Analysis

max time kernel: 480s
max time network: 484s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29-04-2024 19:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1 (Sample: http://Roblox.com, Resource: win10v2004-20240426-en)
Behavioral task: behavioral2 (Sample: http://Roblox.com, Resource: win11-20240419-en)
General

Target: http://Roblox.com

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)

| description       | ioc                                                                   | Process    |
|-------------------|-----------------------------------------------------------------------|------------|
| Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe |
Suspicious behavior: EnumeratesProcesses (12 IoCs)

| pid  | Process             |
|------|---------------------|
| 2576 | msedge.exe          |
| 2576 | msedge.exe          |
| 4624 | msedge.exe          |
| 4624 | msedge.exe          |
| 3488 | msedge.exe          |
| 3488 | msedge.exe          |
| 2412 | identity_helper.exe |
| 2412 | identity_helper.exe |
| 4032 | msedge.exe          |
| 4032 | msedge.exe          |
| 4032 | msedge.exe          |
| 4032 | msedge.exe          |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)

| pid  | Process    |
|------|------------|
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
Suspicious use of FindShellTrayWindow (25 IoCs)

| pid  | Process    |
|------|------------|
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
Suspicious use of SendNotifyMessage (12 IoCs)

| pid  | Process    |
|------|------------|
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
| 4624 | msedge.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Roblox.com
    PID: 4624
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff058b3cb8,0x7fff058b3cc8,0x7fff058b3cd8
        PID: 4628

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
        PID: 2936

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        PID: 2576
        - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        PID: 1768

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
        PID: 2272

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        PID: 2880

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
        PID: 3608

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
        PID: 3488
        - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
        PID: 2412
        - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        PID: 900

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
        PID: 1464

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
        PID: 2844

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
        PID: 4204

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,11560039362782797842,9602535253065025180,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5164 /prefetch:2
        PID: 4032
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4196

C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1476
Network
MITRE ATT&CK Enterprise v15
Downloads