hxxps://groups[.]google[.]com/d/forum/geek-squad-customer-service7452xtwd

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://groups.google.com/d/forum/geek-squad-customer-service7452xtwd

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe
652	msedge.exe
652	msedge.exe
696	identity_helper.exe
696	identity_helper.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe
652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 1820	652	msedge.exe	53
PID 652 wrote to memory of 1820	652	msedge.exe	53
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 4376	652	msedge.exe	85
PID 652 wrote to memory of 3360	652	msedge.exe	86
PID 652 wrote to memory of 3360	652	msedge.exe	86
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87
PID 652 wrote to memory of 2240	652	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://groups.google.com/d/forum/geek-squad-customer-service7452xtwd
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd32f646f8,0x7ffd32f64708,0x7ffd32f64718
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3034360340866266873,7676231696851989547,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\667e6b27-a0ad-452e-99db-2b4fabbbcc4c.tmp

Filesize
12KB

MD5
184d712428850fa9960cea1e08c580ab

SHA1
a9aeeaddf62b35d57cf6e9946e397dde1d4ce13b

SHA256
4cf1c32c8921881c564370b1485f5660d0ef520c5883b2c382609bc950e54703

SHA512
f2e97e127df9c349c4bd0645a1b54595c821ddba3d0068d0a3aa0c544b4566ae53c2e58b49d88416c75a4036f251462fc30f1eab9a44bc78671c73cbc11595c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
70e2e6954b953053c0c4f3b6e6ad9330

SHA1
cb61ba67b3bffa1d833bb85cc9547669ec46f62f

SHA256
f6e770a3b88ad3fda592419b6c00553bdadc50d5fb466ef872271389977f2ab4

SHA512
eeacb0e62f68f56285f7605963ca9bb82f542d4e2ccc323266c08c9990cecdebd574e1ab304ae08ea8c6c94c50683180f83562f972e92799ebbcfcd8f503fb5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
873b5a135b94de05f74bc296e6f523c5

SHA1
58c8513c1c3b73f5be1aa27585156a553f3e75f5

SHA256
81c90263fb3fdcbc760ded19840a847174ddf36825598422d65be8b19f684d91

SHA512
bed38a928019fca78eee374510969782decb8d8c6dd8796cefd1799d48389849b2f09e7cd995e3c6649ffe33f2a37a6684a9ac542ebaeaf45f43d9d28ab35419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
58738bdb1e786a6a4295738302251676

SHA1
2945d01627488ccf0ecf5142dbe1ae52c39d291b

SHA256
72d97ed3e8a3279d6268a40b95c6b2a905126f5344f44491a05ecace8e62aa5b

SHA512
9b3c5ab18402ce743a0575f934b5420fbcc649fd2d4995d1b2010d1ecd19b7f28e472dab1c666a6ae1d91447bf580602bf8c2e337d3982df614b21b0676d8a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c09354b428293fcec8b3e07786807d72

SHA1
bd2ac8e21cc22916759f994924a50eff6fa92b64

SHA256
95a51736ad46a4ba35263767213a04d7b80fcb2c8e607be0200fe2258c5252f2

SHA512
23b5aec53c9e2b91db2c5b9e9ef52008a88e75470f5f69c269aa146b513d71cc9c7140aa1334d42bd644f5e339026978b4d7a7f40976ef8fce9590915ce66760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
736cfcf8bf0d72ad17a1c998b5977405

SHA1
20ea5af065b8200a7a6f6fede321b2c8610fc3db

SHA256
7d30142ef532ebf54fe267f82e2f49477ab2a0db6ff0bd9cf61103fe9225ac85

SHA512
10128ab38ad51cff65ad1b666dbe02a5c651243adbbeb66a4016014a7b43c2cc75b97abf45dd0c53dac3bb6230e7a4fc9a42436d6a9c3f52b3733d26f68793b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b42c6d81fb3fe6728299be1c42a7e63a

SHA1
bdd8984f3ab745111ab068052c63cfecc3030cce

SHA256
ece5faee4f21adb649f22bfa11b8f3238cd2c69cb01cc5022aed22059bfbec92

SHA512
1cd5c8f365982f9f916d41348a6fbb0c1df6042d6818c25ff0ad0da28a788a2e05fad4b0046501acbfb0ba23afe43410d60ea5c91c28e40e2b5bb619f2b40b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a478f1e08816969e8214f982850b754

SHA1
1cf5e7192f3c6e31c7e27b6cb34ebf89036eec0c

SHA256
665cf5612c61412c9acc928b1e155c8f11ae83905ce614d9a1a7ad72cc0fd489

SHA512
7e7ff60c157841f6f5bb206ebbce29f6df3a6c0c671805415ad7226654e13da49ad76e39a6d0afe28992348f3b5685ecacbfb44178fd61998c54caebbfd97832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit