hxxps://r[.]forms[.]hr[.]com/im/6310995/5ea462fac36558c8011c59af5e6281218cce1035f40d8688a74fa65b54104e79[.]gif?e=s9ydI5oYdhwN18Xfd7ia6SxCutY9Ka9YwMNOU7eYfMc7apGgXvz0SDRMJOkPTUDKbnmqWFitbpZB8DT37wE7lR9j73ejHITHquWY30VVO3JCEKJzUehV3gW-hDK3Do22D1CYgfWx_67c0RvEm6mlX-uWkdL105hDYNLwFOMVdPoY7A_dbAwdnyvC4uObKpkErwV1zrWnSek6FldHwPncB7TzR-XiP7Ftx8ZJWYrIlB8LidW8O2PVWWPmJ-Z-QhY3gZOquhV6twESDCRqr18Va_UWWIHgu7jD3NEfmHIr7FALa57H8kPIOfmpHzyB8nSCmXFTcthThOkVI9WbY9d4HwlLPfr1bnkd9SKZpmNgr-91D27C6SoyqYE

Analysis

max time kernel
25s
max time network
11s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://r.forms.hr.com/im/6310995/5ea462fac36558c8011c59af5e6281218cce1035f40d8688a74fa65b54104e79.gif?e=s9ydI5oYdhwN18Xfd7ia6SxCutY9Ka9YwMNOU7eYfMc7apGgXvz0SDRMJOkPTUDKbnmqWFitbpZB8DT37wE7lR9j73ejHITHquWY30VVO3JCEKJzUehV3gW-hDK3Do22D1CYgfWx_67c0RvEm6mlX-uWkdL105hDYNLwFOMVdPoY7A_dbAwdnyvC4uObKpkErwV1zrWnSek6FldHwPncB7TzR-XiP7Ftx8ZJWYrIlB8LidW8O2PVWWPmJ-Z-QhY3gZOquhV6twESDCRqr18Va_UWWIHgu7jD3NEfmHIr7FALa57H8kPIOfmpHzyB8nSCmXFTcthThOkVI9WbY9d4HwlLPfr1bnkd9SKZpmNgr-91D27C6SoyqYE

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
3068	msedge.exe
3068	msedge.exe
3264	msedge.exe
3264	msedge.exe
2052	identity_helper.exe
2052	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 5724	3068	msedge.exe	77
PID 3068 wrote to memory of 5724	3068	msedge.exe	77
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 972	3068	msedge.exe	78
PID 3068 wrote to memory of 1700	3068	msedge.exe	79
PID 3068 wrote to memory of 1700	3068	msedge.exe	79
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80
PID 3068 wrote to memory of 6108	3068	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://r.forms.hr.com/im/6310995/5ea462fac36558c8011c59af5e6281218cce1035f40d8688a74fa65b54104e79.gif?e=s9ydI5oYdhwN18Xfd7ia6SxCutY9Ka9YwMNOU7eYfMc7apGgXvz0SDRMJOkPTUDKbnmqWFitbpZB8DT37wE7lR9j73ejHITHquWY30VVO3JCEKJzUehV3gW-hDK3Do22D1CYgfWx_67c0RvEm6mlX-uWkdL105hDYNLwFOMVdPoY7A_dbAwdnyvC4uObKpkErwV1zrWnSek6FldHwPncB7TzR-XiP7Ftx8ZJWYrIlB8LidW8O2PVWWPmJ-Z-QhY3gZOquhV6twESDCRqr18Va_UWWIHgu7jD3NEfmHIr7FALa57H8kPIOfmpHzyB8nSCmXFTcthThOkVI9WbY9d4HwlLPfr1bnkd9SKZpmNgr-91D27C6SoyqYE
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff900633cb8,0x7ff900633cc8,0x7ff900633cd8
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7592245591506958747,4494867268965787653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
  2⤵
  PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09d18f942484ffcf932501528489bd6b

SHA1
ac07b822d3f143735378e801cb40acbe34c76c8f

SHA256
e90fae505e5b73b6c75ee310640a8f1955acf08c5f9e36e55bbbf21ffb2a8748

SHA512
357779466f4535c14e61fd487280d3fd8d5769d1c8c785cd7e9ea823a9ccb85db703b88dce19a41f2c0c584acd8d0a14c074e48ce10e1a105992577ff08dc21f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e1240d3a5e929265944f652f0dbd131

SHA1
b35e85a28446a75499a98e7a2733880ca0b46ce1

SHA256
dff0c845cedfb63b58f02add3d9551e92e58e783d6ca11ac46048100864a241f

SHA512
1430c34f905368dd375fea202c6f56f11a9231c734c87f0f4ef98b34b7fee8acb33f16e5954a86703b0b244aba8824111e1f909ca3fd2e13f4c627030b985451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
495b55a3bd7a4f348d6811cf3883cbb6

SHA1
feccca7d577a1b96bbbb75522937341629f925aa

SHA256
071028d6ba91b313ac23d56ed982bca769a6dfbf4216b5e0f99d0458da60124e

SHA512
d626a6fade735fbd9a6aae4a15f0e682a53ff5b812ceee633e2f4128331a744577fe948a4cf93bd22b8a8479c0a2e0e727a518427eb74171e465848fe06c619a

Download Submit