2a743b1540bfc7ba676fb9ff51fac848e0d84a1f991519b86d5adf78644c4056

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upload/feedback/language/index.htm
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4256	msedge.exe
4256	msedge.exe
4020	msedge.exe
4020	msedge.exe
1016	identity_helper.exe
1016	identity_helper.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4020 msedge.exe
4020 msedge.exe
4020 msedge.exe
4020 msedge.exe
4020 msedge.exe
4020 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4020 wrote to memory of 2060	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 2060	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1068	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 4256	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 4256	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe
PID 4020 wrote to memory of 1148	4020	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\upload\feedback\language\index.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce14b46f8,0x7ffce14b4708,0x7ffce14b4718
2⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
2⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:8
2⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
2⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
2⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
2⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
2⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,4667558772329673056,2327433538005799282,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3180 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
328ff8ccdc7186287553e2ce1c468608

SHA1
4afd56217f3d8a9db9e0e61788e469860af2fd62

SHA256
206e269a350ee78d01834f42dec526a56c12be0627a2ceeec4e9c0d2a8d5d59a

SHA512
c352835edfad1f3c286e4fec50b2883fedf01e2b0405374a37489c4b0a7a55b07039b96440af8fc3a0ed19c92d1c2db57d451f7826ad3acfa4fe6f64ad2ec112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
acdafb07bee4f257aacce62d5480edd4

SHA1
998865cdef5f12c167b6b2d8f16c7075b2109018

SHA256
37a94ba2314571ee80265c46b54557979c906c7766696949528c249d858469c7

SHA512
d32a9e92c689eb437ff08e7e6f1a6783ca88388b79ac4959551566572970970aacfd6ec54d202aa277e97ab0c44bc5cd45a83f4b9ed40a03a514f55a9d4b44da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d97a40be5a66ca0ed643dc828fa6675f

SHA1
b25b5e8b4075b81b7c1f7fd51f08fb6d184e5fe5

SHA256
b71dcdbb454b627d82d0d4aa3f7018907a4d2d6b89a5aa4d3fc9453beba59dbf

SHA512
ff08752907819850f6260e6214b118ef695176970a46538560974f9dd24ca83e8539aa4fd8e5a2ae2367c545417c8d3469c33830fd81d5090191bc9c618520c6

Download Submit
\??\pipe\LOCAL\crashpad_4020_JPPZPSCXVDJQXXPB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit