hxxp://hi | Triage

Analysis

max time kernel
1681s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://hi

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1790404759-2178872477-2616469472-1000\{55E53D68-E447-4B57-9E32-204D98925DFD}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
5072	msedge.exe
5072	msedge.exe
4064	identity_helper.exe
4064	identity_helper.exe
3352	msedge.exe
4928	msedge.exe
4928	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4424	5072	msedge.exe	74
PID 5072 wrote to memory of 4424	5072	msedge.exe	74
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 112	5072	msedge.exe	85
PID 5072 wrote to memory of 4464	5072	msedge.exe	86
PID 5072 wrote to memory of 4464	5072	msedge.exe	86
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87
PID 5072 wrote to memory of 872	5072	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://hi
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdfd846f8,0x7ffbdfd84708,0x7ffbdfd84718
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7543226527122584121,18215350099325577145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3bde7b7b0c0c9c66bdd8e3f712bd71eb

SHA1
266bd462e249f029df05311255a15c8f42719acc

SHA256
2ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a

SHA512
5fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9cafa4c8eee7ab605ab279aafd19cc14

SHA1
e362e5d37d1a79e7b4a8642b068934e4571a55f1

SHA256
d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166

SHA512
eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
86KB

MD5
4923a7479f3522cbe9389d7a4862ac07

SHA1
1bc1eb916c29c8cb05f5e46deb5740b2c5e992ed

SHA256
6d83cc91996c474cc23c3a20d6cc27b91e34117d0e15277512711efb9a6080be

SHA512
3d0dda89630f837e20956edd8ec1a083c79f5934f10adfffb116dc499d3b78418929f5c557c395cd78ef58d8a23ed2ce3af302a549a9d2aabae333c3857c8cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
48KB

MD5
21af9bc981d404957c6344aaff4b3e28

SHA1
e5569bc0876884ded0d9594432cc261effc66d47

SHA256
e9515acb1b0c8f7c1008358ed424d6563cae681f0e87c53547d0cb7b9f51b051

SHA512
fb42427a114a3cb5739c30f6235c4fe3102876b2063772665c82ecce483955d357dead930e6da185f2b27fb0e72b9837ee272c3271efa5b7e80f98edf4cfaae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
40c4465e4216048bb95b5d6b9b2c31cf

SHA1
058d397f79e57e3320ccf93c374724b992debbb1

SHA256
99c31eb540176ad3f79df82d6a04ca2cd16be266e2520803a70e12011d40ee79

SHA512
90cfd5ea19c5b8180f0c1560a205f7458d11dc4fa3e553c13ec84a1d796da069ca657ec7f73617905b851a49bbf41579e866bc019645e7590311e7623dc73bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3388af1268701e1cf7179eb4a06abe87

SHA1
8ab3dc43c3db7101b98307f5649cf41cceb5e9e8

SHA256
99cf2052d8d6d5370b26825e351287568189554807dbeea0a697db02e3ceedb8

SHA512
c4c2e7a173ba71872376e552dc699747e53e93c5b077890f89aa5ac5c83ee381f0bb20effa9e9d8f226c3e9ce546a27bd9b8d38f3436f263914a2282b5941a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
936115fa8b0d269e4995eb22ac964f09

SHA1
6b0e6b54d9957b770fde4f01ad1250c412a07c3c

SHA256
b17c9b4d560fc928c0dbcbe00565248da770f482bbb6412b00e9d1588e971da3

SHA512
bffafd14c876c0fc1f9c396ec0b70b7ac12425938293ff8d539593a7b4b8e9c05f294bf1d98a762aa37fddd1a2ffb99a9c5658e331eaf6952c294710edeae922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c66a521dbae0c1203c6e7c571fafb1b2

SHA1
4721d8d8bb10820f48d23ebd9e2b1ead054de42e

SHA256
f673d7b120eea12099968a6eb0df4e77e436a88c9fe76103cf2917c58d3f07ab

SHA512
02077758e4d717098ebfd5b64ee2807c16b27f6803e844b3b3de9bd9684347090e102d9d051a230dc2257160df14941dc6c3d38e3a5082cab4c1d602ff05df88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4a9a7826944e4dc57ce941b76bb7f08

