hxxps://www[.]espc2024e[.]com/home[.]html?in=g-1xwoC9E3QbKgwP0kTFE5j16CeFKLpzROYTDUTX6NRt29T_9TWRi1twkmbNsSAx&cid=mJWL-DGlAooPmfBR2FPc2A

Analysis

max time kernel
106s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
09-09-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.espc2024e.com/home.html?in=g-1xwoC9E3QbKgwP0kTFE5j16CeFKLpzROYTDUTX6NRt29T_9TWRi1twkmbNsSAx&cid=mJWL-DGlAooPmfBR2FPc2A

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
644	msedge.exe
644	msedge.exe
2604	identity_helper.exe
2604	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 1560	644	msedge.exe	85
PID 644 wrote to memory of 1560	644	msedge.exe	85
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 4044	644	msedge.exe	86
PID 644 wrote to memory of 3152	644	msedge.exe	87
PID 644 wrote to memory of 3152	644	msedge.exe	87
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88
PID 644 wrote to memory of 412	644	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.espc2024e.com/home.html?in=g-1xwoC9E3QbKgwP0kTFE5j16CeFKLpzROYTDUTX6NRt29T_9TWRi1twkmbNsSAx&cid=mJWL-DGlAooPmfBR2FPc2A
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff910ff46f8,0x7ff910ff4708,0x7ff910ff4718
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10370210285684301117,4769665088032741792,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\21ad3e3e-2124-4016-8458-54a06952bb65.tmp

Filesize
1KB

MD5
58c5770f26e8b03c4095fe730ac043f5

SHA1
03b8701c526056da6f352de7e3efe343312cef51

SHA256
2f483b47b8ee640f13b8a13936e481216913f52754e85bd96f1ab5cec8806ab6

SHA512
a0bba17e6314e36e374cb1736359ef9ae3af32669c1d7d410ea437c2e9b6ccf0b81a56c824ebc0804b8a99bcc8076275eea1ac5ffbdf7b01bb4dce641e257b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
a41f50341d11385b62830b22face1b23

SHA1
70b3134325beda42e7ff25e35fd1fe2f12653dfc

SHA256
972b8cfd467cf84110bcdf49e6332ed2a7a5be021a0751ad365c6d381724b57b

SHA512
0441b40478019ee5bd186276548e0129776113bb88a37cf2a15987a9d1db11330043c21ccf093bdaacb2ea795d69b388bc1fb070a2b83abe065fb033d7e04294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3f46897f466128304e88faffa963cc5f

SHA1
56bc1a5c995b5775e84705d5247bd3f433ea8e1c

SHA256
4dff5bfbeba360a1d240742eefa88308f565840757d5476cb1fe971731bcdead

SHA512
35a40033203124ba16ee08b13ee536d78b6aa652685c6ec95d71bf21284d6509efdf064ebe2e574443a7fd00a1722795c41e38cb22aeadb65c70fa7c690ac50e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d7027a5c1016cd728b02f349d5c2bff8

SHA1
28590fb10b3cadff6370963bd899bda093c78b94

SHA256
a85fd8f2de5064f60093b0822d3f5c9b8956e323f853e4e8a3a1d29fece81e3e

SHA512
c2b903763430551457addd6850cf696a9cd1076285e90d8f171910998b83716ddaf5a989afdf81884780e9c1557c142ee196ea9c3422eee6ce1eecf939fb9c08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54dfadebc734fd2a560d8c9da9cab57c

SHA1
d25fc8e73ec808250820809003ab8d047fc48357

SHA256
c220a07496e5f7585956494d0dbb20308a880e8aaf785af861f403224a2ebaff

SHA512
27771880f0df6da122efb4e2dd5f6a2e5d7fb985b7f47a5be462e6b4b85015f6b644cd3a548a83fa5fa6c0fdf53e84816f7cf77915072336696465b7661d7e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
29f4a535bf697d61713be45b93ca43f8

SHA1
47b6bc3ec1324e94417287e8c9cb59b1430b7de3

SHA256
4d73239c31d80f4fa33da2ffaabde8964ea9c8d302f4c4900d6c54ccc4c94e12

SHA512
768fb51314438f9019eabd154634f8bb7af98f20ed405383ed9a528ec158f8cfed19e9e89be7c6dab5a445cc28b37f4f17807e72f6a340bcc9c54e034bde6ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59355e.TMP

Filesize
1KB

MD5
eeede396b02634ce412b8dde5c9bbc37

SHA1
c02956d0b99aa04c88154bb137c44890dee3c062

SHA256
63b8fc18417786d8d2c2a9a0e04d6f9ba152ceef9cff46d4d9045644a249085a

SHA512
793b9e57338ac28c0731c519df495a8d697f36442a027dcf0388dd6e765781ea22686eb1900cdfff1121fec1cf255f609ef972699b2527605be728961bd49a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
554cd8d793d0480e422b7e91e2b5c909

SHA1
37ef8f0ebf0fc477af14e360a114b1c26aed5ee5

SHA256
9759ecc94586e26743a3e99067f51b22dca10ad10f2fa786f30e85fa48149ab3

SHA512
91db3570f910f6f627b0df576a64f418117af4030d6284bb5866799293b3584ab1f1e9631f8e1b4e20f0722f5695bdd25635fbd2d0565543e3802733bec8c191

Download Submit