Analysis
-
max time kernel: 1680s
max time network: 1685s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-06-2024 13:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://google.com
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: https://google.com
  Resource: win10-20240611-en
Behavioral task: behavioral3
  Sample: https://google.com
  Resource: win10v2004-20240508-en
Behavioral task: behavioral4
  Sample: https://google.com
  Resource: win11-20240508-en
Behavioral task: behavioral5
  Sample: https://google.com
  Resource: macos-20240611-en
General
-
Target: https://google.com
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc                                                                  process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid   process              rows
4436  msedge.exe           2
3668  msedge.exe           2
2668  msedge.exe           2
1952  identity_helper.exe  2
3168  msedge.exe           4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid   process     rows
3668  msedge.exe  7
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid   process     rows
3668  msedge.exe  25
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
pid   process     rows
3668  msedge.exe  12
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process     target process  rows
PID 3668 wrote to memory of 4644  3668  msedge.exe  msedge.exe      2
PID 3668 wrote to memory of 1976  3668  msedge.exe  msedge.exe      40
PID 3668 wrote to memory of 4436  3668  msedge.exe  msedge.exe      2
PID 3668 wrote to memory of 4420  3668  msedge.exe  msedge.exe      20
Processes
-
msedge.exe (PID 3668)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  -
  msedge.exe (PID 4644, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a6713cb8,0x7ff9a6713cc8,0x7ff9a6713cd8
  -
  msedge.exe (PID 1976, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  -
  msedge.exe (PID 4436, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  -
  msedge.exe (PID 4420, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  -
  msedge.exe (PID 752, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  -
  msedge.exe (PID 4872, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  -
  msedge.exe (PID 3956, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  -
  msedge.exe (PID 2752, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  -
  msedge.exe (PID 4300, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  -
  msedge.exe (PID 1988, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  -
  msedge.exe (PID 4588, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  -
  msedge.exe (PID 2668, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  -
  identity_helper.exe (PID 1952, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  -
  msedge.exe (PID 3168, child of PID 3668)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10812080808341420172,16909135189437246505,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5792 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
-
CompPkgSrv.exe (PID 688)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
-
CompPkgSrv.exe (PID 4112)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 6876cbd342d4d6b236f44f52c50f780f
SHA1: a215cf6a499bfb67a3266d211844ec4c82128d83
SHA256: ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e
SHA512: dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: c1c7e2f451eb3836d23007799bc21d5f
SHA1: 11a25f6055210aa7f99d77346b0d4f1dc123ce79
SHA256: 429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800
SHA512: 2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 216B
MD5: dffec34659acb26592727fd9477df238
SHA1: 19ce392e89324bf5e766545ecf2725a390bcff78
SHA256: 123a7dc2a2b3abc8d9a6be66423fbf1aec0044a787391d8577b4cd3fc3086f48
SHA512: 2b5f884d1a36a15ef5993e6d182a41fdfb15bfc44d1155fc43607218ce0a4f62df16e58708364aa53f3dc6bf934c2877bffe658f43fcdddaedcc19ac04b26cfc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: f7c5660834663b4c5be1f9104762177e
SHA1: 551e5615da370a83089992d4631bc43ecebf0179
SHA256: ed8e49f4d91943528038397fbecad13cc2e21a56cbb1f55b0a558d36a7387986
SHA512: 86bb1c7db75e17755843fe85893fdb0e7a70895696737eab419cd07cb5b390b223792bfc90d9d407a98f2f465e2e6e56ad5c87b541e521e2f82941e681a0a7ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 813ff09240039bb2e40a18b3bf271dbd
SHA1: fd3fa35da945b87a5ac4f4f833921c9adede5232
SHA256: 5db361c93be338d6cd1326233ef429978e7630bf4db1e980168fee4c996094a1
SHA512: 275de9dbdacf32bdde6569022dde70c8529b1070bd57d75171917234fb2c9c94adc83b9333235f372f3c2f8c349d9d05cc26f49d07050df85bb7ee8868b5a21e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 70c63101b190fb7cd763e239af72b7b2
SHA1: ee70f8950ec466c870c6bb684f4906dab6053a05
SHA256: c5a9754418047046ff0db9e380344b5a1d690d78945c275b6c8fc3342001f866
SHA512: 15e22a5daba2ab5fc55ffd6225f9c0ac08d8b2c1aa37e42efaa826b92eaa1bb0a2722f65d07e2f139ab26cf24600562438c01df45de809d0d71a732f9c4175c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 2404193311d18308763ec1d2110c3c49
SHA1: 94c2d3c6f2f65ef6c89ed64c1a9a706724454946
SHA256: aea27e1a7931f2c58b144a0ac861c821c1ed2189ebd15294236f2b6e0f228a4f
SHA512: 792824504dd1961fd963f00786ded80757858947bc9c4ddabb7475982c8328464ea2ea195dd04f8a189e0f0965471c4e0b44b33febda93aed9ad54af8bd1e0cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 10KB
MD5: c17bae877dbd73ec9fb67645e653bd29
SHA1: 9214549223e0f97f151a0fd5bc9b46e7874d5277
SHA256: 8f36108f0cb7948cb861f5e88460971f590a6d600c3ff0ea351f465e4583b090
SHA512: 7fba3af0cb6d878d523527fdb706f39349392b869b53fe2919640d1ecbfd7f61d4210ae36f23c9b29c014d60a70cecd920f39cad38766816693414f8f9c2dbe6
-
\??\pipe\LOCAL\crashpad_3668_RODWYKKVAEDVIZNX
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e