hxxps://docs[.]google[.]com/drawings/d/1lcF19hyDnlhQFCdZbcgi0BPmy6PskBqCrGZPHf9mkJY/preview?pli=18057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631420392

Analysis

max time kernel
145s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15/01/2025, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/drawings/d/1lcF19hyDnlhQFCdZbcgi0BPmy6PskBqCrGZPHf9mkJY/preview?pli=18057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631420392

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2324	msedge.exe
2324	msedge.exe
4304	msedge.exe
4304	msedge.exe
1636	msedge.exe
1636	msedge.exe
1972	identity_helper.exe
1972	identity_helper.exe
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe
1716	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4068	4304	msedge.exe	79
PID 4304 wrote to memory of 4068	4304	msedge.exe	79
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2512	4304	msedge.exe	80
PID 4304 wrote to memory of 2324	4304	msedge.exe	81
PID 4304 wrote to memory of 2324	4304	msedge.exe	81
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82
PID 4304 wrote to memory of 656	4304	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://docs.google.com/drawings/d/1lcF19hyDnlhQFCdZbcgi0BPmy6PskBqCrGZPHf9mkJY/preview?pli=18057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631428057631420392
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff997e23cb8,0x7ff997e23cc8,0x7ff997e23cd8
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,10034674218942105130,16851797389750068978,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1172 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
6932e4a606f7bbd4457411c066d3ed86

SHA1
c8f0541d68f619b7ed69b44fbdf91ea6ded124ab

SHA256
9d5ec86b615848c7ec1f50473d4b66152e9e9b964039b64396b2280bb8367b55

SHA512
0deb1a0ad5eb888481ea8d4309dbaaf79fdb4a17786adb0c812a049e9798172b71f57bcd903dcf71d156d1e1a41ba5572424e387a0594faa2337110e7d61fa93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
992B

MD5
5d3a80e862ba379331cd1982aa2853bf

SHA1
93c83fd1876ca5f35eb9de502aa8a6a22ae1f77f

SHA256
2952518782c8ce7be743ce65244e213ef8801e50675a4423c38e0b4e9ad67499

SHA512
9ebbb12c77aaa29f59e12d3ab679f5bf8907168c29d6a508d336eef0221ba9136e4f0b59b10d3251ece77c1e4b47a826116bb94e0e8e2583dd9cafc5cf7c39cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e653b310f0fa578c4486379597eaed90

SHA1
75e1c0a210fc1bb3d166379caee98b9e2605a9db

SHA256
32d4f2dc8184e09b690c9c6b9916516b5eb6b7b2c845edacaf4e06c410b966b7

SHA512
3b3b0d6fff8fa551fb0b929b2f663304e869e7b76633925ffa304b16d464faeeff8f13eea077f807d47131ef65f4602d1c61beafe255713d4417480168ab8f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f3725c96-8b51-47d5-9c72-10df55ed28da.tmp

Filesize
5KB

MD5
feb0ce7c2b3e71276ef3acfa93b51c08

SHA1
0c34555901824feffcd3a5ab95cae4ae65841afe

SHA256
bc5be401291c032e97ad590585c61f81fb095822d9534cae5d0bb86bc6fc1cb6

SHA512
9fb4ac0c6eba7ed67cb37d3f8035ca4ea1ec6395649440d55e17bd1f40b5d0139b2b0d0a572d39ef3678b7e0259689f1929d66f3061c3d2fb2c9b547d91e392e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
02d125d3c05588109feea9e416f9ac8a

SHA1
8e0ce1967b5150b4684a3d0334b105987cac0075

SHA256
6945c27c0f0d219525b85519d03b8ede2b36214d2053e746ab441f309e188a1c

SHA512
a5951d86cfd17d867206f3f52e3831037c0ef60c1969ed4edea8bb234e65999d8885cce7430a62d2b4b2efcb35d4e97bacdd4f41c8a19059d65bc599591969fc

Download Submit