hxxps://fmzent[.]com/li/ZGF2aWRfc2Fsdm9AZXVyb3AtYXNzaXN0YW5jZS5lcw==

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fmzent.com/li/ZGF2aWRfc2Fsdm9AZXVyb3AtYXNzaXN0YW5jZS5lcw==

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
1316	msedge.exe
1316	msedge.exe
2768	identity_helper.exe
2768	identity_helper.exe
5604	msedge.exe
5604	msedge.exe
5604	msedge.exe
5604	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4044	1316	msedge.exe	84
PID 1316 wrote to memory of 4044	1316	msedge.exe	84
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 1112	1316	msedge.exe	85
PID 1316 wrote to memory of 4536	1316	msedge.exe	86
PID 1316 wrote to memory of 4536	1316	msedge.exe	86
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87
PID 1316 wrote to memory of 4956	1316	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fmzent.com/li/ZGF2aWRfc2Fsdm9AZXVyb3AtYXNzaXN0YW5jZS5lcw==
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb96746f8,0x7ffcb9674708,0x7ffcb9674718
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,500006497878763854,5242093387771961203,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
62d1cb5a942999e9d67167f733bd2edb

SHA1
5a99445bda3eea4bb6cbe44c55f135203b460dfd

SHA256
5112b0a90d93f0fe924f47c99f9ab8f0595b42829800cc677e02a76d8c8096b3

SHA512
37d20139c9d0ba8deee05a891e35e52d00d7ce995bf11e9b268cd0215784e19c7f583485f3688dbacf60235c31469b26a5ddf91b8c8a48267101b9ea2679af04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
532B

MD5
76f4f666ba7528c8eaf32451d12e2d97

SHA1
cc0ed8c2212104fb3f6403a589053817ae362319

SHA256
d4e868c76f6c7d5eede0ff482c075a09e8fd45a7e610341db6b99dce7eae8741

SHA512
e37ff610935a523542132c3cb48c147c73647f35b5d6656d61dfa9c4dc7a5fcdee845985f51b8182f337dd495cdd5b6d376c3d1989fbb9142bde7613d7982fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f1cb64fec7352264dd4ac58d5aaaa83f

SHA1
18746a31b8ea5845b64b0762e632bf501fab092c

SHA256
dd86ac64319ff581cf9fa505be3058a0c9021b92e83a2a5c01647c7d631579a6

SHA512
9e55b2320cc79856078741a8b0205c878320511f13cbd40832862e1a4dcd7b8b93d4e3055de3460436ac70f26bc1eebf11ef9fc519deba014f1a8ccaded55ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
615deb8e2121ffc090416b3d90a88364

SHA1
089e5e2403f37c28a2b4ca8205c5dcb7e3b2bb1e

SHA256
84497290326e25526a25af4c0d5d12e15ab12e6bf589aa8b549b658411fdcae3

SHA512
30bc3defb34e469683c3fd9341f9e5a4e2be5a5185ae26e5ae20768475f45bee29a16cd28f0b0288dccef90327b877cc9020eaaae0dd729d6630ab58484fcecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd34699c5f4c4717b79cfec2e6414c9f

SHA1
779a2509da293fb2ee5fadbc6682e4a7a7ce5362

SHA256
38bd65fdcede449369df2eaa2e8a336da1ec4b7e29507e7843995bac94eeda64

SHA512
e9b703eccb3e805c67f7d0d81bd33ecba597459b5cde4dd83e362ace2ad1d696444af8eb717304e5b6f305d5c99dc789fd66b48d3a773d294f12d0ff2bd20204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b626ce55e9853b01a2f748c5e77b78b9

SHA1
2d16683e9ae1ae886f5a50aca2364f084d20a9f0

SHA256
ef2ae9aa2151b5607cbc15557ed7fbef6f97f2a5f8186793e44f5b3d6e1bee53

SHA512
5b662d4fe884981c6e24a23b3f114570a42fb106ec82722ecaf4879c91c5cd23b74ea2027dce17c6228e19a59e02fef9ff612a53eb17f12ad2c2706761c2b93a

Download Submit