hxxps://www[.]bing[.]com/search?pglt=43&q=roblox&cvid=5f1dfff5b38d4221a918e741380cef32&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBBzc2M2owajGoAgCwAgA&FORM=ANSPA1&PC=WSEDSE

Analysis

max time kernel
1800s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 18:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.bing.com/search?pglt=43&q=roblox&cvid=5f1dfff5b38d4221a918e741380cef32&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBBzc2M2owajGoAgCwAgA&FORM=ANSPA1&PC=WSEDSE

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
716	msedge.exe
716	msedge.exe
376	msedge.exe
376	msedge.exe
1860	identity_helper.exe
1860	identity_helper.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe
376	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 3208	376	msedge.exe	84
PID 376 wrote to memory of 3208	376	msedge.exe	84
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 3152	376	msedge.exe	85
PID 376 wrote to memory of 716	376	msedge.exe	86
PID 376 wrote to memory of 716	376	msedge.exe	86
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87
PID 376 wrote to memory of 2064	376	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bing.com/search?pglt=43&q=roblox&cvid=5f1dfff5b38d4221a918e741380cef32&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBBzc2M2owajGoAgCwAgA&FORM=ANSPA1&PC=WSEDSE
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b5d46f8,0x7ffa8b5d4708,0x7ffa8b5d4718
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,4037697728001085682,1874633618547084393,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5536 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
7fd9966f78e4e8bc5e63734357558c77

SHA1
7b2e3c24e00e8543dd77d61628ea8abecadb1a80

SHA256
75b3508c39742a8fc6fcbd5efc2deaacc3440352f873d83113911c71a2713da8

SHA512
211ae34ea35a4c448adbd4a72df2530d9e0c7cdad8ea2d8cb082311604bd440b9a80dd5026da726fc36646c94f1b4e69ad09114edb48b599730b20174b705ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
542B

MD5
633fdedfe2668df10c66e63a4ab3acbb

SHA1
461e270b0d72bd710723b0dd5812d179ad200be7

SHA256
347cc51126acc9c0e105a1821f6fb3f4385ed1131adf251764d794c767dfb49b

SHA512
443d189cdaf192cbbeddff6aafc855980bf11ee63bdf8496efee131cf971aebce3aeacd2dbcbcce39a36b38119b9a1d51bb068b33bc24251880ba2f6281c6bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fde562e59ed1534288d3a785d450220e

SHA1
dca09b3d59042d51c632462ac1a53102d644555a

SHA256
c31de01c3bbf962d6d2f911217b26869ddd31f1e4de504462d4eeaedda889096

SHA512
00db3f0191f143d7436867e40ca40b376c10feabe1f8ce4c5806d0c9a1513129d2a4f45a3c1a1b59313138fead0043db7e661fe2a714479cbc2bf1f4c493d266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2bf4cbd85af53b955b0011458b7bfc3a

SHA1
41a2d6f17e46eee3fb554ba46f4aeaf6dcf474f2

SHA256
dbcc02b5f33a0b64e9ca6d38e8d8e6515131b077359e1456c75760b357ae1f6b

SHA512
281e909b3073d33f7b07c99c70b7ae4a0472c51e8c44f1855df814a0e4a38c41d84c6bc24927d1ceee570f429db5962f11bd399e334d77793c627909694b3162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27e5086aa3f81a548eede7a70a09dfd5

SHA1
7bc8687f63c30315fcf1ba2e49604e8aa7c93433

SHA256
7e8240d2ab920f987de2dc79eeaaf1ebf0d252b2c7d9242317390ef8b5f25ae1

SHA512
a9a26485f68e60a5a3b65494b3d4b2ebb9b152261a512a548bfd2e4161c7b4f6e92e62dac35aed39873d1aa954e070e59593c1cf3354e417eb0ba753bc3c90ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3db622c25e4bea97c6bccfcd03181323

SHA1
f2acd5f61f1a4b42cd92088650ce953b21ea09bf

SHA256
3a07f87e30fe3fd1f1e5dd8e5b3cd7a5ea67c97903ff57c8cb9dc9afc0a6e63e

SHA512
22ea52845c7fd68f9e9359daee865220a02c842a77ad13ba3ff775b7b31cbb63afa238d31d258686b39b5e3e5e5818b404d36679a2027cea5511724419889fbe

Download Submit