hxxps://steamunlocked[.]net/16-ultrakill-free-download/

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamunlocked.net/16-ultrakill-free-download/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1856	msedge.exe
1856	msedge.exe
4576	msedge.exe
4576	msedge.exe
3376	identity_helper.exe
3376	identity_helper.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3404	4576	msedge.exe	85
PID 4576 wrote to memory of 3404	4576	msedge.exe	85
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 2260	4576	msedge.exe	86
PID 4576 wrote to memory of 1856	4576	msedge.exe	87
PID 4576 wrote to memory of 1856	4576	msedge.exe	87
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88
PID 4576 wrote to memory of 4260	4576	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamunlocked.net/16-ultrakill-free-download/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc301346f8,0x7ffc30134708,0x7ffc30134718
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7907538218276600833,13056973240955777990,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5296 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
0cdf57845a23623c37fa8d32ee6c3b58

SHA1
270137d8bb3ce3952e54c061849373c1af305ff7

SHA256
7763e4b9d0184b7a515db2a0125b2dba1bd7ebce85408765be3fcac038c1b023

SHA512
ecac3e60cff131f0ad66ba86d332f59c258dd7869f15cc76700c07948c249cde99fdd891bb1bbfda5fd45ee2b42db64f5cb3332fdb08db9c0ac903c3113ee5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6b6e0a832359e2b5626c3cee012f4ef5

SHA1
9e383e7d90a281d8bdbf3b47955db827f49c710a

SHA256
f8520fcf288fa2f3bdc1a58490bd73457fe11d38901ec0a27bf2a739516314de

SHA512
991fa24ece794f914987cb4bea6c3b2721323af5a26611b04cc90a1ba11d8671618a8147d89e327f41db34f8ace846bef0583f34b261d418dbd6824693f9e89d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c4c8ab179499ba2b5a7e1b0598f4bdd4

SHA1
3853eb3b23c68efed8f79be07379a468a456f306

SHA256
f5f5583f9e22a5f346d3ec40cdecd674a705f5225793646c99a29f85060a7ca9

SHA512
ea448461e02e0c6a1f339dc9115fb038ebafa36f2fd1568af174d919106a0c6dbb89f679be0507f612ecf0f3101b7b8907a9e1e4e09fdc6891c4155cdc3f56ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3be4be843f9468abf244781acd569d62

SHA1
6cb3459ee48634bab2909752ba9dcdff0afa8845

SHA256
19c7d7329b1e8c264a75150b819245888c97f5b701e409c308f46b191a75b052

SHA512
58e124443fafaa8701fcc480546b8aba3a4c6e8e1b3ffc29d59acf236ebea1029d768f062705fcb7ba073fd33fcbf2dc38bb7ca515ad594621e9968a50766e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
699e3636ed7444d9b47772e4446ccfc1

SHA1
db0459ca6ceeea2e87e0023a6b7ee06aeed6fded

SHA256
9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a

SHA512
d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
54cf8f3f9ce8f54c5dd808da8cfb2738

SHA1
3917ecd81e1bc6e24d59155ce7ac3529276fe855

SHA256
b29b068665aac1389410860b7ac23f8216be1743bdee024572fb26a61bcd88ae

SHA512
b447627b42dd85e4b628fa9fd4c9df81cf4e0ffd3f00c3ee038b8278dcca75083409bd0f264ef63b452ceaa4cc19b0d70ead2d52797fae05bcb2a16ebacc32ac

Download Submit