hxxp://bit[.]ly/TAPSCAN

Analysis

max time kernel
107s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://bit.ly/TAPSCAN

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
5068	msedge.exe
5068	msedge.exe
5012	identity_helper.exe
5012	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4488	5068	msedge.exe	84
PID 5068 wrote to memory of 4488	5068	msedge.exe	84
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 980	5068	msedge.exe	85
PID 5068 wrote to memory of 3636	5068	msedge.exe	86
PID 5068 wrote to memory of 3636	5068	msedge.exe	86
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87
PID 5068 wrote to memory of 3816	5068	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bit.ly/TAPSCAN
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9eb0b46f8,0x7ff9eb0b4708,0x7ff9eb0b4718
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9707854969260146662,5094868630291394497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
a92313713fef5268659dc949855e2917

SHA1
093afb22d2633196d1ab6965e5cf2c9e7c604f8d

SHA256
a7a5d0a0ea7b595bff60d6012612e6bdb9a2d5ad57769053b8620b8cb6c2d011

SHA512
f31a67b156d53a4da3ee1bc27d1a76a6edc500b66a3bcac856d29f5517ff1f5e48d9a8587e880b9b2635a298b1a846b6bf07a30b21a0e0cc60858c082580db35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c544e759906bde81db4ed09274f1833d

SHA1
ee8e5870026d1617d092be7507a8349d00175e16

SHA256
cb9ddeb680168488eed0da9f9c10207839f7e3781f151300de69dc0ece488747

SHA512
66172fbe2108a3108c6064b147877eb241bd359b9f84ae82edd99b77d356fe7ec7dd8d30290842f68f05b4b5ab3865361aa6d1ba20d692b2109ef4689325b40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92ec901a22c3702df2d6d68acb19e53d

SHA1
6182ee2b9bc4dfad6b0c862eb4b04ed934d7f75c

SHA256
72d5f85cb10ddd54dc119340f163fb11d1235cb0993e5ae27b2a941f70ca49d4

SHA512
16e6aa05169bb29a8891d77b62407b0ff4562ac5e0e654beb0b69d96e373839ba8bbcf6b75deec5d338336f28beced6bc6bf634243dc527e43dc420f3e201646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6098354d4dc6dd98a6c8d13d1f97ba08

SHA1
255b5086f4852f45553e385d15c22b8e825c557e

SHA256
80d548621bb7d2b239da695561be0c7257df55822edc1af5a1896996e6c1ba55

SHA512
3d9de277b763d818bd227cf9296f0681439b56990c3534da95836566d59fd0501a736f0db9b46302ca4c10d62f92bb5149ec2023d9b3feb1cbf44d48cc5d6960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
7764d5937f6693d7c2a5d9626f5a52e9

SHA1
76fcdd5571d45ffdf91a6c5b405c6af9837d656e

SHA256
02405b811b9ef4c834bac2e59cd51bb1dcd5064c01e87c0397b072276f580eed

SHA512
67d25754114e1d679718f52ce2cd6f115467ad5babd9994666bb7f8cfc51655d1439ae16bd16740a73e8a197dc06b7a6f619da20236d8b15345b3e17d67984cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c2de.TMP

Filesize
538B

MD5
9508f12b0d40a639533533cfd7a41088

SHA1
4f52793347cb6a1119492f7f7e97a4acbd34855a

SHA256
a1ee307626081b5c67bdf3eeb26bd6e4aa167c273ceb58474b9e6f33f2fd6ec1

SHA512
064986a8f4b678cfe65492aec15f4cc6a4b64546a7bb14a2bf6bdbe1bb8b06b0f06c851d3862ef394c581ad0c307e854c18cf7cc1a9cdab5b357a93bdab3cb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5517e3545388406e6b4f9fe4f1a349a2

SHA1
152940be54230576618261327ed5a0b4bd232478

SHA256
326b1d7e17ef86f820862bd1f0c0d0444f0600ed8e278e33061411c5021acfc3

SHA512
039fa1341807d1443bfa0a296f0ff8245b9711aa2f7e2d9ffbdcad58cd2ff90f7013b3e97428ccdd5184bb53aeffe6fda489ee81f16e72cc6b4a5b2b4b738a0f

Download Submit