Analysis
max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-03-2024 07:27
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://go-link.ru/jzABO
Resource: win10v2004-20240226-en
General
Target: https://go-link.ru/jzABO
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (process, description, ioc):
- msedge.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid, process, hit count):
- 3004 msedge.exe (2)
- 4832 msedge.exe (2)
- 2924 identity_helper.exe (2)
- 4596 msedge.exe (4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid, process, hit count):
- 4832 msedge.exe (7)
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes (pid, process, hit count):
- 4832 msedge.exe (26)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process, hit count):
- 4832 msedge.exe (24)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid, process -> target pid, target process; 64 write events in total, distinct source/target pairs listed):
- 4832 msedge.exe -> 1792 msedge.exe
- 4832 msedge.exe -> 4040 msedge.exe
- 4832 msedge.exe -> 3004 msedge.exe
- 4832 msedge.exe -> 4492 msedge.exe
Processes
- msedge.exe (PID 4832, depth 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go-link.ru/jzABO
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- msedge.exe (PID 1792, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ffcfe0946f8,0x7ffcfe094708,0x7ffcfe094718
- msedge.exe (PID 4040, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
- msedge.exe (PID 3004, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
- msedge.exe (PID 4492, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
- msedge.exe (PID 4408, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
- msedge.exe (PID 624, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
- msedge.exe (PID 3524, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
- identity_helper.exe (PID 3880, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
- identity_helper.exe (PID 2924, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- msedge.exe (PID 976, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
- msedge.exe (PID 4200, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
- msedge.exe (PID 1648, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
- msedge.exe (PID 4432, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
- msedge.exe (PID 4596, depth 2)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,2909636659331509823,10046708103686563892,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
- CompPkgSrv.exe (PID 4420, depth 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe (PID 2264, depth 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads