hxxps://www[.]microsoft[.]com/

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.microsoft.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3736	msedge.exe
3736	msedge.exe
3652	msedge.exe
3652	msedge.exe
4488	identity_helper.exe
4488	identity_helper.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 892	3652	msedge.exe	83
PID 3652 wrote to memory of 892	3652	msedge.exe	83
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 1872	3652	msedge.exe	84
PID 3652 wrote to memory of 3736	3652	msedge.exe	85
PID 3652 wrote to memory of 3736	3652	msedge.exe	85
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86
PID 3652 wrote to memory of 4708	3652	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.microsoft.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96de446f8,0x7ff96de44708,0x7ff96de44718
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4713335720894170340,13142549933995102297,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3092 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
7d023349b7720d805b02d0fd746e0fa3

SHA1
4159997b17de0cc331558ea0851ab92c819ec960

SHA256
9849f5d3382d60298c348c9b7c453c17145185eda50215949775ed3bdb6eeb9e

SHA512
0c591c429cdbbf51ba2af7d2c8a0effd419750ade56e540527c36fbd6ec87c0789103bd3ffe15c5515f13b2fcbd2ae6907e4fa635d78951161d0c15a4df61348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
de21c04b4ad6dcebbe86bcb94104f8a2

SHA1
0c2fe4e5e0a7848205ea620be23c54b7de85565a

SHA256
6b559d7b0dfe001629cc75a428625d86c6eab20374e1894203523317e9fc3536

SHA512
eb4fe2b590b2ee5c39347ef6646ae2d26d650e969864d053ffc696f4b4ee0a5754de9bc8fe011d669783fab5d9aa6fb6e57af825d8e6afadf2c6841fde4eb39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8adfb7927ea998e92963c5f773512d62

SHA1
82385d36a6c129bb9018436b3580aa8eada32769

SHA256
6bdccad45f09ab0c2ca8aa7b14b2d6f29a0b69e2fb38d9f58d4887271154ceed

SHA512
da1941a79eca7e1c45b0dcb22b2ab9eeef8eb52fe39560c327090289bb575be7c9bc5494f6fc9f833d1473092cd7fb24e1ae839998917b29b07eda9ce73034b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47f33726d268013aeb8113793e756615

SHA1
b538d326cffe6fdbbec224c933e04bcf96a14a09

SHA256
6d1eb78a8ab8fed2f4f1c47cfb153684e45bc0aa53dae483b14a6f368c69a9ce

SHA512
5281ad2b2e5059903648949c6f8134d6b9f5bdfff61d2e29340b55ab56d9092ff21b0bf2bbd63a2a199e536493aad3b658e5b3f5f814a964c9599e2ac83447a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cb959cb17463c4960836a8ded5451b71

SHA1
b9beab94777d50ddd36d48a781b29606493cb802

SHA256
c46fb0b9c5448afbdceb37afeafe6d2f4d00c149bad9c8f1672346d8814e8a48

SHA512
8448d11c6310c95e762735b6f2e860b3e3b10c663e5b2c7873d9b568840f086a763096bfb18ba80601575ec5e4fef63a77eb3bdac8a942a16c4a44e01610bb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4ed84f6913e96904b404a119c2fd6998

SHA1
832a4d561aa36c64cb9844eee89fd9fe7cd5c39e

SHA256
a05617eeb1de1a5a358e06d11867ed2b9fd70ffef46b5d8aa92101fddac6073f

SHA512
4ab9de0a2c9adb90dae13244e94dc478c0e77d1e86f0958ef74097351f51244a8c6a7b01a22852be3703059608476efe3844969896e92d0689255f9b53bd7ba3

Download Submit