hxxps://download2286[.]mediafire[.]com/ku8hjpz5cpeg7eZMiKKOeUmPeY9LNsF6sMyfzgKJBxUvY6Fmelu-a89277jgIVax1Prv-mMAWWUSeRM9OQITcaf0cBN6FNJebxPb21GBZPnsCPb7eFF2gblpU2Z4CorLv5yaRbIx1J32jYyBURy1HeZ6SMgj69A9dVgOUYGEAIo/evmglv4etgbbc11/RobloxCheat[.]zip

Resubmissions

07/07/2024, 16:36

240707-t4hcjaxfnb 8

07/07/2024, 16:34

240707-t28fyaxfmd 7

Analysis

max time kernel
429s
max time network
478s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2286.mediafire.com/ku8hjpz5cpeg7eZMiKKOeUmPeY9LNsF6sMyfzgKJBxUvY6Fmelu-a89277jgIVax1Prv-mMAWWUSeRM9OQITcaf0cBN6FNJebxPb21GBZPnsCPb7eFF2gblpU2Z4CorLv5yaRbIx1J32jYyBURy1HeZ6SMgj69A9dVgOUYGEAIo/evmglv4etgbbc11/RobloxCheat.zip

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-587429654-1855694383-2268796072-1000\{B0E9906D-9E38-4975-B3C5-DCEE3818E053}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 341463.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1320	msedge.exe
1320	msedge.exe
4004	msedge.exe
4004	msedge.exe
3772	msedge.exe
3772	msedge.exe
4368	identity_helper.exe
4368	identity_helper.exe
3060	msedge.exe
3060	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe
804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 3920	4004	msedge.exe	82
PID 4004 wrote to memory of 3920	4004	msedge.exe	82
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1148	4004	msedge.exe	87
PID 4004 wrote to memory of 1320	4004	msedge.exe	88
PID 4004 wrote to memory of 1320	4004	msedge.exe	88
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89
PID 4004 wrote to memory of 1456	4004	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download2286.mediafire.com/ku8hjpz5cpeg7eZMiKKOeUmPeY9LNsF6sMyfzgKJBxUvY6Fmelu-a89277jgIVax1Prv-mMAWWUSeRM9OQITcaf0cBN6FNJebxPb21GBZPnsCPb7eFF2gblpU2Z4CorLv5yaRbIx1J32jYyBURy1HeZ6SMgj69A9dVgOUYGEAIo/evmglv4etgbbc11/RobloxCheat.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0c9b46f8,0x7ffd0c9b4708,0x7ffd0c9b4718
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1984 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1974629580861308082,5061998016821781990,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5336 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1fe3a26bd35b84102bb4203f31e74c7

SHA1
45fdfa8433789b575eb64e116718e62e0e0cf4a0

SHA256
26e0d51529de906dd285ba48288e25eaf5213c0f0bab9bc5f119ecbc5e1b93ee

SHA512
d528db2e9b917d4fbe24b1b5c6f4cb274f4f91c84f63e5119e041fa89ae0cd01a370e314f8b6aca9d6fa958e79feabc720f4b54b3d8aed69aab11fa84cad36bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2915233ace3b11bc8898c958f245aa9a

SHA1
68c6aa983da303b825d656ac3284081db682f702

SHA256
b2cb442f2ca27619c8df087f56fcbbb53186c53f8fd131af886ee3712220477e

SHA512
e3f1b70d39b615e212f84d587ee816598236ee6ce144d919593894fcce4a0900343a9e8b837a0d1bd10921fff1c976c84c4a570eda776fe84d374a69e7a54890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a456ec8bc825506eb9b3e2502f824a92

SHA1
51f10a0dd24f0c19d1d762af07351512a4052fb4

SHA256
d082c14a16b0bc4fc0457d2f3670fba5b8ce43bc32d8880c73d3a5b55280c89c

SHA512
bb7bbe7e179a5cda313624c0546459687a9dec21bd13c2429f8a3d4a9a65956721742704c436ba5c107db8d1e90fdfc4dd1cba348a6ac1e9d6dbeb42958c7c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
f0c40af16a645eb8d960f8d566117ecc

SHA1
2c6f30c82a2f32f3892ef8fb2f3e331edcd68b79

SHA256
753257999cca660372df6a1111418fbe8c1a59e9134991b3a6a29d771abc1fb2

SHA512
8c72ef73cd5df4493e9a618f32fa132566310c147dcd9e1c657c6786ca7d4f0d2520d4c760b1e0bede8628602eeb7ccf99442e41de767003bd27d0ae273aebb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f96efade61975709aa1350e50fa4bfd0

SHA1
f36360eb44ca4c4fa758afa2bc4bc9cef84d689e

SHA256
9daa2a71b402771af3c7997b85f0273df8dacddf8b9df42365b25cfa1c5749ed

SHA512
d9dd66583e9511cf3ab68c5e5daf58d6b16fa9e64edaae04358a1ac55a37871fc0878267f7a37d03e44690b99b24a2c0b4907bdc9c7fdceae1f82a65dc64ffeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
d86196235d8378c9270c69c194b5aa58

SHA1
5a8ef8cc1be23475b2470bb74048b92a8cf44816

SHA256
c821ebc1254fa97e79c2707fef3ff3a86c5f37691ff3020c70349079111079dc

SHA512
48f60852ea206f58a75b96d7d4bcfdb1a914ace5ec64faac82677be0f1116fb6249cee5207acbca7382d68ec40e1b7809fa0bc044a2e348a2278bcc32c4ad93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91cd19cfe3eafe64bb1f39cdc8306ca8

SHA1
dde322d4538e8b4ffea0117a0113d71c44014203

SHA256
172e5c6c2253dd2fe0ce78656839a012e04b8a503aac0e6d4351ae5a925b9af5

SHA512
5355589d0bb75c9a052625267d5199fb5eeff6fe8fdd32a3997a7c468cb36e5e9559642a9d92656bbfea504834c5209e48babaa027ce54f6490956a8e69921fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fc9f5c4f13e0d1e806546329409914c1

SHA1
259d8778257f5f6a606e398be693b8c7abc36c57

SHA256
a13f9cbd67759fdc101f77330a2e857f66f3273467203404b1fc0e1b57763dd4

SHA512
5002ab2e02a50362f7f1ee23c7ba0d1f21b8ccf8fd3a4e01cdca2a42cd0cb36e782bab93fcfce7b4f960754350cad89179b50af6ae813425dfce1cf74849e582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
596738bc88f90b6c5161419c696fb8a4

SHA1
1391e8f88ac27e01946e891f33ad8dcff4bfc339

SHA256
d5b6de318f089993173a8a5253d9d428683e1fbcedda6921311e541a45e8a657

SHA512
4fc8410d59c77808497816b82edc63488e2900f9553c3d89b5e0fa4f32b5b1b69b9e6879e59a0f08f60688428131b8eaa1a2fd284a1bb6763c005b2f51e94697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fa4f9435f551517ee0f919f1b2723b1e

SHA1
49eb2e76e120683d12e8972436ec057a075b5fac

SHA256
3e050c2157e6c23dec462a5ea12cd09f2d7be9ab86cb9336b2aee2ecdbe55e66

SHA512
392e86aeda2a74ab77122a8c5f3ba8889f11c88455c9465476f87d1dccbb7ffac343774e2b4a5f455644fee0c7d4fc1b2f502986545e5f54026f4221ad4c50dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fc615df49198bc093bb002624998f315

SHA1
bd598a0543d71fd6692a8e5b1788df03168d1ad4

SHA256
96e41737b94346776987ab0ab7439d9b4ede2fb2050e73ac693c12b31453c0a8

SHA512
c5b5496917e6d62fc51ac58848f5efad65ad8502e07afde6bc60378140c4b0f55a8420b0d5284a533261d26eb4ba4211c750ef2d88a660155f2fc496f7cdd021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
c1aa4f2190e00a8678426179d8ccdd2c

SHA1
c69cfb11769a22a7efc2de1c0448c95723d10476

SHA256
4e526129124dc465590f524c565da011556f3cc858eebe65511c858ab9f8547f

SHA512
03d0f8c7f52e497705e287b93fad94430b8768a452d7c1ebd554b79c5067c4c2be764b3b6213ffba2c18cd9b2cc9712d87e086b131bffbd9b21f74d6a4efff0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
54ccd05798bfe1d391b84b0f764f6db6

SHA1
100eeda51bab071cc5d6814c28066904d295aafb

SHA256
5699ade39859cc64e56bfea100417c67a48b0ddd5965e900c3dfe08c769d0001

SHA512
aa4b3509e428ebd02796cecf562027b1336c93b62c3f9410845664eef5dd2065e601e12b707e6159eba4312dd5fb90f78bfc2d92840c01d4ae63141a73cf0387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8a233415b275167d9b26a54c2b79c20e

