hxxp://steamcommuntity[.]com/activation=Tvc2Fh8mw1

Analysis

max time kernel
600s
max time network
434s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-12-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://steamcommuntity.com/activation=Tvc2Fh8mw1

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4580	msedge.exe
4580	msedge.exe
4184	msedge.exe
4184	msedge.exe
2964	msedge.exe
2964	msedge.exe
228	identity_helper.exe
228	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 3472	4184	msedge.exe	77
PID 4184 wrote to memory of 3472	4184	msedge.exe	77
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 1988	4184	msedge.exe	78
PID 4184 wrote to memory of 4580	4184	msedge.exe	79
PID 4184 wrote to memory of 4580	4184	msedge.exe	79
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80
PID 4184 wrote to memory of 4640	4184	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://steamcommuntity.com/activation=Tvc2Fh8mw1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd11023cb8,0x7ffd11023cc8,0x7ffd11023cd8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16241201617479076521,11942169873797289858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
4c6d0c2aaae627cb8a154fb93c674f2c

SHA1
6e0e7afba2f9d9166279be4d05c4444c519cff0a

SHA256
c272b10dbb5ffd2f931affb7c28f389c9b4bb759da006183cbaeca13b1e1d8db

SHA512
84366ad0adaa99c0da9b1fd7b99c69cce3e8d7f33d0b051bd273bf367f4491a36a6143b285bce2446bfcdc478d836970869d977f59b923edb73975ceb7d5ad98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
693B

MD5
5f0bf60b0b97ffbe2d61980f554e82fc

SHA1
2daa9f7f3b3ceaf49ec17f0f7a472cafebbe16d7

SHA256
eccccfc55c2972482ba922d75e073f2d518a4ce939e8d10ac5c2d33a76f51a63

SHA512
c88e8e4af1f1b5c814f2bc28d17a376a4b9e1a57a69cda8b8f84ecbf599d095534f004acee92a41b97e98832d90a3250ccfa181d67b3c8f3339eb176d84f0225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
77daf182da62b62daa8185b217e829c5

SHA1
b17329b3e74dd444358f04cbc7bfab2f2db5f115

SHA256
756d6e6170d8bb4ee23211f9d330f139a73a2b5563802caf12dd103bcbbd9381

SHA512
3c1d230dab38cd5dcec7266680380e7f81479f29244f6fbffb28521d88d5701cc266c9ce838d5104476281678d96406be2987048e214f7632b1e92cbaa3c03c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b3a2756a3c43cbd1b4bc013f337280a

SHA1
adf7024fe0eb90e25cb7eadb1a0b0f8e4f8a9d4f

SHA256
8e1de1c74ad3539ae832bded732abc4b0d2c793dc670b8468fb4683595fa1bb5

SHA512
2e9c7604bdcb212b901a9c1d8980b1d0b5612d29ae2f6ccff8adc479080ccca1979f175cae13cbaba69fcb3626128d63acbbb3b4a7e407cb56f32c664b053ade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6943333b3a49fc685989c6ad05569956

SHA1
293a03bb4af327730c1cb2c76101126c264bacee

SHA256
d7edbf9478b1dee478d6d623eb0769dfb526d1b0b225fe23c64bd8c807f9a188

SHA512
a2dbeb8ff6e87bfce8bfd6e7f6f7b8aae5b781be50d2f23ed6cc6c06b590c2723b2336c81f3992864afde0eb7369068c043712f50e66d8fcb3eee1075f9a7c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54071703e13c34ae5c4104d4ec153c5b

SHA1
9cd2b4bbbfd7a8beb09b30126761dd4f54fcb83f

SHA256
5c6e17d9678faa05063cba6a0adb2ad49c31c08f595b0d44ee7e45b1e5a60146

SHA512
9a7156b054dd5e1dfbc3e5510ca52cedf37b640b09c2a02ae33718ec9702ee3560b8579f1d21bdf15e4de0f2f1e127d818dd99a1d153bff63737b0fd6be532c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
be14bedbe3fd1b451e036fe5fec9b4bd

SHA1
a21080eed8ea6aebe5f01fbab681c611cfa5d501

SHA256
cf4a9a4fd92dd9965b8d3ac2e683635b8bb5947555fd423b1f7a70af50d68754

SHA512
2b7f248dc9641e327e730f9ad139a91944858f0eea73b9aebec905a2e7ebd86766e436b936719f575d59065fc8048ae579947aad4daabfe6cc0f2780ce75f2f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b2ee4e08a02229012611e8389de0fe56

SHA1
86372c67539064d88c5c353e495e1eeaae74d6ea

SHA256
98d0d17ac441ed62e7b514c070038feb3bd8f0c1e53cb74a99b3bd1ea86e8ba9

SHA512
ef299f34f3a9e8b77871885c72ddccace03f1208e143ad1dddab0fa9a06559a40168c569aaab0bd2a9ba862f95f521f295f900cfce2aba00eebbcaf8d6198f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
09374cff98829f22b0d3396d722315c6

SHA1
8283ef278e54d5dea5f01b58cdbb0e908a478698

SHA256
a563a10681437ac9f15a27b908bfa5a7ff65ffea1296298937cf817ade7bd8f8

SHA512
8b8f6fbcb9966e608c342173187553a542f1013364cc48a636a79ef60265ad0c7bd32195b7954bfaf4a9694f63cb123c3079ae91cc0118e92f133ce53207957f

Download Submit