hxxp://Roblox[.]com

Analysis

max time kernel
134s
max time network
143s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
21/02/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Roblox.com

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "56"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "21"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\roblox.com\NumberOfSubdoma = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6747fd4ecd64da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "77"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\roblox.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "21"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 706a5db4ff64da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 919f0c6acd64da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4f554e4fcd64da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "56"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\roblox.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "77"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.roblox.com\ = "110"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\roblox.com\Total = "77"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "13185"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1700	MicrosoftEdgeCP.exe
1700	MicrosoftEdgeCP.exe
1700	MicrosoftEdgeCP.exe
1700	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3028	MicrosoftEdge.exe
Token: SeDebugPrivilege	3028	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3028	MicrosoftEdge.exe
1700	MicrosoftEdgeCP.exe
1336	MicrosoftEdgeCP.exe
1700	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76
PID 1700 wrote to memory of 200	1700	MicrosoftEdgeCP.exe	76

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "http://Roblox.com"
1⤵
PID:2940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\P9YG1IF6\www.roblox[1].xml

Filesize
326B

MD5
0da93337ddc6b72292c6ca38e7105791

SHA1
754863fe7918b5b3bea7a2bb2cf17654b1d2ddbb

SHA256
5f208f2c0a590cad643179b9d08c179fd2e182920dcec2730d2ae11ded580aad

SHA512
f819a30bc86627b0d36a3988e865be719b72535df22904ca5ad946373714ca691c7836846c5112dfa6e4ade34bad601d9f188f9e0d742f9c24ab9ad92de4c165

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\P9YG1IF6\www.roblox[1].xml

Filesize
260B

MD5
a7b89bc73309f8bdd95999f48505831e

SHA1
203f504d09160d1978df16068e58ef98f2c658dd

SHA256
41d6bbf26ad25808d4cb127e0b9b96f08de53ec8e2173608d57e2421bf1b06b5

SHA512
14968b207ad6b2640a15c54f1cfc842dd7f156850b9ac1090475cd8229f35e4e91d34ac00fffc18081a27712ab2a171af9c6223cf616facab465126491d9dc72

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\P9YG1IF6\www.roblox[1].xml

Filesize
326B

MD5
bb2031a894fd084241b5b29db012bb09

SHA1
ddf3e3e69c3f3be33e3a8dc37ec0e845c0fbd100

SHA256
48fadde9d2a95c4e79255138ec3ad19e798bf57391bc00a87abd9b6361df9f70

SHA512
51522eef5d8d3d4f7094d301e754adf5d86b3a316efb0acd4406aa3b06e8901ce876f9fcd3b20b9ca9d53eb46ac16de01202ec8f626ab1104d749f61dfb59e47

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\P9YG1IF6\www.roblox[1].xml

Filesize
326B

MD5
32b7bbf490629bc07bf63feb443bd919

SHA1
609dc0cb4d1961d1febc949499a1b4bfa32e5fa9

SHA256
cc7b81bcabdd6daf84a19c72dc11a4bc298d9cecd2507533448b455e17f9388a

SHA512
2af2908ed59065085a35e94d8846bdd1c55d2927305bf47a1c03b9598d53d7e2f1f49611f1c507b8583ac3591acc8f44de29d3a4c02a0998e4ab45565dbbaf31

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\P9YG1IF6\www.roblox[1].xml

Filesize
95B

MD5
0b557c59166c85ba35b13ba3c62e9d41

SHA1
8da94fedb54e06d37bb8ffd356d2c0a6a4d4e9a7

SHA256
b4e614ecacbe09ce3812d5f3b3d014d682f84cce48649f18d9e913bf1fe7322b

SHA512
86be2629adf30cabd040b67890fd8722f8c6d555ebc6e646316d74130204e464dc3462ec4056034bde43482706128f8c6a905f6bb132191983cab463e80bbe1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\P9YG1IF6\www.roblox[1].xml

Filesize
209B

MD5
3ffbdbe22faaccb7c27445c4a8628722

SHA1
a9ab266a4ac401c6cd88c5c92cc918c1f413acd0

SHA256
256799feacb0b681393cfe2ad9aa823b57ed27f0c556b9959f27f836ce5e5471

SHA512
22e24cffe6ea1c0a0fcc80dbbb342328fe3dbde176c4f84682b1345d9c1fa5297c59fef654ab511b1a2caf7a85053a16e6926e8c97e2f6aaef114f5d725ae14e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\P9YG1IF6\www.roblox[1].xml

