hxxps://google[.]com

Analysis

max time kernel
1760s
max time network
1684s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 18:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4412	msedge.exe
4412	msedge.exe
640	msedge.exe
640	msedge.exe
1104	identity_helper.exe
1104	identity_helper.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3964	640	msedge.exe	82
PID 640 wrote to memory of 3964	640	msedge.exe	82
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 3980	640	msedge.exe	83
PID 640 wrote to memory of 4412	640	msedge.exe	84
PID 640 wrote to memory of 4412	640	msedge.exe	84
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85
PID 640 wrote to memory of 2760	640	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb884446f8,0x7ffb88444708,0x7ffb88444718
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2515200362152511764,8410164162696538701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
88ee119b1f8ebe5885652aea774a9d76

SHA1
1a647a5d0fb1021fa099cca86d26208e871c0984

SHA256
8d931b9afa8433562caade6816fd2a4088b0fc7af9dd2de5bd5fe47dbaf83c93

SHA512
f24d2eec65bb80632f689843aeccfb259a5936e694328acb6fd149a6e1b5341826cfdb702f5096df9dd79e4071d6896ac1b3e2c9189af72776bd0ad2731bd780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ec658f6363b63dad6ab6f6dd69786ac5

SHA1
e76a3854c8d2b80ef1aaa48f6a6bc0b9242664fd

SHA256
2abb2fed9305804b91fa5314a885fd982dec725a2fe209266f3ec393888c0f93

SHA512
80f2b666e63d4f8170901ecb1ff349927c6fc9b895831ebba495dfda8e26f90bb0a7dd77976284754c727df9bf946d8a94b1ed175f1661f565c879460783a068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4f00f2556a9f978a09aa446dfa0bc9e3

SHA1
7813048e7ab7488814902d8811fc6dffb89919f9

SHA256
8c9250bfcd3f204dff3c4ab1ec37e7087d72845d6feef1a0e9d04344f8ca87f5

SHA512
842927f67ff45dfd841ffd93b4cf1fd8a8a47a8b5d5c53fb6c70ddd9209ee20cd4ca259c2b7d7dd1e7eed3ba520eeb2ecd8d7a5fc6d735ce6ec009c982fbfb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0dba69a887a2a700199d9a4ff58df193

SHA1
bac9bb9d21688ca8b4f7d25635a5e21b28393acd

SHA256
32260af89811522b135101686085b0fc0684e7e5e5657cfa019ca8bd04ce5b76

SHA512
bd1ba33c8f5e34f678528e06caeb96b50a472b66b375abd70975ffc3ec7b353626d6478911d7afd7e131e204a41acf98126173a103fb2e5a433de2c7fb574a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5dc51685d20e234001e7ca4f93d4b686

SHA1
1418ddf569cc9ac4f1ffaeb9cfcff179355a3dbc

SHA256
4687a2c1cf5b029bbe81b2e7d9abb129b9a4b94117a5946766fc58af90d6b47b

SHA512
55ead3f65e20597c3aab8cd12c432aef54ef340e7bb9a0f7c9bb2b0c0bb7bce30ec0782381e02019d0feae6a6079e79046e3019f0d61c9ff34282e611cf6ad00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6cf05451ff8b593bb991bbe9ed236157

SHA1
72815f86cad4f6b7ede7949ae75c9f778c8c185d

SHA256
339faa401b910b23364e60dc6e6cd741bf94de86af9dcfc1d52dcd3d69d6736e

SHA512
d6e319306a3007111eca003786194293513a7ed4c42b5718d770d175c4348bd89504ef4004de04b1320d6efd594b36991c9c9df32478df557fd081cdf72847fb

Download Submit