hxxp://google[.]com

Analysis

max time kernel
145s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
15/05/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4012	msedge.exe
4012	msedge.exe
4136	msedge.exe
4136	msedge.exe
2680	msedge.exe
2680	msedge.exe
3560	identity_helper.exe
3560	identity_helper.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe
4136	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 2944	4136	msedge.exe	80
PID 4136 wrote to memory of 2944	4136	msedge.exe	80
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4292	4136	msedge.exe	82
PID 4136 wrote to memory of 4012	4136	msedge.exe	83
PID 4136 wrote to memory of 4012	4136	msedge.exe	83
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84
PID 4136 wrote to memory of 1968	4136	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd2e2f3cb8,0x7ffd2e2f3cc8,0x7ffd2e2f3cd8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,9972651204217997970,3448432431489503968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5476 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
172a51eafe41ba74c21a471c6133c602

SHA1
d1301b9a61ae0512669173a91f6c6c83a2327a48

SHA256
72fc7436edcda1ef8d37035e73fbd400faf9bfc3c7bf438dc215828aa012b88b

SHA512
2a56f044f1b94c267b5006ef64fc5bb40e0ded4af0466374e0d26b1458137ced9b56a7c6bd7f29ad748f1983914a1846db5038f804e16d4d7091374b41a2ca49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a8950c9cb73149dea3f3729179332d9e

SHA1
7bf9efd9c0c03ff410ded3742db37dc8a8f04d92

SHA256
59f8d222104739c0a110c9b5cf44c555fe503c73280d23323ff28937acbf1201

SHA512
4648b8a0ea0c4f43233c860f15b638e0399c4d16b23ee5279ffb22be52c8721d0daa10291a555033c8dffce00a9ce7d89727114a2647710d75302222f4e9a577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b86ac75d22dff1f8f47b5a2e7c62775a

SHA1
fc41a7c2b5c252e309c1d9b54cae2c7e23c5d444

SHA256
f40987d5c9e70fbe0683b7892791d3f3f8c926c28bced74504f7da0dde208a87

SHA512
53cb49607b3532d7a74fec885322be7303ca3d7048dbbf61e176d23e2d86beae1c449e4f9d37c02358b741ae8969c5fa65efc77984937a4319348ff91f2655ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
637445d80993aac92429fa0402bbfe1a

SHA1
d9c955cfc3d02bd32067b38ffd8306407d4f9bdc

SHA256
cd03cd4832426ce934a05beb0621ebae50902768277ec732540de17fb37de032

SHA512
63fb27e0f04b3d33517031fce8f18279cf3b74fb6c09a7707a79376286ed50339721ac9aafca06f6efdc1e0821bc535bbe4fe7d77b4b374b99f452877accdfbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
01bceb4d15d1f87f91db516fe312efbb

SHA1
ff3a4de45137ca1fae6f99d51e7c3d390ac0d36a

SHA256
e47d7700bd802aa55f515cadf43d3b0f7759ef641178d6955c0c7d141164c40e

SHA512
0b52c9392d8d40edd47b66e7a81c039a0386d7a3e67b79a8bc7dc6527d1fd6a85511f56da348c366a0a2452f142e4bf94be5864624cb7e404928c0ebf5b58c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e50648ba76d3e8fe73b749b16cd6eb5

SHA1
e861e937d388093a3558436ba79f320d4f32ac43

SHA256
4f28363900e1fce1e93fab6d8844e00ed1a8c7b1a64280208a9d5942518a87e8

SHA512
a19ffda5524519b447e6f9273a3817329ad23a7455eb021b6b8b9504937a6cd77b7f5b294a503315823e0eec119c7592af2095c03d795ce9bd840c3ad71155ab

Download Submit