hxxps://github[.]com/Chrisaacosta/Solara-Executor

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Chrisaacosta/Solara-Executor

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

34 camo.githubusercontent.com
35 camo.githubusercontent.com
36 camo.githubusercontent.com

flow	ioc
34	camo.githubusercontent.com
35	camo.githubusercontent.com
36	camo.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{33FD803E-42B5-4FC4-ABD8-98800CD012FD}	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
5112	msedge.exe
5112	msedge.exe
1960	msedge.exe
1960	msedge.exe
4460	identity_helper.exe
4460	identity_helper.exe
5484	msedge.exe
5484	msedge.exe
5568	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe
5200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1960 wrote to memory of 2876	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2876	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 1892	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 5112	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 5112	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe
PID 1960 wrote to memory of 2536	1960	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Chrisaacosta/Solara-Executor
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7c1346f8,0x7ffa7c134708,0x7ffa7c134718
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,9387808272280485389,8226336683418689790,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6340 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8233c743-ab3c-4820-b7b3-7740a6fb4163.tmp

Filesize
3KB

MD5
b37e165a44a1a5640243ba4c573a5494

SHA1
777754bcac1d61e19a267d4ef74f7ea944859418

SHA256
a44a07a176540ecb33944ab29a2c645efdbe48a5e2102feea03dbf3c6e64fbf7

SHA512
3d25d86503a4adf5a8406f8b3a4f89d8c5c583d71bddffd059fa8e69aabd70105a83b046dbd2116b52b02349c67eef9fb5a43b61278c9da98cfd14e5b7561455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\87a33878-cfd2-435f-96a4-7794992a00a5.tmp

Filesize
6KB

MD5
8ac22e44c51935610566e9a1d514c2d7

SHA1
3db4ea94da843aff49607be25ebf4b4434412ab3

SHA256
9cca7ce271ff7db2e1370a35314b3923473608960b1c013ddb0cb631ce92b46e

SHA512
cefeaab6f9b190ed93bfa7f2623ee86b63f292f051e7fe8ef67223a1ddb9a21565f1dbf964328a80fc2fb54bafddef6e7101bdc0fcb2ce4c415e5326100ca63d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
87KB

MD5
188a3a1abe1f909755907a8243c637be

SHA1
dd72881d55ffb182bf41afd22ecaa44ab5d23ede

SHA256
1f457f25cd55369f8b4c1b9686b25adb8a93f94acb9cc3f59c9ca4d912033d1d

SHA512
a9d2165fc4215466bf328a3128472f0de213789c54cd5e1a98e2c65b7bc84e7c7529cfb1439f1e759ead55ee6c6688d3d92cf2cf82bad3c84106ca76935a75f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
48KB

MD5
793b639f0483074bf878fcf19c131678

SHA1
b1a2ef0fd4d7944a9519e54e3201a05c62c90415

SHA256
b214fce2614aec5046a24ad48e5023ae8d29fda0d8c510f6dfa116f684566869

SHA512
1aa25f77f1075f79f9d188ee9bb4a5569db406f2cbde550c7eb6c3377d3bbea5cfe86f1328248f8772020a90093c133de90c09cd2e50048fe2d400e807526238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
26KB

MD5
71c6e4dcb559033bffb685bfcac9213a

SHA1
25f961c9654c8b6ebdb65fc84b3e218fba9fe9fe

SHA256
77dcc1c86b052027db7eeeec2d6bad3d899360ca512a5c8ff38db272e9cee5c9

SHA512
f7065427eab4f90046446685101518f036d4472bafa41da4d0c80f30e3accb19d90f29c0483ff7b95a8282d1ef68b60457818e4c1457d307208b56d536e9ac68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
6KB

MD5
17fd1519b8cecda0db64073a4edb48c0

SHA1
21f15ed946708fa2ae89a57f08777b7a7023d99d

SHA256
02312313574763dc253d6d50b8389efab2570586849e8160981cf2058a133391

SHA512
713c6d22e5e647887f4a779404669ad4338846008d77fe3524e697ec565da60b15194da4d1548be7a9c1b3c6d7422f5a5f849736b29a089cf083f6850c18e39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
977caded74f64b2c41602f32e4fa98b5

