2f1128449f908c5d7e4727891c9b12e09362e173d99ceb01d5ccfee01aa6b299

Analysis

max time kernel
120s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

search.html
Size

289KB
MD5

41ac70eb780baccdb0f0d7efd969bd47
SHA1

5977cfb815f63201a1010cd01a730d7ef39d0a34
SHA256

2f1128449f908c5d7e4727891c9b12e09362e173d99ceb01d5ccfee01aa6b299
SHA512

f0e8b6c85c800a5bf760608e0c69b5eab85610bb629f3b84fcd520c2d12420051b67ceeb6cdcda22e848baf24eb10fe4a56d3a46823ac53b95ca9e4ee1686aa8
SSDEEP

6144:52lNf+Q+jMTiGGusshcZsYpFIho28/Y2mheqTB9i0wthKptjsYHl8K94i/1v0cPy:4V2

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3348	msedge.exe
3348	msedge.exe
2140	msedge.exe
2140	msedge.exe
632	identity_helper.exe
632	identity_helper.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe
2140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4768	2140	msedge.exe	83
PID 2140 wrote to memory of 4768	2140	msedge.exe	83
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 4636	2140	msedge.exe	84
PID 2140 wrote to memory of 3348	2140	msedge.exe	85
PID 2140 wrote to memory of 3348	2140	msedge.exe	85
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86
PID 2140 wrote to memory of 1348	2140	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\search.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa815846f8,0x7ffa81584708,0x7ffa81584718
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12611617950716570233,1250436400821984801,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4944 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37d04af7fe040412c05f24f2c6cd8f2f

SHA1
2443f06f4525f3d766514f122857ecc74fc2941a

SHA256
1ab5a5199a050f7d642f1d2793d42657778c954a3fc31a799cdae6b5439cf725

SHA512
b3449a38062566d668b5823876a48762e67959723fd1ee37168f58d150269e25300e43342611a72052b956a2602c44ca3ceb452eed1a4ab12b5f752461e32555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c76084ef5a62345ea5fe42f496230ce

SHA1
ab677a8684211939ded110b61dcecd68d3e0b606

SHA256
1db95ee6e5eb9737bfb6df17177540cd05454c27f4fd73c916c39f690f749c76

SHA512
d0c3578750ae89785645d31a931c598c8dba7035a17b6fb9bcd3ceb76a69c8dcb4b23ecc89ed85be30599382db72d167bf91313ec44b59778247537e14cba66b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
267B

MD5
d3921d9ec1820f4621bdffec3762586a

SHA1
91d9db20f48a0035de47c3ec8b749fbb2a569789

SHA256
b80a5552bb73446ff1fdc17ce495d7bb734776ea9eb02bdfa0d352148c163513

SHA512
486e24d296a4c1c4c01a053e24a4bdc9ee2d6483c65836f56aa63cf49dfe882f91117f3efd9780f431faf9b41b2ecb9f584f43e42c2ddd91fb57085ad783ef3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8498d14d268660fcab734b7c75be8eba

SHA1
31890c862aa0d4465d8ccb3606db513def0fd14f

SHA256
bc924d87414afbe74153fae751b1f6ac093b312430f5acb3728a760ded18c726

SHA512
e2cdf988c5cad82d54ee482ae1ca228458e052d6e63d906a47bdcbce8545562436abf85ad545a3a5f1e3e9346d24ca6351fd7f2e0dae7218e366341d81c49c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11170dfa8cb05953f8e274614c8d9f82

SHA1
3ccb0d88c900354f1a9a2c4cc86bce6f1481d8b1

SHA256
affd530c8c946ecca3d63432d2259f02c7dd2d667c50b81d68be3f279a4352e0

SHA512
5bd669e4238da0985719bbaa3c9c535bbedce7835e967137030b59769bcfadfdb655a77a40a10e126eb4fb46b2c950459b8b9388cfb5b7bd85915a489ea97260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a45049f202252c67c00014e31e422c04

SHA1
2932d4877e67a4111e5888c24c0fa1d9bd82c3bf

SHA256
2f9865f3160d5f1f075fdaf3243de03ed4ae205f2895ef54a89a083ec9c58cc3

SHA512
4d602505656fd49065a98d28db0a3b8ad5f63fb94ea9b05c986e3103ef1c44f4fa6b58a4a86892c1063eb74916fb94c8336c803380b05257bbf88b313d3a9f6b

Download Submit