hxxp://google[.]com

Resubmissions

17/01/2025, 09:49

250117-ltejws1qdv 3

17/01/2025, 09:48

250117-ls436a1qct 4

17/01/2025, 06:31

250117-hakp1svnfz 10

Analysis

max time kernel
294s
max time network
290s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17/01/2025, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2100	msedge.exe
2100	msedge.exe
3388	msedge.exe
3388	msedge.exe
5020	identity_helper.exe
5020	identity_helper.exe
588	msedge.exe
588	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4376	3388	msedge.exe	77
PID 3388 wrote to memory of 4376	3388	msedge.exe	77
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 4740	3388	msedge.exe	78
PID 3388 wrote to memory of 2100	3388	msedge.exe	79
PID 3388 wrote to memory of 2100	3388	msedge.exe	79
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80
PID 3388 wrote to memory of 2872	3388	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff977b3cb8,0x7fff977b3cc8,0x7fff977b3cd8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,18067244680959226565,5197268362979776973,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4836 /prefetch:2
  2⤵
  PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6e56fea4fe6167bee03d0bc894b686b7

SHA1
8b613377783747f06052ddbb187746e16f023f59

SHA256
df82252c4fa7c73767b7986da31af30fb4dc11fff3d1f082751b90d0e6f353e6

SHA512
2d6cfbbf4b00aec098b93ea644330b221721c35f5a85683e6bb5a618705d547b9508aa9ae9282b7ef8569be8dbed0575b4c4d520a75e69156b3971d006c71f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
814B

MD5
df1962ad20b197e6da8b7ac140fbcce1

SHA1
b5bfc9a3af18eddd247d921a19cc6a833516f756

SHA256
a02c508ff6059c128dccb93de19d69075dad47b6e93db02c62def608198c9a9c

SHA512
a939a6d93bef0b4ccac5774172ffd6d9d8b8b5bca5557f91f8721e4581aebd0d5ada48d4dfca67c4e979c1272afff840b6655afb3add8d890dff2b4ab85277be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
997b75ce6cdb9724cf31dfb2f7c817bd

SHA1
76223748e6bd4658679059a47b54accbb122e42c

SHA256
1f7b82399438e42abf7b27f7d160aad8346924bb42c20334cf81693aa350cace

SHA512
e5a519f3d2d945328194b632e23e87a396c2203cc9b77f5d1a06e431670b034bdd2c2d1f2a8f7cff625c997fd6ab339f666444fcc2c6b7c1bf509846d49ef816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f8d093afd7fc17d92124d9a322ef650

SHA1
24f1cdd296534ba59bca3dc8b65d3292c03e0a76

SHA256
acd5252e91c6dcae4f94d8cb86d93b7ce785651b97c1903a0fc7fd2f8d43550c

SHA512
225c0b8a77494d537b7c348b2fe660493aff8f23cab50481b62e0ee357d0867751a2d29f7bad71baf22e186f1b5568e03dad1ccdca5d220bffab74bfee418e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
39f6befc4c8f8ba4c99b46175dd05457

SHA1
28c8360dfbff23b818a94f2ce2f933779e6e268d

SHA256
3eaa7fa945ff624a47090f89d9d06a408f22bdf60438044038ad1439244a7c23

SHA512
9a5d18a6d30871b4dee89accc8e1b4e89500079787e0e56bba45021364c77b42ab7be276edb723d451b706c4e9ed777fdb73649ca574f3573f4110cd4f430a1d

Download Submit