hxxp://google[.]com

Analysis

max time kernel
1680s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
2172	msedge.exe
2172	msedge.exe
4000	identity_helper.exe
4000	identity_helper.exe
6104	msedge.exe
6104	msedge.exe
6104	msedge.exe
6104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe
2172	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1640	2172	msedge.exe	12
PID 2172 wrote to memory of 1640	2172	msedge.exe	12
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 1620	2172	msedge.exe	26
PID 2172 wrote to memory of 884	2172	msedge.exe	16
PID 2172 wrote to memory of 884	2172	msedge.exe	16
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24
PID 2172 wrote to memory of 4552	2172	msedge.exe	24

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd67a546f8,0x7ffd67a54708,0x7ffd67a54718
1⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3412064476889805271,12431156924618807802,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5680 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
caf04894b88e4c0cb24d6b8a6960c352

SHA1
0d66f6aba3860042114fbb335ae2ac1ab22be586

SHA256
2a96395fb51435679d520584cee16ce8c48722dcb8b1298c01706bd542d01e90

SHA512
229f283262fe44d0d26c1fe9900308c994d8bcd2f6f046b60e4b9ab1b82a0183c8551df213bd8062e000615f9c5177bfb7ae4c767f03e11f4f3edbb4c284b686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
977B

MD5
3a1efb9b41f10d5a3cbde2fdd8285c6e

SHA1
fff90529f4b6d9180107f17c141ead0a3001465a

SHA256
ba7fb1adc42a45d5c831ba82a1bf65c42be86e8969aaef197555ee7d8ce633d4

SHA512
5d8223961d70f5cb29731c6a663e9cb059b790b5ab509f42d353e6f30043ac9ece9253420449af61cc5425f3584b8bbbc4a91dd117dfec98875b2385b0fa7fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b4026320d09ba9ad269fcabe69ea9a93

SHA1
6c05b8019178a06c772e0e68e8208a48da7e1c2f

SHA256
d3f1575213c2b1da64f0eb76aa28a960e878ef5d457e39208b229f4303d8bcaf

SHA512
4da3aebfd4e3cc6c469ad63101379c038decea84561b54b18639dd927477e59ee40a911b65a7ad670c40a8a6a549c131255cb6bbe37917ea10e18f21c4f29696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9226b7183a1630013f6cbfcbae92f477

SHA1
fbd811fa2363cd7f57a291ff09f26279363c4b12

SHA256
f6c2862edc568905f8fde00ccef0fe70b365528a3d2884c893f4cff52e1fad7d

SHA512
75751ec62c5e0201b3a64dc6d7183747406140712f96411791e29d1019d95af63372419c3970680fd9b9a2ccfc0bc0e179c81071e50b12b021f7544bc415a506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e62a6848f50c5ca5f19380c1ea38156

SHA1
1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a

SHA256
23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488

SHA512
ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d6d02721085d47eee2ffd6717197e38a

SHA1
ba13762e162d346e56dffa6a02a7edb03491e4c9

SHA256
e9e187beaaa6ffd7283552b6b9b632e1f91c44d925fd79299a6b921ab1649ef3

SHA512
a36731bfb0188634447d00f4f00a5afba7523b5d33b25af99b0d8e05d37dc9217f8b476d20b609bd78cf1fde7b1aaf4d02016590094c3d6240ecc6f011673d90

Download Submit