SHA1
e29ce84a2a9d363992cd20dc3c00d8c53eeafbdd

SHA256
472540fbc07122915500ed45416ab1440ffe4a10f279b5998035edc3c6b3ab77

SHA512
4a1d7ad4cf7b69ab69dd340ba02841ac8cbaae5ce096c78f3d200e58821805d913ab6b3ec6b73ce1e082f492e4cf34940d20715f0c98e5c80b3e41b1555b4917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a8c0c1d357b3b737bc8bca906484431

SHA1
2cf1bfc5c4cea7ad7eb412f8192d15086be4802d

SHA256
a0637a8752f42e98df71b13d7c6d43f118785dc38a1d84ef260326e227360ea1

SHA512
9dc4ba51e4ad91c5d59f40c0c28aecc3175de28290985ec6c223446374039c717286587fe64fd76feade6f54fc3ff60b9eba0699181240337bab3e4146b9264c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f936f4b0d5dfcd1a72b729f8ea740adb

SHA1
02c28c4342169c2e8e4493500a7729bbad081a7b

SHA256
97490c9f8ab736a5bf1483b469b9fef6bb2a9c6df3c00a9b4a210a71fc014456

SHA512
6c192318d1d18be64122ba6026d834e2cddbeaeb2fcdc83a6cb32f247d6786d5f0eb625b8f7185e112c417ee755474936439c99d7dfabf3196f229bf62f7ba91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8d0cb063b9b0a00f7057ba02ff868e3

SHA1
d1bb21bebe5da550b5f852bd80d81fc23e67867b

SHA256
a637497cedfc2063620f151b87ced501bc663df55b528ac08220d3ccabb2c59a

SHA512
d2f2ff6e07f89fd0d06246415b5b51b6beac5ed24c2cc0d4ef610ad86f299583113b1e07aaa2d2bec8d072c934123b25785a8fbf31bdb9a6e7789b20d4e7bcd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99f7a041571651c5672778dccc73b9fa

SHA1
5b99513e8d10902670e260634a626a1da9db4097

SHA256
96439b23b069fd91dc2918ca14e079b556e7a849031a3f39d84e91bd951c1120

SHA512
a4222a0ab97f38db7ed0ebf42b824fe64af96e76a64b0b5c5914bf0a98a483380e80e661474a8f125f1061f2ccaf7d390d8388a5529fc0c7649a6ccd794a23ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34d5032b65ee15e976dcf542ac5d42f2

SHA1
bce8b1fca065b3a3a70c8624414312f817f5832f

SHA256
030c9ec4b14d691282ca61667d925a8c859443a4a99557c7ab988e83cb9317a4

SHA512
abfddabad96b26d07dde2144006c3cdd687cb87c08dd4f0081437ff2f211700f54dad24dbf96d94e5e01669a7d943f8fe9d8355b9cf49878e91d5e9cd10204cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
541de52addb7831eb8087c98fd610de4

SHA1
4ebaebec376cca628c61b25d89f33b3ca08eb376

SHA256
07967e5fa7e808ca569877f2eea8114cb7d4195465c59c04471f34a3423b7b39

SHA512
13388958228daeed541695c9a6ebd3d75d13164a77f5f71c4e1f38a1df8f9b0359a547cf0149cbd20a95b6885be883aa0981edd28626d9b26077edf3f209bf0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7358461b412684d384808164c2067efe

SHA1
57de8321802cfc0c402e279544a43530d5005d54

SHA256
73367b607c702ae37ab276f47ff77a9c6d1e3166f9d206160e2251c45b75ff20

SHA512
1f70573658d274b2fc5e55e66e235eaf780ec1a62f8d48e672e28e7e4766b75e9fc9cc10870f3e3e1bee570a9acd44a54dd68cfa44a9003c220bbcccb04040e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
beb3b67dfc495e99a305b3fd1e4e14c1

SHA1
f24c22031a39067fba569ea1a71251074a4aa412

SHA256
00bdb01457a2a5324851ade772ece6c2a27e741f7bade0ad7bf5a232a84b9670

SHA512
7386c7dce0b9c5fe0719c63a910814f007dcde464530845fb0ac4c634dea14162cf8324501afaa6121592ca425bee8b4a0e981f8e28c54d8a31781b8550e2431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ec0106a9dd8535e7f363d684eaf3c45b

