71916efd98ebad32e60025ebb48cbc3bb8556d60a82260143580fa2b3f90c72c

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Data/register-en-US.htm
Size

7KB
MD5

7f5cc2de62d3cfded6df11c12ba29bef
SHA1

794d28fb01c64307ffb4d11cdb5f0e5ade25764a
SHA256

c98dacf548332f440e75e3fd419c19faf2ff66d4cfae453e9afc9e2a944e2889
SHA512

42fa96d52762eb5c2e8c94c392bcef08f56c5ce8dec0960f9847a7bce1a36073386c4646311c55cf2e0a96b773c0c99794e6cee64fce4795bf27d7c652fbe5f9
SSDEEP

192:wQF/w/oV90Wz6vODX0vh9epP6836mY2efYGqJfgTauvUrFcJB:/LBf6FyCT/OFcJB

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
1996	msedge.exe
1996	msedge.exe
3060	identity_helper.exe
3060	identity_helper.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe
1996	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4800	1996	msedge.exe	82
PID 1996 wrote to memory of 4800	1996	msedge.exe	82
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 3484	1996	msedge.exe	83
PID 1996 wrote to memory of 2180	1996	msedge.exe	84
PID 1996 wrote to memory of 2180	1996	msedge.exe	84
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85
PID 1996 wrote to memory of 3612	1996	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Data\register-en-US.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebdd546f8,0x7ffebdd54708,0x7ffebdd54718
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1439163891784962659,15511014757100782972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2940 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
89df6926ab0405a03ea139b14b6bd310

SHA1
d929dfd35aac96f7160dcca75d8c57fc5aacf6ef

SHA256
110fd46a962e97981f0f98d8675a11358ee81566eb647c61d45123771b023aeb

SHA512
11cec3e41b3eddafe3d237dde452731a159f7b280f987a5dc63abc06a464711ae920a9ce6fe25e2f54a7a408fe5be5f1ea338d7a10026f9e59c00b977037aef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e42dc8bb8cede1a666675d8956652c1

SHA1
4326a72b4f94630b3d3d49131746976d3f2b0f60

SHA256
7650a3cd9a80c95d69ee03a76fef826490366d31946251cfd291d5cb012ce0e3

SHA512
86862edf7f13d02a3733265d26d76bfb8a7cea59e0034034b5a4be401de5a356f91d61285a57df24f2706ac274f834211b4b2652ccf555961d8d597d1918aecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8fc7333dd62a6508202309befb47b4ce

SHA1
42c16e8979c63618ae0d5e149918ea33afd0fa79

SHA256
a87608f8e4b14404ad0da7d12bd026d284e240708959ea865b32bc9b95518c85

SHA512
26ca66b0f780b3992659ea90d8a66bf057f12cbc2f18be5df73302ef11f2c57e0eabba18970c28c90d3f58f5b40b78ec490339771b174e2fff422c4a94064c4f

Download Submit