Analysis
max time kernel: 186s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-03-2024 12:45
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://runescape-pmod.webchars.com
Resource: win10v2004-20240226-en
General
Target: http://runescape-pmod.webchars.com
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description        | ioc                                                                      | process
Key opened         | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       | msedge.exe
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    | msedge.exe
Key value queried  | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     | msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
pid   | process
4112  | msedge.exe (2 rows)
820   | msedge.exe (2 rows)
4376  | identity_helper.exe (2 rows)
4080  | msedge.exe (4 rows)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes: msedge.exe
pid   | process
820   | msedge.exe (7 identical rows)
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes: msedge.exe
pid   | process
820   | msedge.exe (26 identical rows)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
pid   | process
820   | msedge.exe (24 identical rows)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
description                      | pid  | process     | target process
PID 820 wrote to memory of 4624  | 820  | msedge.exe  | msedge.exe (2 rows)
PID 820 wrote to memory of 1232  | 820  | msedge.exe  | msedge.exe (repeated rows)
PID 820 wrote to memory of 4112  | 820  | msedge.exe  | msedge.exe (2 rows)
PID 820 wrote to memory of 4088  | 820  | msedge.exe  | msedge.exe (repeated rows)
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://runescape-pmod.webchars.com
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb68746f8,0x7ffcb6874708,0x7ffcb6874718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,3264240007962360975,15356463775325490779,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5936 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 7740a919423ddc469647f8fdd981324d
SHA1: c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256: bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA512: 7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 9f44d6f922f830d04d7463189045a5a3
SHA1: 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA256: 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA512: 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 0c2f328c8d8538fd98036fc918efee2d
SHA1: a29a2f89cd47513c5647f5ec1c45093cce32107e
SHA256: c3c10d628762c6b1986e112088741a05b33a608ee2b314e4f6d08c8912dc458f
SHA512: 8b647ad3e1e593ffc45ba1b21d1d7c33c2713524117d319d672e69c752a8b4297a5fc6e11d919f957d651c15e2a991c439c7425406d60e384304107ad59fd8a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 05f58adc71c4da1857461449cac5668c
SHA1: f4dde3fc518bdf6c010b25c4e1d145c7952b87e3
SHA256: 4bf60800257ba82f6e755177ea9914a52aa02358cf5f53851efd13eb2ad96104
SHA512: 326705a88fdd16e2feaed7edf8969798cd0983c2afb062bde83487b43539db04ba1078e47143a6c58b6018a96d22b20e163dee321adac670307cc978d9d95507
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 9e895bbb5271e1f34f86cdbbcd22da3a
SHA1: f5ca3ae25ddd9c10375132cff885f4d6f5b2aab5
SHA256: b00356bf86e2b9d08e2149db62ecdba74772824d2938f67d859d7d891bcd9599
SHA512: 7e30825a6019179f96005ce8b856e2a6c5e3512679b58c11f90d8a8165d8af7fbcb9e68426aae02c257fdcbd910509e7c887955223c0dc58e4cc5cf6172b2946
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 2401c2f754cb6d93a8acf235f6cfd2ba
SHA1: c15022b5823fe065ed044898926bb74c905d23e7
SHA256: db3d4a225e915245fa5e0f58c705cb9a2f46a5cab453e3d694e06c6a7e05cae6
SHA512: 68647f349c7c2c773d211a6eaad5d0a768761e647475ccc86997b798b41caaf8dea253a1966eb1160d620ccccfbf8a37edd2f57207bae040fd69c9a8d9520cbf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 80a4ca9ec01bf2a0357a033379e33289
SHA1: 21dab98c820e9ea11ce7560487336b7287e9793e
SHA256: fc8505e91672c4968d6743352f664180ddd25cffd5df77357a15fec0ab31d750
SHA512: a691920020927a0b393c907fa6fdec571130f36131826051579e1f6abe955d1322f3940f7ae4d315d32ace5ac1bdb770f54a28f75c16d2d9887dc301a69d05c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: 4c550ff4a8f8d6ffca12159db9a815c1
SHA1: 9bc40fd24f2a4beb31221ab0e1236b41ded06a56
SHA256: 27488ef32c5fa2435802c16ffb8cd4401758c97b2ada38c5c09154b09fee4610
SHA512: 2312aa5207e5e8cc587cae3846479ebe7d79273aca7f7af3f1d4e6d628fce54700dcf315277c43355f5418485356d2085c65cef583391d45d10f3956f28def1b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
\??\pipe\LOCAL\crashpad_820_UBREVEPOBTUDGPGJ
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e