SHA1
59fbddb4695115a5918121ede58476e75e580995

SHA256
d68a787561fc1a7a4b168a2d8f8e5f190e3e78c553d718d1ec9434aba867e421

SHA512
74895a32a876327f096ade82af30e1e324bd9acf484d75ed74df681acfd5af0e0e8253239bb54667882a2e65243d32dc4903481995824ee18bfc92db325e8f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb296dfc5d5ac8860ac1e3692b9d8f40

SHA1
eda3839f142a4adc7fd6941d93e98d66167b899e

SHA256
0454927ac0ba1bb01bb2593e00dd51294d2752226352b2dd039ba8418a86e54b

SHA512
90dfab2bdd393004f493444b4f32bf67508a4d5526c4c01343f2a4ed199b7c6e1063710095d50f2a6608b82a1c22953c215395fcd3d891ec13aafb8309736406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82ecf4d3581ead631e18fa138e9cdb02

SHA1
d2a1106ba66124a500fc878caee0001bdcf5ab07

SHA256
85fa62cd83b713fdb1b190371d8df455c3b50e5e5d54ca4e6853451f6ef60406

SHA512
45406598e73c36166764c63c9e100db1f35cc4784b4d81e013ff4417879a50fbcd66a588f4cc1da036d261465eb78223254c34a86f284b5fa7172d8125f8b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4bd7560fc564761f38c6985fed265db4

SHA1
5273cdf55b3ab8594941c2d34d1903b0fb94de5f

SHA256
fdb3f61d1ab8154c14588f9a66341a0c6c4d953c8f0137ad0437284e0c5b9716

SHA512
2482742dd24cbc0e9b72ee9355c3ccbe300c48757622583f5b0c39bb5e4b0dad274466efa9f4088c775f32cfe191f18064c0b2c261b3e0d400b415659bdc26ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
612581cc817449a420cd4431f3791d02

SHA1
ebcdb60ba4837b0cad885cafa7a2bfb06431a6d4

SHA256
f73a13072251df467663d798226577aced50381773d4d3e190b72aeb05ca56c8

SHA512
9eb9d6a26a5372aa96d1249000fab15e2a131bdd88c5d94bd9f4e25b96881bdaf46a01eee2deb97545389078bd84fe0c232d9f294e52a09be3c9c0206349a8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ae7c4e223cf9a320e1fb27b93d7173c

SHA1
280b1e473042e7f7f50256a45b7df0b3c8f18829

SHA256
50af170e36220d4cda34ee4e6dc30d90417027895078d5c85de61bd4c4af33a6

SHA512
e9c4ea9ab0eb771f49740cf75f20bf036d0525953fd00d9c49e2116da656d1f0b41e2c4fb4f6c2319ed0d431ce19e1b01ae89b4269329fd24f5bb72a41fbe1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8084cb4c29a7766b2ff98051b37aefb3

SHA1
b6dcf2cca7518bd846bb34d3683134ba0d7eec34

SHA256
52222c1cc23d46ba082afff8b4af660f29cc52671b1685ad98f10bc8cdcb15b5

SHA512
bea802d29aeccb268fb35afe07a914c9dc26ce2862b6b8a37207a26d1be7a145debda13bab50bfc260ae518ab163bc191771524445ecd6c1208b32d21f535ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b77448a654aaf1370a4ac5a6a0c3a344

SHA1
c99226c386d76f70005712646e0ab20a924e6111

SHA256
1406f019f45613ddb3c9ec125625716b44f9d26d9a4d34dfe28516b6c4333d84

SHA512
456680016aae4dc6c728f58c02d9152efdfc8c90cfa84c6ec377859c0f8fefc4f40dd6eeae9132fd04e59b9e75b867289749ffa01f74030a803abf6b440cfbdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0bb1d705de265642d4fbcb63c0f8d5e6

SHA1
a2e85ec5789b8840a09d10849ccc2972fe850a73

SHA256
68b7ed68e1bf1f03341d3e59154ab7e51ad76e5ddb5cc45b465fbf55c08953c0

SHA512
cb421c4e535f3f0a80dc10f1044d9ef00cb2f0a0718cadb2562fc26723903e1fc6ebcb027b857af82c7fa9233a51898129ebcb6aec668fb3965a9a3023ee6bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6ff4643aceaf0f02df7005a22f0b4eac

SHA1
af08778875fb9c36d12d4c800cfe3c676c5beb06

SHA256
76cf8c9078da375b9afde8b528a743239e40de8c0cad2dcd237028c50b596ba6

SHA512
43f6c671e066515370ce33ad40fc942a5930df0ddec34c5a08eb5c4afecdc8a2c58144d35a634504e3c32fbfbac2820be2e64436742d8b51dd52a0f6df8ef8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
91ee729fbfecbff0927e1d2deaabf05d

SHA1
6ecad2b3a652e1f7dcf4dc253dfb9e19d9f8300a

SHA256
84da228b7d1658859c98a8cf252abeb97409a92998f1770c52879b771569da96

SHA512
fb5601fa0de78b76cba93c4be87692db1a247dc6ec3767b7cb256a6d4dc69a5de8f94af296d4870611b17c6ac6dfc49c45d75818b7aa97a2ad0ed926bcd88f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c831fc28947ee9549486ae54d5498c4c

SHA1
4fea2e66eb3aa08473b0e7885930520cf6b74f31

SHA256
32c8b2bd92841cd9ad806ba707d2fb8f7515a01d94a76fb2ae58dbc229d40d66

SHA512
31d881c4de62c6b5f3fa84a21e367e8fa1e8164c8235d8ee63e9267588f03a367da3a1655854ca28556c51adbd00bf56cbd84df1cc82d1faa74e938942ce77e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c9e7.TMP

Filesize
1KB

MD5
05bfab3da0707befaa0012609c0a0882

SHA1
860f7c99d09ec8e53c0280dd5996399df83f8762

SHA256
e7f48e33121fea0331ae1f591c83c4208dbb91310faf15139b0f02ec2604b2a6

SHA512
636c6835c1f96d5cf5b4f8eb8f788d195b284c2973016e35c2a209c206b0e925fd31b71470b8530583c71149dc6cca5b8f21c52d7af7fc4dda615d6378015744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f3b319caf7e5dc753e13d033e294b0a8

SHA1
6b469ed2345025f3ef275e040672ce1f2aa62afc

SHA256
0d611a61004f71dad9ca47bdabae7de1f0bc033a8687f07ae0e92814fc05a358

SHA512
01bc2a0b346cdce9754d0593e7ffdd542f15906024b69d965148e20100a563a0360f72162e0cc3dcbe84fb9256ed5324195eb7862f162d4dac9b82ed8e8d4ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit