Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2024, 08:11

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://auth-bool.formstack.com/forms/swe
  Resource: win10v2004-20240226-en

General

Target: https://auth-bool.formstack.com/forms/swe
Malware Config

Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)

  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)

  pid   Process              rows
  4956  msedge.exe           2
  2964  msedge.exe           2
  1360  identity_helper.exe  2
  1152  msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)

  pid   Process     rows
  2964  msedge.exe  9

Suspicious use of FindShellTrayWindow (25 IoCs)

  pid   Process     rows
  2964  msedge.exe  25

Suspicious use of SendNotifyMessage (24 IoCs)

  pid   Process     rows
  2964  msedge.exe  24

Suspicious use of WriteProcessMemory (64 IoCs)

  description                       pid   Process     procid_target
  PID 2964 wrote to memory of 3284  2964  msedge.exe  84
  PID 2964 wrote to memory of 2712  2964  msedge.exe  85
  PID 2964 wrote to memory of 4956  2964  msedge.exe  86
  PID 2964 wrote to memory of 2160  2964  msedge.exe  87

  The report lists 64 rows for this signature, all repeats of the four writer/target pairs above (2 rows each for targets 3284 and 4956, the remaining 60 split between 2712 and 2160); the table is collapsed to one row per target. Every writer is the browser process (PID 2964) and every target is one of its own child processes in the tree below.
Processes

Child processes (⤵) are indented under the process that spawned them.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://auth-bool.formstack.com/forms/swe
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2964

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbcc146f8,0x7ffcbcc14708,0x7ffcbcc14718
    PID: 3284

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
    PID: 2712

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 4956

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    PID: 2160

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    PID: 3720

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    PID: 3572

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    PID: 4732

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
    PID: 1812

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    PID: 1168

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 /prefetch:8
    PID: 2484

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 1360

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    PID: 1640

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
    PID: 2024

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    PID: 4488

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
    PID: 4328

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2416 /prefetch:8
    PID: 3112

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3040 /prefetch:8
    PID: 460

  ⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,10536006322751649103,12018747170916159678,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 1152

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4636

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4768
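Reading the tree above: every WriteProcessMemory row has the browser process (PID 2964) as the writer and one of its own freshly spawned children as the target, which is consistent with Chromium's sandbox broker initialising a child it has just created rather than with injection into a foreign process. What deserves a second look in a report of this shape is a write whose target is not a child of the writer, and children launched with the sandbox switched off (`--service-sandbox-type=none`, `--disable-gpu-sandbox`), both of which can be read straight off the command lines. The script below is an added example, not part of the sandbox report or of any vendor tooling: it rebuilds the parent/child relationships from the depth digit the report prints before ⤵, labels the four distinct writer/target pairs from the WriteProcessMemory table, and lists the children that run unsandboxed. The process list and the write pairs are transcribed from this page (command lines shortened to the switches the script reads); the `launch`/`review` labels and the unsandboxed rule are the example's own heuristics, not signatures from the report.

```python
import re
from collections import Counter

# Constructed input, transcribed from the report's Processes section:
# (depth, pid, image, shortened command line). depth is the digit the report
# prints before the ⤵ arrow: 1 = tree root, 2 = child of the last depth-1 process.
FTH = "--field-trial-handle=2244,10536006322751649103,12018747170916159678,131072"
PROCESSES = [
    (1, 2964, "msedge.exe", "--single-argument https://auth-bool.formstack.com/forms/swe"),
    (2, 3284, "msedge.exe", "--type=crashpad-handler /prefetch:7"),
    (2, 2712, "msedge.exe", f"--type=gpu-process {FTH} /prefetch:2"),
    (2, 4956, "msedge.exe", f"--type=utility --utility-sub-type=network.mojom.NetworkService {FTH} --service-sandbox-type=none /prefetch:3"),
    (2, 2160, "msedge.exe", f"--type=utility --utility-sub-type=storage.mojom.StorageService {FTH} --service-sandbox-type=utility /prefetch:8"),
    (2, 3720, "msedge.exe", f"--type=renderer {FTH} --renderer-client-id=6 /prefetch:1"),
    (2, 3572, "msedge.exe", f"--type=renderer {FTH} --renderer-client-id=5 /prefetch:1"),
    (2, 4732, "msedge.exe", f"--type=renderer {FTH} --renderer-client-id=7 /prefetch:1"),
    (2, 1812, "msedge.exe", f"--type=renderer {FTH} --renderer-client-id=8 /prefetch:1"),
    (2, 1168, "msedge.exe", f"--type=renderer {FTH} --renderer-client-id=9 /prefetch:1"),
    (2, 2484, "identity_helper.exe", f"--type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService {FTH} --service-sandbox-type=none /prefetch:8"),
    (2, 1360, "identity_helper.exe", f"--type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService {FTH} --service-sandbox-type=none /prefetch:8"),
    (2, 1640, "msedge.exe", f"--type=renderer {FTH} --renderer-client-id=11 /prefetch:1"),
    (2, 2024, "msedge.exe", f"--type=renderer {FTH} --instant-process --renderer-client-id=12 /prefetch:1"),
    (2, 4488, "msedge.exe", f"--type=renderer {FTH} --renderer-client-id=13 /prefetch:1"),
    (2, 4328, "msedge.exe", f"--type=renderer {FTH} --instant-process --renderer-client-id=14 /prefetch:1"),
    (2, 3112, "msedge.exe", f"--type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager {FTH} --service-sandbox-type=collections /prefetch:8"),
    (2, 460, "msedge.exe", f"--type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager {FTH} --service-sandbox-type=collections /prefetch:8"),
    (2, 1152, "msedge.exe", f"--type=gpu-process {FTH} --disable-gpu-sandbox --use-gl=disabled /prefetch:2"),
    (1, 4636, "CompPkgSrv.exe", "-Embedding"),
    (1, 4768, "CompPkgSrv.exe", "-Embedding"),
]

# Distinct (writer, target) pairs from the report's WriteProcessMemory table;
# its 64 rows are repeats of these four.
WRITES = [(2964, 3284), (2964, 2712), (2964, 4956), (2964, 2160)]

_FLAG = re.compile(r"--(type|utility-sub-type|service-sandbox-type)=(\S+)")


def build_parents(processes):
    """Map pid -> parent pid using the depth column; tree roots map to None."""
    parents, stack = {}, []
    for depth, pid, _image, _cmd in processes:
        del stack[depth - 1:]              # keep only ancestors shallower than this entry
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def flags(cmdline):
    """Extract the Chromium switches that identify a child's role and sandbox."""
    return dict(_FLAG.findall(cmdline))


def role(image, cmdline):
    """'browser' for the main Edge process, type[/sub-type] for children, image otherwise."""
    f = flags(cmdline)
    if "type" not in f:
        return "browser" if image == "msedge.exe" else "other/" + image
    sub = f.get("utility-sub-type")
    return f["type"] + ("/" + sub if sub else "")


def classify_writes(writes, processes):
    """Label each WriteProcessMemory pair (heuristic, not a report signature).

    'launch': the writer is the browser process and the target is its own
    child, consistent with Chromium's sandbox broker initialising a child it
    has just created. Anything else is 'review'.
    """
    parents = build_parents(processes)
    info = {pid: (image, cmd) for _d, pid, image, cmd in processes}
    labels = {}
    for writer, target in writes:
        writer_is_browser = writer in info and role(*info[writer]) == "browser"
        labels[(writer, target)] = (
            "launch" if writer_is_browser and parents.get(target) == writer else "review"
        )
    return labels


def unsandboxed(processes):
    """PIDs whose switches run them outside the Chromium sandbox."""
    return [pid for _d, pid, _img, cmd in processes
            if flags(cmd).get("service-sandbox-type") == "none"
            or "--disable-gpu-sandbox" in cmd.split()]


def summarize(processes=PROCESSES, writes=WRITES):
    """Role histogram, write classification and unsandboxed children in one dict."""
    return {
        "roles": Counter(role(img, cmd) for _d, _p, img, cmd in processes),
        "writes": classify_writes(writes, processes),
        "unsandboxed": unsandboxed(processes),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {dict(value) if isinstance(value, dict) else value}")
```

Run stand-alone against this page's data it reports 9 renderer and 2 GPU processes, labels all four write pairs `launch`, and lists PIDs 4956, 2484, 1360 and 1152 as unsandboxed (the network service and both identity_helper instances via `--service-sandbox-type=none`, the second GPU process via `--disable-gpu-sandbox`). Whether an unsandboxed network service is acceptable depends on the browser version's defaults; the script only surfaces it so the analyst can decide.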
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 36bb45cb1262fcfcab1e3e7960784eaa
SHA1: ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA256: 7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA512: 02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Filesize: 152B
MD5: 1e3dc6a82a2cb341f7c9feeaf53f466f
SHA1: 915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256: a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA512: 0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Filesize: 57KB
MD5: 347c0bf6e03fd189b460bd8d4bf38489
SHA1: 31db18f36584daf9f7883b62557db117013b32df
SHA256: 22de52de07468aaf542c760d4c3deb447493d76304e58cd616c046cfd1852c63
SHA512: 7cbec5fa8182eab35cad8ce8cb4e2c370cf458664d02a07feb77ba23175040da7a0c608e979787ade6b3e0d6ba6405d758de2fc53c2b54cc2454acf37bece84f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 312B
MD5: 830acf9bff6dfc7683b762bd542b5f9c
SHA1: 68c3cb13d2370d13bdc3c16d9d8e3e6c40674947
SHA256: 3ef954c107613798070df9e62b901a941dbcd3fbf7d892400e7972fcc3906262
SHA512: 931fd55f327e8503d23ec5a26d91184e3c52fa7e368a13f9b11e4e86e45aa7d79528d1081a23aa4fa0aa3b548ba5ed800105b9f341b60ca547004451e91b5c8a

Filesize: 1KB
MD5: 75ab1a04c726fb0535bd7829c0820734
SHA1: 518ca67107d7638851bebe9f80f59f01607271ac
SHA256: a10c49e1e1f80059067c440325b244a18bff5887769c826dbab5fe827c09634b
SHA512: 54c824e3c3895e3fc26ba2e7ad9c78150ba3ee26ca1e3624a0f6c60803be4552c346334f9d9a1046f144169afed04cbebe199c483900bef38a451e354c500aac

Filesize: 6KB
MD5: 735591fd53a920696ef1090aa35cce19
SHA1: d6a4c294ec959e2c9a674a691c220fbf723f4722
SHA256: 48bc37b8bc41f0d8d847b199f29a593087c0f96dc3e6ad7281bd3e9bd575f47d
SHA512: 69578b5dd4eb1e440b27087f2123775a4a3057b8d2a3406ad549a7b0fc7ff5affcf9ef6f9f80dc6e075928372b1169383d9b3619fa1361b551b75a8374398582

Filesize: 6KB
MD5: f1d04f81cad34a9e92394a235ee6af3e
SHA1: a65971f21488e39683d0c7a1c3188aed17c8cada
SHA256: 5e75969b429140a768b1d9b6ca7b817f4e395d656a7941647a6606925f28e15a
SHA512: e7ba7de7aaad4bcab70d4af5a507447579876c1aefb711d753f814042d3315fa8942f52d2e8573f27aa8266542397b8a4ac506d6ff76f1cc4e0caba069a10f14

Filesize: 6KB
MD5: b5ddba4e43aba62c3e3c2ab882d91fa1
SHA1: 077ae5cfb39b641f593155c32dfe439eced09c4c
SHA256: 6c03bf5918bde61e8728f00e009fd34e47aaab45eb0cdd0cbadf372b12dc18d0
SHA512: bda285f5d825286b7bdd700d64321a2f869cb4581012bcff86a236024fb26204e55340f3c531c0eaa53a9b2c665f26d1fc0a6847ddedf2f02568227ad83a9f58

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 6b7428f60ab9672d0a0d499179779740
SHA1: 82e0101721f54ae6069e175c56ee6004f4090465
SHA256: c2c726073858fe813fed69dc990474a146affb02497a77b196adce580b3258e9
SHA512: ae8416b286d0b241aef21096ef1b7b1353d1f32bc42a8edbf848bf5d8a437252d05282b6e76c67eed25eba0d496133a0fd3ffe217d65198f92e4288e7f697a82