hxxps://aka[.]ms/o0ukef

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 15:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://aka.ms/o0ukef

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
5060	msedge.exe
5060	msedge.exe
2540	identity_helper.exe
2540	identity_helper.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3156	5060	msedge.exe	82
PID 5060 wrote to memory of 3156	5060	msedge.exe	82
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 1532	5060	msedge.exe	83
PID 5060 wrote to memory of 3012	5060	msedge.exe	84
PID 5060 wrote to memory of 3012	5060	msedge.exe	84
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85
PID 5060 wrote to memory of 1884	5060	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://aka.ms/o0ukef
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdcc846f8,0x7fffdcc84708,0x7fffdcc84718
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8069425640312585576,4645090378731680009,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5340 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3436

Network

DNS

aka.ms

msedge.exe

Remote address:

8.8.8.8:53

Request

aka.ms

IN A

Response

aka.ms

IN A

2.22.5.149
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
GET

https://aka.ms/o0ukef

msedge.exe

Remote address:

2.22.5.149:443

Request

GET /o0ukef HTTP/1.1
Host: aka.ms
Connection: keep-alive
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Content-Length: 0
Server: Kestrel
Location: https://aka.ms/krs?id=-crYd9Lj
Request-Context: appId=cid-v1:b47e5e27-bf85-45ba-a97c-0377ce0e5779
X-Response-Cache-Status: True
Expires: Tue, 31 Dec 2024 15:30:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 31 Dec 2024 15:30:17 GMT
Connection: keep-alive
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
GET

https://aka.ms/krs?id=-crYd9Lj

msedge.exe

Remote address:

2.22.5.149:443

Request

GET /krs?id=-crYd9Lj HTTP/1.1
Host: aka.ms
Connection: keep-alive
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Content-Length: 0
Server: Kestrel
Location: https://krs.microsoft.com/redirect?id=-crYd9Lj
Request-Context: appId=cid-v1:d94c0f68-64bf-4036-8409-a0e761bb7ee1
X-Response-Cache-Status: True
Expires: Tue, 31 Dec 2024 15:30:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 31 Dec 2024 15:30:17 GMT
Connection: keep-alive
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
DNS

krs.microsoft.com

msedge.exe

Remote address:

8.8.8.8:53

Request

krs.microsoft.com

IN A

Response

krs.microsoft.com

IN CNAME

kmas-prod.azurefd.net

kmas-prod.azurefd.net

IN CNAME

azurefd-t-prod.trafficmanager.net

azurefd-t-prod.trafficmanager.net

IN CNAME

shed.dual-low.s-part-0036.t-0009.t-msedge.net

shed.dual-low.s-part-0036.t-0009.t-msedge.net

IN CNAME

s-part-0036.t-0009.t-msedge.net

s-part-0036.t-0009.t-msedge.net

IN A

13.107.246.64
GET

https://krs.microsoft.com/redirect?id=-crYd9Lj

msedge.exe

Remote address:

13.107.246.64:443

Request

GET /redirect?id=-crYd9Lj HTTP/2.0
host: krs.microsoft.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Tue, 31 Dec 2024 15:30:18 GMT
content-type: text/html; charset=utf-8
content-encoding: br
set-cookie: TiPMix=14.677892452535634; path=/; HttpOnly; Domain=krs.microsoft.com; Max-Age=3600; Secure; SameSite=None
set-cookie: x-ms-routing-name=self; path=/; HttpOnly; Domain=krs.microsoft.com; Max-Age=3600; Secure; SameSite=None
vary: Accept-Encoding
strict-transport-security: max-age=2592000
request-context: appId=cid-v1:21c5cddf-c4b1-44ff-854e-6e2d0ac6af45
x-azure-ref: 20241231T153018Z-r1d8dc5d876kswtwhC1LON7dyc0000000bhg000000007rcn
x-cache: CONFIG_NOCACHE
GET

https://krs.microsoft.com/css/styles.css

msedge.exe

Remote address:

13.107.246.64:443

Request

GET /css/styles.css HTTP/2.0
host: krs.microsoft.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/css,*/*;q=0.1
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: style
referer: https://krs.microsoft.com/redirect?id=-crYd9Lj
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: TiPMix=14.677892452535634
cookie: x-ms-routing-name=self

Response

HTTP/2.0 200

date: Tue, 31 Dec 2024 15:30:18 GMT
content-type: text/css
content-encoding: br
etag: "1db4a6132ac552b"
last-modified: Mon, 09 Dec 2024 17:38:46 GMT
vary: Accept-Encoding
strict-transport-security: max-age=2592000
request-context: appId=cid-v1:21c5cddf-c4b1-44ff-854e-6e2d0ac6af45
x-azure-ref: 20241231T153018Z-r1d8dc5d876kswtwhC1LON7dyc0000000bhg000000007reg
x-cache: CONFIG_NOCACHE
GET

https://krs.microsoft.com/images/GooglePlayStoreBadge.png

msedge.exe

Remote address:

13.107.246.64:443

Request

GET /images/GooglePlayStoreBadge.png HTTP/2.0
host: krs.microsoft.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://krs.microsoft.com/redirect?id=-crYd9Lj
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: TiPMix=14.677892452535634
cookie: x-ms-routing-name=self

Response

HTTP/2.0 200

date: Tue, 31 Dec 2024 15:30:18 GMT
content-type: image/png
content-encoding: br
etag: "1db4a6132ac4ff7"
last-modified: Mon, 09 Dec 2024 17:38:46 GMT
vary: Accept-Encoding
strict-transport-security: max-age=2592000
request-context: appId=cid-v1:21c5cddf-c4b1-44ff-854e-6e2d0ac6af45
x-azure-ref: 20241231T153018Z-r1d8dc5d876kswtwhC1LON7dyc0000000bhg000000007rek
x-cache: CONFIG_NOCACHE
GET

https://krs.microsoft.com/images/AppleAppStoreBadge.png

msedge.exe

Remote address:

13.107.246.64:443

Request

GET /images/AppleAppStoreBadge.png HTTP/2.0
host: krs.microsoft.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://krs.microsoft.com/redirect?id=-crYd9Lj
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: TiPMix=14.677892452535634
cookie: x-ms-routing-name=self

Response

HTTP/2.0 200

date: Tue, 31 Dec 2024 15:30:18 GMT
content-type: image/png
content-encoding: br
etag: "1db4a6132ac739b"
last-modified: Mon, 09 Dec 2024 17:38:46 GMT
vary: Accept-Encoding
strict-transport-security: max-age=2592000
request-context: appId=cid-v1:21c5cddf-c4b1-44ff-854e-6e2d0ac6af45
x-azure-ref: 20241231T153018Z-r1d8dc5d876kswtwhC1LON7dyc0000000bhg000000007reh
x-cache: CONFIG_NOCACHE
DNS

www.microsoft.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

95.100.245.144
DNS

play-lh.googleusercontent.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play-lh.googleusercontent.com

IN A

Response

play-lh.googleusercontent.com

IN A

142.250.179.118
DNS

149.5.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.5.22.2.in-addr.arpa

IN PTR

Response

149.5.22.2.in-addr.arpa

IN PTR

a2-22-5-149deploystaticakamaitechnologiescom
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
GET

https://www.microsoft.com/mwf/_h/v3.54/mwf.app/fonts/mwfmdl2-v3.54.woff2

msedge.exe

Remote address:

95.100.245.144:443

Request

GET /mwf/_h/v3.54/mwf.app/fonts/mwfmdl2-v3.54.woff2 HTTP/2.0
host: www.microsoft.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
origin: https://krs.microsoft.com
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
dnt: 1
accept: */*
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: font
referer: https://krs.microsoft.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

content-type: application/font-woff2
last-modified: Thu, 18 Jan 2024 08:42:04 GMT
x-activity-id: bef6c1e8-35e3-4b43-8e2b-be5cc2daf505
x-appversion: 1.0.8745.29656
x-az: {did:92e7dc58ca2143cfb2c818b047cc5cd1, rid: OneDeployContainer, sn: marketingsites-prod-odnortheurope, dt: 2018-05-03T20:14:23.4188992Z, bt: 2023-12-12T00:28:32.0000000Z}
ms-operation-id: b25f79f24452824498d02803dad0fa8d
p3p: CP="CAO CONi OTR OUR DEM ONL"
x-content-type-options: nosniff
access-control-allow-origin: *
access-control-allow-methods: HEAD,GET,POST,PATCH,PUT,OPTIONS
x-xss-protection: 1; mode=block
content-length: 22904
ak-forward-host:
ak-forward-host:
cache-control: public, max-age=26221205
expires: Fri, 31 Oct 2025 03:10:23 GMT
date: Tue, 31 Dec 2024 15:30:18 GMT
tls_version: tls1.3
strict-transport-security: max-age=31536000
ms-cv: CASMicrosoftCV9565d03a.0
ms-cv-esi: CASMicrosoftCV9565d03a.0
x-rtag: RT
GET

https://play-lh.googleusercontent.com/Zk9elS0eGXDr0L4W6-Ey7YwHbRNjkyezHC8iCc8rWp64lNIjlByS8TDF9qDSZbiEWY4=w240-h480-rw

msedge.exe

Remote address:

142.250.179.118:443

Request

GET /Zk9elS0eGXDr0L4W6-Ey7YwHbRNjkyezHC8iCc8rWp64lNIjlByS8TDF9qDSZbiEWY4=w240-h480-rw HTTP/2.0
host: play-lh.googleusercontent.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://krs.microsoft.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

c.s-microsoft.com

msedge.exe

Remote address:

8.8.8.8:53

Request

c.s-microsoft.com

IN A

Response

c.s-microsoft.com

IN CNAME

c-s.cms.ms.akadns.net

c-s.cms.ms.akadns.net

IN CNAME

c.s-microsoft.com-c.edgekey.net

c.s-microsoft.com-c.edgekey.net

IN CNAME

e13678.dscg.akamaiedge.net

e13678.dscg.akamaiedge.net

IN A

2.18.109.131
GET

https://c.s-microsoft.com/favicon.ico?v2

msedge.exe

Remote address:

2.18.109.131:443

Request

GET /favicon.ico?v2 HTTP/2.0
host: c.s-microsoft.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://krs.microsoft.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

content-type: image/x-icon
access-control-allow-credentials: true
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
etag: "1DAFB001B73DA00"
last-modified: Fri, 30 Aug 2024 17:14:44 GMT
p3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
x-frame-options: SAMEORIGIN
x-sitemuse-origin: Azure
x-azure-ref: 20240904T125510Z-r15b8bc659bgl2smzyeuqqn71s0000000ehg00000000a6zc
accept-ranges: bytes
vary: Accept-Encoding
content-encoding: gzip
content-length: 540
cache-control: public, max-age=562625
expires: Tue, 07 Jan 2025 03:47:24 GMT
date: Tue, 31 Dec 2024 15:30:19 GMT
access-control-allow-methods: GET,POST
access-control-allow-origin: *
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

64.246.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.246.107.13.in-addr.arpa

IN PTR

Response
DNS

144.245.100.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

144.245.100.95.in-addr.arpa

IN PTR

Response

144.245.100.95.in-addr.arpa

IN PTR

a95-100-245-144deploystaticakamaitechnologiescom
DNS

118.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.179.250.142.in-addr.arpa

IN PTR

Response

118.179.250.142.in-addr.arpa

IN PTR

par21s20-in-f221e100net
DNS

131.109.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.109.18.2.in-addr.arpa

IN PTR

Response

131.109.18.2.in-addr.arpa

IN PTR

a2-18-109-131deploystaticakamaitechnologiescom
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

20.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.49.80.91.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

2.22.5.149:443

https://aka.ms/krs?id=-crYd9Lj

tls, http

msedge.exe

3.6kB
8.4kB
15
17

HTTP Request

GET https://aka.ms/o0ukef

HTTP Response

301

HTTP Request

GET https://aka.ms/krs?id=-crYd9Lj

HTTP Response

301
13.107.246.64:443

https://krs.microsoft.com/images/AppleAppStoreBadge.png

tls, http2

msedge.exe

3.4kB
23.0kB
28
36

HTTP Request

GET https://krs.microsoft.com/redirect?id=-crYd9Lj

HTTP Response

200

HTTP Request

GET https://krs.microsoft.com/css/styles.css

HTTP Request

GET https://krs.microsoft.com/images/GooglePlayStoreBadge.png

HTTP Request

GET https://krs.microsoft.com/images/AppleAppStoreBadge.png

HTTP Response

200

HTTP Response

200

HTTP Response

200
95.100.245.144:443

https://www.microsoft.com/mwf/_h/v3.54/mwf.app/fonts/mwfmdl2-v3.54.woff2

tls, http2

msedge.exe

2.6kB
32.1kB
33
39

HTTP Request

GET https://www.microsoft.com/mwf/_h/v3.54/mwf.app/fonts/mwfmdl2-v3.54.woff2

HTTP Response

200
142.250.179.118:443

https://play-lh.googleusercontent.com/Zk9elS0eGXDr0L4W6-Ey7YwHbRNjkyezHC8iCc8rWp64lNIjlByS8TDF9qDSZbiEWY4=w240-h480-rw

tls, http2

msedge.exe

2.2kB
16.2kB
21
23

HTTP Request

GET https://play-lh.googleusercontent.com/Zk9elS0eGXDr0L4W6-Ey7YwHbRNjkyezHC8iCc8rWp64lNIjlByS8TDF9qDSZbiEWY4=w240-h480-rw
2.18.109.131:443

https://c.s-microsoft.com/favicon.ico?v2

tls, http2

msedge.exe

1.9kB
9.0kB
18
24

HTTP Request

GET https://c.s-microsoft.com/favicon.ico?v2

HTTP Response

200

8.8.8.8:53

aka.ms

dns

msedge.exe

52 B
68 B
1
1

DNS Request

aka.ms

DNS Response

2.22.5.149
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

krs.microsoft.com

dns

msedge.exe

63 B
228 B
1
1

DNS Request

krs.microsoft.com

DNS Response

13.107.246.64
8.8.8.8:53

www.microsoft.com

dns

msedge.exe

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

95.100.245.144
8.8.8.8:53

play-lh.googleusercontent.com

dns

msedge.exe

75 B
91 B
1
1

DNS Request

play-lh.googleusercontent.com

DNS Response

142.250.179.118
8.8.8.8:53

149.5.22.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

149.5.22.2.in-addr.arpa
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

c.s-microsoft.com

dns

msedge.exe

63 B
193 B
1
1

DNS Request

c.s-microsoft.com

DNS Response

2.18.109.131
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

64.246.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.246.107.13.in-addr.arpa
8.8.8.8:53

144.245.100.95.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

144.245.100.95.in-addr.arpa
8.8.8.8:53

118.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

118.179.250.142.in-addr.arpa
8.8.8.8:53

131.109.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

131.109.18.2.in-addr.arpa
224.0.0.251:5353

572 B
9
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

20.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

20.49.80.91.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
543B

MD5
c3e07636f3b7438fc40633436a22227d

SHA1
24519fb6879685d3924e05c570f01930dec05296

SHA256
bf1129f2dfaad6555a2b46d492da1ca676c84e1c2effea62dc2292b9fd48f6b8

SHA512
9535ec5d543429121bd6af9dfbf9218acb512a3647c085055cb6f14267628223bd10d5b1c3b775c95dc2f3636e8f3ce3c7b1776791195c9a77ac1c166c93166a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c51111b94545f90cac92448b1c504c4

SHA1
f0c95606d07b619da61d6d5e4c1092a5a15a0bf0

SHA256
d6ddc7835e1532c9f1bd14519e0545c5a2c0d9b8611f86935568c5a5851a864d

SHA512
29a0c33c5cf68a9989fb4af16b98f071e1d843bd9ca188ae015bc51d6705d0d15607984a8f186cce1551597e2cc6fb3b0990f67883c9f319ac19c2b39a2b17e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0163599a5e4e9f04b36f1d1e0eddac73

SHA1
2ec825234ef6235676073c8b2b5be9472a044ba3

SHA256
ec751261c3255dbea7d260a6d2d90beb813db2b5f07325eb7a05e2d6fe61490e

SHA512
35fbe7f18260568e123754481266783c356a0bcf9f46306c6c335e024ec3f3c6c8c9345fa7804342ef7d5d90f36271052724fab21e3590a4b56f3cfebbd08284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f0549caba10f559a4d8ead6fa0027a3d

SHA1
f0e03abad89c6c53ede47ac9e0fda2f4bc3f07dd

SHA256
692ca3e226a95efb43e2663d1ace808905974585ef31a43600bdcc08036f4cff

SHA512
7002a4a1fa736458d6716e3f7c7c7c0f43e66bc2a4a19010325fa81233885871dd4f8aa5370a6a7bf4d29c6f889ff34ae65f54553908175dcaecab28e1d7c8f8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.