Filesize
326B

MD5
8600321a47a5cb3f01a4ef80f8a0c419

SHA1
83c0dae51cda0b26f6c4a637bc943c41f8a16284

SHA256
701be03312a98f9bb8ef442ff047dc04ad773185b82b2301f0576fe6ee245ce0

SHA512
685e30c88dc2b128be2d7a74f55dc446d0b3138e464b875de2fa2d1ad4e0833b6d0fcca38a6cfcb53ab237a03d0c410cedc5d407ea69682b210b6e898289e3ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\M2GJS0AN\7bba321f4d8328683d6e59487ce514eb[1].ico

Filesize
4KB

MD5
7bba321f4d8328683d6e59487ce514eb

SHA1
ae0edd3d76e39c564740b30e4fe605b4cd50ad48

SHA256
68984ffee2a03c1cdb6296fd383d64cc2c75e13471221a4bcb4d93fcfa8dab54

SHA512
ed6a932f8818d5340e2e2c09dcc61693e9f9032c7201e05a0ce21c6c521b4ac7dd9204affbbfffd3bcebbebe88337fbd32091eaa1e35469b861834f2523c800d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\P2S2D20O\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF54536A24B139ECA1.TMP

Filesize
16KB

MD5
ee5ad374be8baf708e94b654a89c3792

SHA1
b1865b84ded29facfcb6a7ea1dea0fea7a56a34b

SHA256
9a5a1d208decc8f73b5474fb72e804554cf855dccae03ff29c10f5c99fe21cd9

SHA512
02608640703cefca76b714a710abd4e93325e57825caf9b01e2841bfcca2350165c31bf127832530ffb2b4392e4a77e1d50219a5077f903ed83a2a0d9a74cfad

Download Submit
memory/200-985-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1013-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-603-0x00000181FE120000-0x00000181FE140000-memory.dmp

Filesize
128KB

Download
memory/200-415-0x00000181FD4E0000-0x00000181FD500000-memory.dmp

Filesize
128KB

Download
memory/200-680-0x00000181FEC20000-0x00000181FEC40000-memory.dmp

Filesize
128KB

Download
memory/200-409-0x00000181FE8D0000-0x00000181FE8F0000-memory.dmp

Filesize
128KB

Download
memory/200-712-0x0000017980200000-0x0000017980300000-memory.dmp

Filesize
1024KB

Download
memory/200-807-0x0000017981AD0000-0x0000017981AD2000-memory.dmp

Filesize
8KB

Download
memory/200-842-0x0000017981CB0000-0x0000017981CB2000-memory.dmp

Filesize
8KB

Download
memory/200-403-0x00000181FE180000-0x00000181FE1A0000-memory.dmp

Filesize
128KB

Download
memory/200-921-0x0000017981930000-0x0000017981932000-memory.dmp

Filesize
8KB

Download
memory/200-67-0x00000181EA5D0000-0x00000181EA5D2000-memory.dmp

Filesize
8KB

Download
memory/200-1000-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1004-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1009-0x0000017982490000-0x0000017982492000-memory.dmp

Filesize
8KB

Download
memory/200-1011-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1012-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-431-0x00000181FF340000-0x00000181FF440000-memory.dmp

Filesize
1024KB

Download
memory/200-1014-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1016-0x0000017982280000-0x0000017982282000-memory.dmp

Filesize
8KB

Download
memory/200-1017-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1020-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1018-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1021-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-1019-0x0000017982AC0000-0x0000017982AC2000-memory.dmp

Filesize
8KB

Download
memory/200-1015-0x00000181E9EF0000-0x00000181E9F00000-memory.dmp

Filesize
64KB

Download
memory/200-361-0x00000181FC800000-0x00000181FC820000-memory.dmp

Filesize
128KB

Download
memory/200-359-0x00000181FE520000-0x00000181FE522000-memory.dmp

Filesize
8KB

Download
memory/200-355-0x00000181FD200000-0x00000181FD220000-memory.dmp

Filesize
128KB

Download
memory/200-71-0x00000181FAB10000-0x00000181FAB12000-memory.dmp

Filesize
8KB

Download
memory/200-69-0x00000181EA5F0000-0x00000181EA5F2000-memory.dmp

Filesize
8KB

Download
memory/3028-0-0x0000022D5D420000-0x0000022D5D430000-memory.dmp

Filesize
64KB

Download
memory/3028-35-0x0000022D62560000-0x0000022D62562000-memory.dmp

Filesize
8KB

Download
memory/3028-16-0x0000022D5DC00000-0x0000022D5DC10000-memory.dmp

Filesize
64KB

Download