SHA1
a8bd3ed86818d2a85fa1ac7086999e63d9eaba94

SHA256
16b495142ab3e9e425ee0a9756d37a6b79476f04c3514b0350245079fc850c85

SHA512
4006c6aaa14eaca650729e58c947fd21ed56ef56551481d1310dc39dfe9bded6ad96ae2522d16f174f4b782e3ea94538c441e04704867e2981db420610aeff6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cf09d971dfc82f6a11571ff2757f1686

SHA1
b439fe3199a85eb0e6a2f9c7741b8a586f8490e4

SHA256
afd3de5ae133834039873593c381998af23bc0de2df23f36bfe3ac48a1e038e2

SHA512
85fdbff3b65f8150f895c271faf1fcad062f03442b887c05f60ea6a9bd1d5ddda09e8f1f13525583bff28700d3740d5a2b419cfb45cce98ede984819499b4841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
054b7b7e4cc9c94671809f1a9944d015

SHA1
6e13a19c2844f47dbfc54d6e1eec602aba175865

SHA256
b82cf3c88d495a002b2a33a96e103b34fd9a8be5af8948fd0c4fd9944fc992f5

SHA512
b0d63cae0ee9d023e9c2805bbd9d577648a651aedcad8cb615be21a6c3c12970d0f2be6b0832aea325ede23dd2a2fb1aaf716c79d830d120546fec7aff214a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d7333182ddfbbc752bb78dd40a234e4

SHA1
c4b56869d017646f03a0260894ba43189e4c9b3b

SHA256
653606b7e6c3fc5b92e8111ae75d042f0b36a274df4eff0901b875f217516dda

SHA512
5fd6b18dce479a34934db2fb7a4a3aeac748aa2f9145ecae013e4a83f7fa88d756b0bb6091023f648c1e0b051e7e6470a63b1dee3bbe54e40c2a21541a7ad744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8126d23278bf030f1aa76da88e2dccbb

SHA1
e68be2bb56f0a1c6a394cf9bdb6d73a86426befb

SHA256
ceb3c2e27dd4f31aa346085ef2e2329f698cda5987ecca4b1d19ff4380a1fd84

SHA512
ac80c94ca14fac923236aa7caf4efd51559b2c35f99245b8060ee4d84eef9a31db757c31c5f7dbd3b1fcef8f26e4a5586e405cb991f60106047a8dc636858a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4dc407603ac515a491fe301a1a90f8bd

SHA1
e7722b52931980c93b9692875bb913b932a7c6f8

SHA256
251f84b4d4e413cb679423976c24fd1a833bd6abc9e1721b85e36e425f3734d9

SHA512
9bcb5b426307dad3da61b9878c298b924e7df967260f1398bdcef38a4a3e5b2173ab1a544ff36c0d0e35f4dd9866591b803b140e45fa2cd2c1134a4e5708ceac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad29e53b58fc2bea1ee552a35c411294

SHA1
2e77419fec3cdcfff0a37da5f51dc8a8f5417dbe

SHA256
15820ff780b3cc50eda1b95fb259a2728d0aa9fab7c7acaefad77a56863c4c59

SHA512
beb472777e9c5ff9cbab4762d0a4dbda97062a5c5f13ad75d7b54e1af539f9136af4447982b2ceff0b94cd1ee388be4263362b7f6b0acad34b8b90497dd05923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c5c46ea558f1639033529bc6a9d4027d

SHA1
283b6cb7e9828d1cc8c4b73f7ab57153a369b167

SHA256
3b99d7697d185d5c8dfbf23db73fdfe92117bfe45e8b999194af0140f419b96f

SHA512
85c2ca7cbb4a57b811ef8a24e60c24277af017c4b26041b10ddc4122196522c00598f071e5695fe74cbac0e3a2cae364c9d1d1a562a2bb8af5f13c9ebaf959e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f1a70264249e8adc16532579c5fee213

