c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304

Resubmissions

16-11-2024 01:52

241116-caldnaxeqf 8

16-11-2024 01:51

241116-caabdsxeph 3

16-11-2024 01:51

241116-b9ybtsxfqj 3

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamtoolsSetup.exe
Size

978KB
MD5

bbf15e65d4e3c3580fc54adf1be95201
SHA1

79091be8f7f7a6e66669b6a38e494cf7a62b5117
SHA256

c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304
SHA512

9bb261b4ed84af846e07ffb6352960687e59428fd497faa0a37d70b57a1a7430d48ac350fbb0c3f0f11e4231a98ebca4d6923deba0949fdd7a247a3c02737355
SSDEEP

24576:4Fa9OUi2VoN2gZ1M8UQag3BXrYZt+GgGTfG74T+TRcL:Z9OUiTN2gZ1MExEZkkf+4TARg

Score

8^/10

discovery phishing

Malware Config

Signatures

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: clipboard@2
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
Executes dropped EXE 3 IoCs

Processes:

SteamtoolsSetup.exeSteamtoolsSetup.exeSteamtoolsSetup.exe

pid process

5876 SteamtoolsSetup.exe
5940 SteamtoolsSetup.exe
5208 SteamtoolsSetup.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
5876	SteamtoolsSetup.exe
5940	SteamtoolsSetup.exe
5208	SteamtoolsSetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{9B36BFBC-D9F9-4AA2-AE33-2BD16F46A142}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 918641.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 918641.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4440	msedge.exe
4440	msedge.exe
3936	msedge.exe
3936	msedge.exe
1508	identity_helper.exe
1508	identity_helper.exe
5780	msedge.exe
5780	msedge.exe
5560	msedge.exe
5560	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe

pid	process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3936 wrote to memory of 3468	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3468	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3276	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 4440	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 4440	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 3548	3936	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff827eb46f8,0x7ff827eb4708,0x7ff827eb4718
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7112 /prefetch:8
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5780
- C:\Users\Admin\Downloads\SteamtoolsSetup.exe
  "C:\Users\Admin\Downloads\SteamtoolsSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:5876
- C:\Users\Admin\Downloads\SteamtoolsSetup.exe
  "C:\Users\Admin\Downloads\SteamtoolsSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7312 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,4524951428744862503,10813502037743087977,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6696 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6092

C:\Users\Admin\Downloads\SteamtoolsSetup.exe
"C:\Users\Admin\Downloads\SteamtoolsSetup.exe"
1⤵
- Executes dropped EXE
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fdf28b1ae66971f5e0900abf9d7c3713

SHA1
212b81239e1f358d725b45ba0ccf6607b8457dd5

SHA256
605f022e4dad6ad7caf4035c51ae98fb3367307ba5c2d3336cad532b2ec8e546

SHA512
6e380ccc43868a14167321b7c7270300f79a496a688dc7923cf58d489dba3e346a8e50f5a6ecd03e45c0b8cd4b0ed6220ab6f17c7e0fa514d6157023dc32d04e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f4c047d0b805520024ea2b99bb67a465

SHA1
a76baec7c8da6762782234d715e42c30755da986

SHA256
7bc0445134700e1ca2b4f3e3272548ae49bc9a96bf6f22f3a97b00dcd31e1f12

SHA512
a06166f8ab4518d4a27110597d030e5231c2d1c1a6371749239b1fd28cf6e86d401d286c919bfa7010ebefe1ab4e4fd3019e33c986b8b311183ddb9234d7368a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b5786edb62d0b4109515aeba6c7eb9f2

SHA1
0caa3376b23c6c19b07195a8b7724628f08bba43

SHA256
932f55701745b655eeec0f1542c7c8fd31a8df9e6aacfc02d41697bdfc6145fb

SHA512
e1c4c11b070c675102e77bbbdb55c61ca00102da4c35d60d5c3776e2a24bf6d9931b3fb8eccac0eff6aa625ec2a46522c760e5cdeb6f5b271b1d9d2a0cb6c003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f89381faed6c156be11f0bcc03f66b40

SHA1
cc07fd02fc73d63436ffca8bb03f98911662015e

SHA256
7a6cb79a1b437a5af080cd7fb69165fc3dea9e4b733726606ae478334dfac0d3

SHA512
930c5b528ec6544c58303ecd95f124b2df6e93496efe0831d00224ec4e0574c369e7bdba4f058f34c59ff17c64cbf8d0b0b598bb63cff67cc227abb37d273946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f014cc1a09a18f4b380b6b404e9803de

