hxxps://bgp[.]tools/as/4837#prefixes

Analysis

max time kernel
259s
max time network
276s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bgp.tools/as/4837#prefixes

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3124	msedge.exe
3124	msedge.exe
2552	msedge.exe
2552	msedge.exe
4408	identity_helper.exe
4408	identity_helper.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe
2552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2064	2552	msedge.exe	83
PID 2552 wrote to memory of 2064	2552	msedge.exe	83
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 4924	2552	msedge.exe	84
PID 2552 wrote to memory of 3124	2552	msedge.exe	85
PID 2552 wrote to memory of 3124	2552	msedge.exe	85
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86
PID 2552 wrote to memory of 2292	2552	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bgp.tools/as/4837#prefixes
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8314946f8,0x7ff831494708,0x7ff831494718
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14327443109302427365,14075077658207232768,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
b68fefa1c284a139b4a1b4ebd70833c3

SHA1
f0700d61a4d85d0b0b64c608aa7f8f6dd3fc3656

SHA256
a878c27b8d1d2c1fe09e5ff74e58570da28bac6c69d241067770fda443c578f4

SHA512
548b8b6720471d4dd337eaec817256cf4ce0b78b02a52780fbdf917ca7bd58b5d6f4e07d093cb606de2e0d3d41061b87c26035241392b79c4a67224adeb9d158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
177B

MD5
18ade3824844eb976d5b75c0489155ca

SHA1
d43b11f69f20adb4352e78cc89fd6dfbb04c19ec

SHA256
1d7a868b380aaf275c400493624464df51403daef2f56a2ff7fc510f1b18d9ca

SHA512
41a63a1867e00b2f2b67d835b9beca88cd26852e9f7173df2091b061be514075d00088f7b7749b5c265df8032a3c1c8b701696b096796de322bb6e4ea3141343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b1237e9ed7e9d714acf5cf3c831ae3b2

SHA1
ea1824700523c2c9fbbb4b9acf61812b7a22fc60

SHA256
e06d00d3a61f7c525dd93db62820b496e94a13ae4c61cddc16bcab0c2b5abee6

SHA512
60135e4b3571909505af17bda5f577649a539f8d3acb4796d713fbce3020e84552d836b1238ef2a90e096e90736dace9d05134504228be4053690904cfe2a512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32d077c972a8a610e81fc1af6fbde8b7

SHA1
bcc540b5d6111a8eab6aa916633f8e3de23a2117

SHA256
e4fae230e2f899e4369d93a1fa578e59b3aa2527004ae010d09646463b817a74

SHA512
99c9390295f996d0ab4eff5b8eb1033efdd393d764ac3366b57efd30da3335bdce3b3c08f87df969b5327368f1c766e4a6d14a80d5ab6e3be12279cbae99a5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
75315a96d82b27f288164a5b3c907c18

SHA1
1a40db244e56c5be5b38a0c448ce8806af2a4c39

SHA256
56d029ba99df5bd7bef31e669e3e341eb41892a51e058bb05a08a95e7c0d4c52

SHA512
cf55ce2c5a98c5b0c39a107e4dc3a462a876588e62e4a503e826dcef6579e1d71e1292bccf34ad8816cf5415571ef961f26195d1d2097dd681706aef0e850669

Download Submit