SHA1
3d4d510280e816c0d3d78df66472b2c65f727cfd

SHA256
e5fdec76e87f4df8eb01a179203021da6cb6feaa61f7dad04f8a8a955fa35ed7

SHA512
a0b4f0f6fde8e0dd3ff94fc0eeba4feeccaba4fc7e370c72214abb1e48f40454b38d6941021f583c0b4ae8e5c5acedcfdfb8eea459fcc67894d450e67ddba3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6b4eac4a14bf8a4674e8f691575ba8b5

SHA1
8e7e0200ad34cb3de773d156a3a649fbdb3ceaf7

SHA256
efbf88ad5975c635fd197707a4dac3b1e1393dca6a9fc93501b330215c073cef

SHA512
fa9a6e8a281a3c7dc8b94d617a2aa6bc3da883e70c6eb9d0e46ef60bb48d7be3f8c4e96c76d8576db12ae1f18a1eceb8398c4465f65731f6403d622bc6e61a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7b789c1a93afa21e5fb3ef51fd4d05e8

SHA1
e071e91a78df56e21a612ba5bc914b2346571dee

SHA256
7436d925350a580e6a80aca5a7527953f3b7817fac5aab8368a3c718dc829108

SHA512
841b8fdd383fd33c4451cd13c18cc5f996ffff22d03c4927a42d069cd9ede5ab7e0eb94dc96270d8c39ae651dce43e46c4f8ea761b256bb2538b75bc9373bfdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
cb00372781c6299851e09be97ac36fe3

SHA1
4a9d858184d3d5a9b9d5b5a3e051dc2083b8104c

SHA256
fe911ec5ba369acb3f6602c7e274bf9b74c726acfbf9efe1ef74840ba256a284

SHA512
69847c0171abe4c291b8427b3f407e2aa50bcba0ddfb2d7f92cf08d342e47ace942327db3e2833c98256aec1b6623e2323e059b1d96086483595d7904c01eb4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a578344f92233305657c7d8bfaebdd01

SHA1
194fbb4389c278b872c18814470397bf51108ba9

SHA256
63ae7ddaef65a655dd6d9cc0ff13038d3aa5622b32af0c3721d0ab256a477a05

SHA512
eb16344107839194977751c24ca9b23508f0c2deef633af098beceed7c6e4074672f640a27d51de22d0d2d9143386137340cebd7199456984330172c6d4da618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e582dd8889fb52f96d7b671d40117222

SHA1
458411ef969d8c634202c661e0b16ea3e00d0cce

SHA256
ace7a09fb0bcef593a1464533508838b3f6bf167d05eb7cc0a98157d26fa619e

SHA512
84f21bb360f62e6eae48ae764cd6a4f9326aff14c0eb4047726ba30139b618e2448229db8c78a0176c7a5c965f2f7fb934ec38ca66b401bdbfa09af84f20599f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578a3e.TMP

Filesize
1KB

MD5
f3a39dc2d9d0f0037a29e9b1e0ec3fdd

SHA1
abe0129e6a2f1dee3f61ac12c342a484ee925881

SHA256
5412dd49f33eafbcfae11350e95ff7c1246079b2bb1e7c0a6bdbc8403ea333cd

SHA512
b52eadd03aafec7c7f38664fc16dce33c6efea3e459f43dc4aaed83ff54718193bb7aecc1585e2da68e6cd5ecce37adb70604800a48ded321f067cd47939fccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
17ccb31db79a08134a009e2bfeff9a51

SHA1
0534fd1d221f1ee6eff301223b06c2a71c349ce4

SHA256
d539427687061f5b7fb1485456eb5e6f27d4137c82da0301d190c1a89f0a0168

SHA512
5875a220ea4297669f4a1240021804571f29ae19baea4f3a77015c67b6a67463e3a4de2fc23e44d6a9a748218f3ebef1ab79105c490a62ebc024631723edb0e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_1960_BHREBUUPYCVKILNV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit