hxxps://www[.]preqin[.]com/registerinterest/account-verification?email=milo[.]dochow@met[.]com&uid=517303&sendID=333783&vertype=freeaccountver&activationkey=ddzvZC1H&freeaccount=1&refpage=997f7d6f0e7c3d9f1aa24d82f2022a3a

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.preqin.com/registerinterest/[email protected]&uid=517303&sendID=333783&vertype=freeaccountver&activationkey=ddzvZC1H&freeaccount=1&refpage=997f7d6f0e7c3d9f1aa24d82f2022a3a

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
4104	msedge.exe
4104	msedge.exe
4580	identity_helper.exe
4580	identity_helper.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4576	4104	msedge.exe	78
PID 4104 wrote to memory of 4576	4104	msedge.exe	78
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1092	4104	msedge.exe	87
PID 4104 wrote to memory of 1756	4104	msedge.exe	86
PID 4104 wrote to memory of 1756	4104	msedge.exe	86
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88
PID 4104 wrote to memory of 4528	4104	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.preqin.com/registerinterest/[email protected]&uid=517303&sendID=333783&vertype=freeaccountver&activationkey=ddzvZC1H&freeaccount=1&refpage=997f7d6f0e7c3d9f1aa24d82f2022a3a
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff922fa46f8,0x7ff922fa4708,0x7ff922fa4718
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6898463054460565130,2685315522128724473,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
fe88949ac8ccb22191009537be688afe

SHA1
1675506fc31d37734ee2f305061b7e241ded1513

SHA256
e2da70f48e598fa382b3fabd2a57223fb863a9fbcb358b8cea8e38721aacc05f

SHA512
22f0c1b9e1933c4f49cd99ee978a20786be08b2ea187545309b2365979b2039eb6031c0d59164f6103c1b8e0c3f2dc4eb61135d73a797c7f8df27e9a14581bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
19ae60fd5b16dc3489ef7bdf2300b4dc

SHA1
43253d9b018af00462794052097c86637d3b4a8e

SHA256
91341b24d4571bbc54860bc0345a9080c739a02e5f02e6041bcc1b19bbf7bd89

SHA512
f8f79bfc8c8ee4dc6a5802fe9509b2f74e1e9f49a47235f7cf57a83ae37352dd2faf2c400fa75140562ce8e66b537e3626c9c285a46c51989bb3eb0db7d4a04a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e5a2bcdca8863532708ee1457db3e333

SHA1
97be25982983ff4e7570c87386c56fb35ba33542

SHA256
071bb894bd015a9f343a4a7f864d46be0f895db1ff8e8002e4d67474bd62429c

SHA512
6104161e4a4b058aefaf0642ed91b01a7ebe8e4b0f32d35a2016394d340c443055d3c6d13dc03aadbc1602658245b7dd6f1058247ad7211dd43ef176b0bf0abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b91fa4eb97770ed765924e40be67b32

SHA1
f2e33eb41c9891999fb956504ecaefcc1bcd1a59

SHA256
4647b420607c476e4ec1be8872b936c827f17701322181770b97a2e44cdca1c8

SHA512
62c09c45e24cfc2e527a25dccc71d3cd75dc58ad3025f0899c4b04c381d26ed2a5d2e8008195053ae12c6b8163a31aaafd7cf2efd0849800189e16de8fbb7fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4a078fb8a7c67594a6c2aa724e2ac684

SHA1
92bc5b49985c8588c60f6f85c50a516fae0332f4

SHA256
c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee

SHA512
188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\afd56d0b-b6fc-4646-a664-3661028a277f.tmp

Filesize
10KB

MD5
0ff4ccdf1fa156614eaa512df68432e2

SHA1
3f0effb78104b51d0d49b0b5dc30f2296b2a3151

SHA256
33bb11c92cbe0259cb53624031417951b99baaab679f52a32ef69ea0b092df09

SHA512
74e503d534379169fdf7086bddf837417870675a58e5663916071aceb47ab79fb5738f402ded9ad443f673f5526221fda7d4e171c812adaf3f2fb51434e8ef80

Download Submit