SHA1
6a4072b4445cb06048d8e90cfc699d68f2e495e5

SHA256
03f5a7aca53a87dcce57ec568501aefb16ae229a7ff7d7c97a66aa030ce623bf

SHA512
826c07e24de9d28fffbe1d1d32366c851170cd1abac038093bb668c434b6a995346fcbf3132c4d827b8aebda071934122d85b62b4101a714889f2c515c1384b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
30dc5b8eb8c79ffd184fddd0307054ba

SHA1
060aa03aa3cb30d6c5bc0ec294494f9ef9bb4377

SHA256
953c22a4d42edfd1ec15d37dc2516b5d2725721bf2c2053bc81a7ce96c0feca5

SHA512
092ed6cb8d6ccac8d299a2f29d82c596b601501ea4ecc3c0e23a9a291de38963704dc15f5be00378e3fe08d2854e6c9a1825d2d4a20a58cf78b8dd7509abca70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
86ca7c8640400168a1a365eb213636e9

SHA1
4ddd76671211030f7e71e55ee9f0cb29098c0487

SHA256
efd31a2945188be0fd3afda67f44ca838be661cdc5c593fd55f76c6225f1a99d

SHA512
79d85b61c7095e04f9425a23bb03f8a7cff341932b96bb881607a7b431780145f67127b346553bc7a1d2a3b34eff2e8423cfc2c4614769fd60ee92d4a0251194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c147.TMP

Filesize
706B

MD5
811ab85baa1ac6b8f6c8a244eb12f899

SHA1
7d2042a62e20e6f90b758473bbab7d0ad50f9698

SHA256
00bc28b13bc2bf51b99d6a05bf2ebb58b7eca03caa5d030161ff61fd0614901b

SHA512
f5c33e29265a2ea3e88689063d7eb8da70f153daa306a3c0f893cffadead82c75877c8f81bed4736d3eaf976a4b9331bfeb766aa2a0361ec66263bba9d9f4e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7cf123d673c353341eb2210a4fc29e13

SHA1
05b8bea406d16143eb3a4eaee5a2e0db1c57298c

SHA256
93faa173775966ade9a5919ec88dde76bbc26706a111267a174921ce488a2158

SHA512
f0a2e18273dfc9d979e696d588ab1780794f21c9c2b0043370e9d09c1b79ab8a048cd8be2ebe9be5669c9de0de4f2bd6c488d548946786d18369ce0e7f6c14eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d81eabc7156489024ed68ab251e09bee

SHA1
ceebfbb5a34b5787e20ecfef4f5e3f5e4e4b4c5a

SHA256
382fc315065f486a05172e5d52fff0409385aba31fbf06ae08380f1f69b30b59

SHA512
bd12da38d6632c24e043e6c8aecf34e8a10667a842b94d115f8661b803c2e8be33890abd1afcd7a5423d5a55f258abc6fbe0fe876ad35284c107ea6defed17f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c553dbcaa8253f90cee61d4ae8d314e0

SHA1
02ab846dba4dc62afd6cde3cc0043fa27b7387f8

SHA256
63c89bdda2f42a79dc46b4b6bd80195c119f481d085952348ce830996b2eb403

SHA512
00e5fa183543cd4e3b3fd2e946c485d73906152821182178577fb81c73c07c4e957650433ddd67fa14f5586833d257d9749d255999e56e1e26299c67492ce7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a27fecce034b674d9087d0aac5c30f2c

SHA1
350a08766fb14b6b301bc328410c55536612648a

SHA256
f52664805c8f3c5c923bf7e42089b1f9b9a4c81f56d267d8ef061abd21f7a35a

SHA512
8f4d0e76009a7887f05d6e133f6ef399aed19408bd4ed85d4782abbb8ed31fa64250c4fdb81bd70dcbd94c8535f179d55e8c5f01e74c5554a47df9057428ecf9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 341463.crdownload

Filesize
5.5MB

MD5
94740510822524d579f869a81e02f5ea

SHA1
0e87d714e9eec2eee7c3af028e8e66e7478a107f

SHA256
ad927962330c2d2cf2bf7c33c1a5395df5ccd4ceabfb10c72db240041d773dda

SHA512
7cb3e72b0f1bdcbd53096fdec470fec9a6aa56d56b5f4bfa86b6afaa3ddbd2be6878f7874feb2c15647a627cea34a1fee7be35f6d1dffbf6a5a9c0bf8efa1d24

Download Submit