SHA1
26eb1e4776850eba0d96981e8a1ecfb36219a62a

SHA256
5efe4aa6c7b79c7fb791a7eeccbee011e30840a87c4ec2f46184cfb2ddc674ac

SHA512
0b8c6751a195e3c15fee28755a63181c52de12552de0d6e077acda59a669e06361d4e8e541fac38c6042ef02079f276373981efd950a42102be189d350e00d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0bca7da07ce8ffacfd9366a0331a8d4f

SHA1
5868fba25cb5feffe555f681c717ed1658e13fae

SHA256
292e6e9c28e3b34932d021fab53aee890bceb1fa9ee6459ea108626cd7f1d3f7

SHA512
990c9233e2bd4f49d756ef54091af85ed902d38cdcaae053865b04988b9b6324612ded39b0ae078d4e8ed651b03b1c1ee47331f952da47967c68cd14f329df73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
693d375ad9eeeee762244a8950d8cc24

SHA1
c8e5de24437b738581b03872d39feab89e7acb29

SHA256
cbe65378a4f36cf922203f6b03c3c3f6ba5b9cd3394f0a2fcb4d3cb8f91e6006

SHA512
19c6faa8a3f61f74e7d6b2fef952f4a458b76d87abc7207a6b20f72366d80033d34d101f8f58a396642a92d35d61968035df0829cc849b356d3bc6f22ff1c62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
99ba844d63fcbc31ca3ec1f67174c0cf

SHA1
ca71dd2b571456c3bf194900de90559528b5d6ae

SHA256
c883f358016ff1c51b134b1cb46da0c119483fb5b52a8feb14ae752337578b55

SHA512
79b5cabf6ecad8c3e1e2e32a3dfb4792deae108cc88655f44a03a4aaa6eb18d1775696754c0169c5be350ccf8307d6c69fb4f867c0b1aac8eda4cac446a35344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
81cc9030696783cdae164fa957f14ba7

SHA1
a0a32c97eb1e54cb4104b5e950e601fbd1f24d0c

SHA256
90c0ecf6249cfad0b45356954959e0016d9c535eb22df407955f9a854fb2ab02

SHA512
76b1f63b516b62920672cd6c7137fbacdb945fa2353164ee647634f6886846fb35ae4e885fb862ec32bfa98ba9382e2d4fcb1bbc87ab600896da0f5247cff350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e9e3.TMP

Filesize
1KB

MD5
85e5b390b85720f1e0602585ea8be7a9

SHA1
bca5bad550e8b628780845f972cc73f2a07b3ae2

SHA256
bfbcb0285e2f57984037d6d76c05ea1cda4e87010660d1de0f0a0ff888dab76f

SHA512
2f7064c82e9b6ab028aef196802854872b82a895b95bc867b5e03876269a1803581ac6ef34da0523c793cb96376fab8b38c29df27cfb19adceabf63acfc17d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f2168cd6-e52d-44a1-a211-275adfd5f0c8.tmp

Filesize
1KB

MD5
48874ef673723d40d10beb59ee3300f8

SHA1
b4c10b0dce1d53f6d160519ddb29a8b2da567ba7

SHA256
fabbb4a39aa6d0a58eb76140a7d9c74827b179d7ca8923069e7afb26657a5111

SHA512
71f54d5ef739a4e2908ce87db4fe5fb2d123000750438d6d8e7613835d32ef80cd80aadec12f002abc06e454f51bc90fd0e18574b137696845c4147e200741ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f9992d03fc1b0de2aa5315afce079b36

SHA1
3430d32d932be1e7e1f5d6db45f180ab7f10d256

SHA256
0dc42caede1903fc6ba9d71de202e64c02704f9a451ab32024387767b5167450

SHA512
131315c1a441236e34c137f2c59b19a4c596b4b1fc56f1c6d004957d8fe10e50f3858b8cbf80c48f1befb26a68f457e09028ae5dbea6ecb6cc96b696777249fa

Download Submit