hxxp://roblox[.]com[.]kg/groups/9649207841/#!/about

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com.kg/groups/9649207841/#!/about

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 8 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{4CAFDAC7-E418-43B7-BB42-5559A28B9B0D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
792	msedge.exe
792	msedge.exe
3424	msedge.exe
3424	msedge.exe
2528	identity_helper.exe
2528	identity_helper.exe
5424	msedge.exe
5516	msedge.exe
5516	msedge.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3424 wrote to memory of 1972	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 1972	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 2356	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 792	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 792	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 3648	3424	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://roblox.com.kg/groups/9649207841/#!/about
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8534c46f8,0x7ff8534c4708,0x7ff8534c4718
2⤵
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
2⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
2⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
2⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
2⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
2⤵
PID:724

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5828 /prefetch:8
2⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
2⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6656 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6512 /prefetch:8
2⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16918914717284170665,6199529446103834416,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4976 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
84b9ca814ef14e1eddc900f7fc5aea0d

SHA1
bc848bebec94cf51ec09e15aeaf05cffd05c3079

SHA256
94592f494e6b9c8bf5efd21129c6850a1d09364ce637c6638d11549466355f66

SHA512
fa8ff4a15751e2d81edceff9d767caf8d8fb7dacde8b3db62032d1cd18c294384a7c6ad7de132aae2e8d08a25b0751f3ddfdd7270fe296df65e471e3c922fce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
7824000473930e53012f16836ff844f1

SHA1
65f9ab93e67881a06c58c6016fcdce53339b1a10

SHA256
383c3136ae087db97aa734e259253fa727e91db5a69cea8bd00b7955af4d05b3

SHA512
a476e24b0766f13e9fa6e59d9f29838a4b4ddbcc1c57bc06cc103eecf1cc7b9b5652a5b1767167444233993329f5c8e90fb17d48ce9328c91784ff66b183c0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
507f3420fb58c7328bba35dcb1a00da1

SHA1
79ddb0b057b7330624e52a829e652f2b69da892b

SHA256
71f047d91f3b91b1d36f06efef270147b6293c5b000ce4d4d03634f98f99fc1b

SHA512
a8488e8d817c8ba17b1a81b0eb4ee74b144122227c6ac5186a66fbe1336e0c87565da9753468ed375730e2488214f81f91d81b8a78cccfe7303addc537e6b943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
338718c3537ceca52485dfe778d86678

SHA1
d3e214228df871790a4871226b9e11fa529e3ad9

SHA256
e78f926c59ee8add303412f937f7466156e036e2fa2fdaaf33f13eb77a7bcac8

SHA512
8b05a3e4c3ef2886dd7ad1f13bfb2520ad98c7759b6aaf8f22470f3281f820d7c8b88823b5b5d6c268ba52c99cf97a20eafe2ce5bc974aabd956f5c0e44449a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c6c3b33bca5d57fd277a2b668b0f2bd3

SHA1
e77500c08cf5209b0a7f0c419b1380fe7a310ae6

SHA256
cd1122965115f08e8810fcd23db4fe20d46066803cd08929660f29cea4169ff4

SHA512
a7956e0946bf5a269d8f8694d83d418d8a939d538a5015137412839888ba62c0745bb40dabd14ef0e294c6b7affa50098eb9c8c66efae85210c50ff0f0250afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
6718b000854cb301bd81fee3b5d06d81

SHA1
e21620383e4574368ecf2f9e3e42013122cf257b

SHA256
2522d2658326c2119caf694d8865065d188ae7a2653fb4858fcaa5cc148f2484

SHA512
a76d5a1f391b3cc97eee772c9dcb4bd2541d8922371bc60755c9091168459c4b45a089fd0b88872caee7d8c34d283e897a5b4053f046cc398a9977568b133d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3ad2b92dbff26715526e85cbe554c003

SHA1
8b3d8289298a97bfec36e8505f6eba5d993b4fb0

SHA256
5f0a278f24918cb4095c693105aa9ea10d207c0f7dbed1125bc1f7768ed131db

SHA512
019935b2bc124ace78b73d695b3ffd467d5dc4053dbc9e83e31a746e609529b8dcc733e8ee408d5537e350982bb4f5888aeffba95e734c79a44ad4de6c971972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2c0eac24de9496a54fea9c55117a3ada

SHA1
96ae9fafbcc3206600c83fcc050aa7a72d8f73ff

SHA256
92663afba74d5923b54a36712c6547b90768e72674f242254f2625edae0e2b7e

SHA512
001f80687d131fc282d094eca46d7748d10c05c413e138ed9d041591a588278dc3289c7b265c8ed59b2ab6b4fafd920e7ea658958c4e5583efabcdb49b73d322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
feb9ee1f0ba5ba924e9566102df9367d

SHA1
93c45a7859d2db18f7f4d14a5fbe1088303045f6

SHA256
5fe7dcc3ce791d7d24187248df4854c087c389daa1b2b7580c7fe620726844ec

SHA512
17b3d5ecb23fac7912f3ea28cb6baa5fab9baf8f2be7dc56a2f9813b5cf20ef7873004e69448e36c5c8edf42bfd213cfae71b60f011cbbd7976d981a35d3512c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
6e18d941b737d711274d7461fb2b6fd7

SHA1
a312250ef1d74cda67be1b668225f43d6aca854d

SHA256
e80d8c3d61187130f2cbd0f6992a83258d7800593ed354aef41417102c5df15c

SHA512
71ed145e91970fd6d0e0b0e4ffc552c592dc50cbac4e4cd2c2ad4e43f9a63f3947f78795bb32723223773b58851f646ddf6208eeec90cde2ed85917d077346c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
eb059efd1f74566f75febbbcd8658473

SHA1
538914199cb9e221633029322035e0d50bb07bc6

SHA256
237601a28b71cc3435e387ca5fa8ebc546b9e2da9b75de98f0bb9a8a145b852a

SHA512
386f7e3aa1196076e963525bfa072ba48ed559df245724d5093c1fb40617da9e01493a13409f249d214518e5dfe55aae19f0fba845ac15b0b87213577f6af429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4af61255550fdcc374d47ed557f5ce4e

SHA1
f0389a57dd2ab0cbd2fcbaa4b1a7bce4ac4f9326

SHA256
390ad2646f0847706dffcb9f73368aa4bf9a58d4fb388be7ce1b8189c71dfb4b

SHA512
56b8d051580e71509be9c1910a680fb6a43b7e1bc0e026a6602f36dc83e8d4df8219f4abaebd891d2a05b66c96e5c6859bfadb80b01da015e35402022278bfe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0741cc2634b481ed2c864b1870ab692a

SHA1
6444630e182291e9008392d86027b5d339474816

SHA256
5f1ecfd1f578ada9872fb9ef5b746cec4cacd4136b3bd6bfdff907ea97512f2c

SHA512
d9bc473494f6636dda5b4534570a6bd400d4d0e06a45e04271d5e84655c36c666512d4ec6ba2e9f6ca629d63c97eb134d169799ff04822f9f27a8c9ea2019ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d5554da74c3886e05b352b2cc1e8ec38

SHA1
7c45495335c2321763e371ffe831dd8ecb2c1fd0

SHA256
8bf48aa85fa128007c7ec77a92f3b61b319e735762a7c7c1a245d1ab608e1674

SHA512
89841815bbb1375c9fa9bd1575fc8caab5db67b48298a8685c5a435dd7cbae00b05579a0322fdf73c0cf654b828c2a87d30895356c2e661bc2d4077743e81963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578ed2.TMP
Filesize
1KB

MD5
7a2352dd612c34c82933e8663f1fb9c3

SHA1
459106412b6838ecc45e2d0cda636164dce46a40

SHA256
129a22bb05ed8fe9cb2cf4de77526fdf7617d7f1b40f4e784f07d6ec4c824407

SHA512
747b58e406dc1fd63866261274b72ccb4221f665d51b79b6ee6e0fd207c29650755593bf49c1078e0e7217713ed92bb44b6dd59ebfb16929b140f5963a40550a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
491d11c9f9eeff2eb571385512edb4ac

SHA1
3a0adb509328dbca088ba51ae29f424fa18e94db

SHA256
7cea88e7a6907fe91e22fe1b603e65fe9e2e513e09092f108b0f683e8abebda2

SHA512
efff2ed2705949a1e35191a5e890098f0d8b090142ce79ee0b4e817cc0877d554e00f4ec084335770a487dbee2d184310ee07e084b4a259c47ab4f6f21d31e01

Download Submit
\??\pipe\LOCAL\crashpad_3424_UBFJRAAXPOWJEYJN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit