hxxps://formcarry[.]com/s/Eb0olpc_VY

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://formcarry.com/s/Eb0olpc_VY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1444	msedge.exe
1444	msedge.exe
952	identity_helper.exe
952	identity_helper.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe
1724	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 3396	1444	msedge.exe	81
PID 1444 wrote to memory of 3396	1444	msedge.exe	81
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 5064	1444	msedge.exe	83
PID 1444 wrote to memory of 1180	1444	msedge.exe	82
PID 1444 wrote to memory of 1180	1444	msedge.exe	82
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84
PID 1444 wrote to memory of 2904	1444	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://formcarry.com/s/Eb0olpc_VY
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb497f46f8,0x7ffb497f4708,0x7ffb497f4718
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15869781493705959474,8034250527150241458,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5f5369274e3bfbc449588bbb57bd383

SHA1
58bb46d57bd70c1c0bcbad619353cbe185f34c3b

SHA256
4190bd2ec2c0c65a2b8b97782cd3ae1d6cead80242f3595f06ebc6648c3e3464

SHA512
04a3816af6c5a335cde99d97019a3f68ade65eba70e4667c4d7dd78f78910481549f1dad23a46ccf9efa2e25c6e7a7c78c592b6ace951e1aab106ba06a10fcd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
9554668bacaa73808ac55213b639d5a3

SHA1
50c2194cb24d82b944ff9eaabd9d9bd418f13d56

SHA256
1ee8a955d55bcd94519234b5525190dccef82278fb4b5df88371b11ed85a1ac0

SHA512
1240f751437bf77a8835acfdac351575948ca5a0d953d762ac54a361d5a6ce444e17da33a541ff604c60fe38a3d77bcf29cd9747d5381b0a92b43a8b4824cd2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
377B

MD5
31bb34a2c616a2cc4c73f401e755b94d

SHA1
30aa6478b2ddcdde9b6c9005af372ef1298c3a65

SHA256
7bd2141120d6fd5b551ebbf8ad566a5a98394d95bb8561395e41a96bd139377c

SHA512
6788a8fbbbbe86d78424f8dc9f40395da22bb120a14a85756dc414e36b51b6a03fa177240bb96f17f5d020c6af4c6fee3f276288b54882f174c7df15bc1c018a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bcfa8e18be9e2b31e2d361a8cbafe349

SHA1
c0a77c3b91094a97b497750103279119874b0c2c

SHA256
d8118ec3511bcd861b99271dac5c7c8157cc291258a50c8ed058233774516644

SHA512
c63d67f4505f0d6d2d943bfb0c449a2f05be1a8e648b15ce546de321826f0fd932f567264a17b24cf75275ebf0039b0b860a6c02a2b676a10006ff23b3d25e27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
159b2403a12944140716c28dec427f18

SHA1
4d8e14c0f6a298ab6db934e89f89a43ba7207bfa

SHA256
91ae772b7ba1b9d6d2737e4373aaa028dc75c6276a339c16f7e91503c555018a

SHA512
70e92fdcb4acb1584e8a47f91b86768cf67472cc2cba76e138446291593bcd83fa3de0f241b49c4bff4659d791a95654a7a8782eb0c5cf244f3bb031cea5c44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
29213338df67d29d6454ee5d61ad3970

SHA1
8c69ca76a2e639060d5ce835a9600e6ea3764a83

SHA256
d29fc0d97fa74d382d0f557ecea4e42b7d50dbce43915bfc0c114c16e532aa51

SHA512
14db25eba8a863d390b97fce4315402ed7c249598ff6c31d5a191b0f71c274eead42ba0658403e744110de072e6ff1cac3bccee1e48875bde6b1fe39a60d2407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
95f46f7f46ad2f4bbb9e7c964cb2b023

SHA1
f438607d07bfff2c9453205a4736c01ed03cbb22

SHA256
f974b93d7c46ef00696cf002d41ccaf530750ba67900499b990ea5bd1ea50f64

SHA512
7290141904e75b5a0e5b2ad6e11a703432edfdc2ed710b5dcec268044f5787b949641a5ceea3e7ac50109163381515419389bca1d3a3d0ba108153366893131c

Download Submit