SHA1
2a6baff98ac0f3af656a78f7646124e6600b0080

SHA256
f4189aaeccae671852060ec2bf85055f64c4b583ee010d92930ff190f0c9fadb

SHA512
094d113ad29d416069b4c648f13c09358b29c6af8fd48256955dbfd5c6e47a3daadf6b425d47a997d1df3f647ef10b4a72b9895b859b495fdea52837c61cf38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3cc19ab6a56ffe83e9ba5bdb841a9995

SHA1
fdb02295116b94ebe978e14f3b76e0d467434fd1

SHA256
e0c2872fcf13929b0d362e7f4de5197ebd0a41054c7c36ea9da8ee26837276a5

SHA512
d30493013617c4dea45b390378776620461a7e68a6474ce41d4ac51e8d3bf990e32f3ad160f57e3400a87f7e7e0d622c38a4492b1bf7f07c03d779e97ae97490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6915f7b2c7c828de918ad5d80f62f863

SHA1
27c698bc3dc168304dbce4a4d615c86f65d4b29e

SHA256
0b98cd8430508069ee7a551565ffe9cb27e7c8d62823b00a9c8f4600519e073d

SHA512
bb50fe22bf255fdde87b1a9b62a64704a09ea373bf7da4c8ec6fbaf0b4c67afbd182e14658e8cd17746cce3e2cd1eccd0ee94a622299d1ee4c41227baf164169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
749cfd327dedfd88e891857fc4b246e5

SHA1
d3f218634e49e5aacee2798fa294e27d5e55ae8c

SHA256
32193948ed220415373f807d9cc0bc510af6b7d4bef195b03884e07a3b4ff56e

SHA512
6e5b29faa052a845b7e958bd728078b16e16a16becc72b952733a92639cee8415d92c6c2dccf4b3831cf92bdd2065f7338e85106dc4657c6fd07bad0fbf8f1e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
779d25ff0f56ed8efc67f2110fcca244

SHA1
23dacc87512f436ae982717f4829eac2f3ead12c

SHA256
7474cd9b962d1f0a222f43f74dcc079c07f62d7520d51a45c143cd9c001f1ae1

SHA512
68e00dde013a3c6ddaf16dece1b1c4bc3d2f288dbcbe9e16e5c5f1b491c190a9ab15c50ea75128a5eabbf385784668f4a685c24f29539683ff89b42dfe8eda5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589ce7.TMP

Filesize
874B

MD5
3666008a472258a8b6ca5cb2892f4b79

SHA1
fdbd7e16343cd0f60da70d8a3df3ef7ff7d329db

SHA256
eea7b3ef55e1ef06104db27dbe01945e9b8360b1c0f7e7b55a26b8f1d7ff4a23

SHA512
20989559dade2edc065fee94f0a7f2467a03d6fb4d73e6eecb48f11a7563666865b0b3c7e861c5beeb704f8732c47e3dbdc86c28b017c30c7eb2f1a71c896e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
791f95fbf6de7685402da7d797c49ebf

SHA1
acce8b9e19718b56ecc9e33ccf093e0bf9b2c51c

SHA256
b38673d1953140a98b67d2a455a7877ffd4254e52516814360f9c90a217d8111

SHA512
bec137ecfedfe47be078f68559167ee72db7089ca2445d305114d6f44e8fcf002c195b525b3c8db896e08cf077b0f2580e219bc0a5a551a6bb43b3f9f79c4456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d24a3a5b6d652b1cc16264bd101b3ef1

SHA1
fab3bc40c29b9ef412c8bb1dfd8b91bca2c9784c

SHA256
fdca6cba21ccfb70f1090947c4fbd29548017976f249fcf4e5a2f0eec3e5248e

SHA512
5e9575a9a0c3e37259b61bf921b1911e37571c167a531d0d586ac51f95ecbba59debd8eaa242da006870303b15bdfbe1826f27d21aaea947b0867234c314ea89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
546835a27e4dbf0140a3501845534909

SHA1
ac44270f256b589c9b640d619870316da77fadb8

SHA256
df600c5cda7407d5c025d1ecf304d1671408c49cc5d32e317a9b277848cfc3d2

SHA512
2a1b1fc1cbb91fd8cd794856739fdbf610a800e3398449b657cee56e794326ae91210af4488c86be5ad94783aaacaea19c58391f3663ccaa427cdb580b05c5fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 918641.crdownload

Filesize
978KB

MD5
bbf15e65d4e3c3580fc54adf1be95201

SHA1
79091be8f7f7a6e66669b6a38e494cf7a62b5117

SHA256
c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304

SHA512
9bb261b4ed84af846e07ffb6352960687e59428fd497faa0a37d70b57a1a7430d48ac350fbb0c3f0f11e4231a98ebca4d6923deba0949fdd7a247a3c02737355

Download Submit
\??\pipe\LOCAL\crashpad_3936_HAOJFGINKTESAGRG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit