hxxps://www[.]cricksoft[.]com/us/support/clicker/ipad/how-save-files-ipad

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 05:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.cricksoft.com/us/support/clicker/ipad/how-save-files-ipad

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3208	msedge.exe
3208	msedge.exe
3604	msedge.exe
3604	msedge.exe
2992	identity_helper.exe
2992	identity_helper.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4800	3604	msedge.exe	46
PID 3604 wrote to memory of 4800	3604	msedge.exe	46
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 1680	3604	msedge.exe	91
PID 3604 wrote to memory of 3208	3604	msedge.exe	90
PID 3604 wrote to memory of 3208	3604	msedge.exe	90
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92
PID 3604 wrote to memory of 1112	3604	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cricksoft.com/us/support/clicker/ipad/how-save-files-ipad
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc52d46f8,0x7ffbc52d4708,0x7ffbc52d4718
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6192217883292075334,18426151175422052309,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3044 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
3d7c08deae1fab4f4f4091ad37ce7e3e

SHA1
57ee2a2725bd9ac6f86aef21a7c48b015c217d60

SHA256
c5c37532af3ec4093f84f15a92531625cfedf81edfe1eea4b086dca50642e029

SHA512
0915c6c249904ad47dec9fed05104745b1d342d3ae7d8bca6159830891ae91cd1788679fc07ac98661e8728bfe6364258783f68077019f3701082c5b2d5afab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
47da534eb4b1b874b291826277153f3d

SHA1
5392b121eaa7e44a2df891f0b0e6219c628bc558

SHA256
385390c31fad23e417c9f0e9b41ba2f44466f2ac06e2b46c8e13ef03b6c18c50

SHA512
a922e727539801e8309fe4d8df1b864c3fed075e918666be0058c8e14be9752bce9cefb8901335bb6a0fb6921fa1810436df1a2ec88e351a5e2d375daa4a647f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f45f621d6e68ddae9bb780e0240dc8a6

SHA1
a1a637f112ce80650846ac52b72a92d2b2a3271d

SHA256
ae04bd9bbbacb7d767cb47177d56f4b8556345b2a461b8d7a566e5dc8fce1315

SHA512
16c3dba03160254fd8f76a20dc1a1aa21150a71340536ce332e26a0533a2530891e78975305bfa3aae45cdbac863ef58242349f6acd0aae726b60952a3abe72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
687d0d5c891f509a1554a95380f524fd

SHA1
5071a5c111d64ece25afb920e638685b1744267a

SHA256
2057a61b1baa8159286c7aefe355e96a15d0e69fd0b2e5bfba170c744e422fe5

SHA512
668d6e3beb919a88da22289ce3666176e08d464f3d9acaabc4185131ac7ade7f1171a9edfca45a38d198580e7df2cb95fe5ce2e48e167b405c5b9f9b976f3bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eed8f7c89ed6c05ee04fb77c03fc86b2

SHA1
597f5989ad6f0c32a6b7cf6a772102de506d736f

SHA256
87caff20eceeef6d63387b3c1dcb4e074a2ea45d33832a6f5fd78b9fb13ebd63

SHA512
2b26f57d8318514b03a6a7bac6b8c6196f8911da2d6e3a584dcd93f4b5d3c64da507dac62518b60044a1ecd5e3430576241c043c5da42372c6684f61768331f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
4d1751b27ffe4e0e1adbd81bfec767d9

SHA1
77e7618e93269e10875001ea531228e08c488ad7

SHA256
c7a7a95f0f18034f08cc174a102ea2a8badb6233e89edf705979d6d712ea3b8c

SHA512
7fc713c33e0cca9ac8c910526d16822d9e3b8f48afb348cb171611125f2e8e8c15693571119665d47cb0c6f295b6a5862c7ce79aa4fb56964b7fbf354e504da9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57af1c.TMP

Filesize
538B

MD5
2153b997811cb2ff79372ca04c93506f

SHA1
41ca4a1723de3bebe56c3625f173908e819b22ae

SHA256
a81e960970a18fa06fae1d3bd63abfeca9abd155f74665eb93fc10378431a62c

SHA512
5a6f2952c0a963296a0f98c3a244da8f1d08a3c4300898b5811aa5f0f7b7bff215c7c011ff417e67a7e326a05da74b95a85f080b53b42fa4b73d6260546f4811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eab843d63c9866cdb0900f4862ad98af

SHA1
a0d71e08f2ae19f99c8e2fd96d867c9886348814

SHA256
719d82ed7da5644fa8dd90a5d369d14d6d26367cc5711f4a9b27b18c4d48be5e

SHA512
be69319a5d9a6c0aa149c664dc184e9911740549243367231da4b35105b9e3544e810b7133bd441567aa5085c40ad4b07d0f9f8efebfe8a7494e5d6a06fb57a8

Download Submit