hxxps://u[.]to/7IJpIQ

Analysis

max time kernel
145s
max time network
134s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
23-01-2025 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/7IJpIQ

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2144	msedge.exe
2144	msedge.exe
896	msedge.exe
896	msedge.exe
3104	msedge.exe
3104	msedge.exe
2648	identity_helper.exe
2648	identity_helper.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 1540	896	msedge.exe	77
PID 896 wrote to memory of 1540	896	msedge.exe	77
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2236	896	msedge.exe	78
PID 896 wrote to memory of 2144	896	msedge.exe	79
PID 896 wrote to memory of 2144	896	msedge.exe	79
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80
PID 896 wrote to memory of 532	896	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://u.to/7IJpIQ
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdd9af3cb8,0x7ffdd9af3cc8,0x7ffdd9af3cd8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,13375220220913931905,17919842583710907115,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1196 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92bc6c2232da03fa79bb92cbc86bc413

SHA1
4848be7aba46cebdb7152b2ca95d9422e95c466f

SHA256
3270a9cd2b2b752cf4fae065a856e93e539f2901803e99a881472a9f3e9a3ab5

SHA512
81c3c6dd13b8e4250ee156f34e0aab612040cbd6aace923ddb9c50ec838d1a2bc6335e3770e9c2af47bb7733c5331445a7ffa2fd157d32399f078b654f83deb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cd3d398162abcee432c4fdc8bb3dfa84

SHA1
64a21a203e2c5c250cce1306f535bb94e263e85b

SHA256
f792d873998fac5afe360f397b5306c87a60cc9bdcf8062036941614c92e0131

SHA512
0ff31585092e3fd5e6e9ad60e918505c67f04b176e8537ab89bf345aba6fd424e7f866809c33194472b0f1de958d1b1c659ae7c9d466f0cdfa2bb42da98ed1a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4feff98213fe68afd993a1c3f423c0ee

SHA1
14a5758bf91fdc6b1ce3d1e359150b16b71714d1

SHA256
4d8f2e417aa45d72992c528320a1bc9157548d077c32a8e9987b3b4bd3599bc0

SHA512
a97ad5c34a1a57f9ba9cf329ec4ba892ca9622733942cf1096cd9d3c517da1ca8539b5881528dd4139c35cb4712c3fbbb7a5bb15e17b2fad5f5cb6e5cc8b84d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78d03ed154224b61dc3c51db9a83024c

SHA1
62008fe72b44b8f4ac991bdd0cbff2d30908a03b

SHA256
cfde1d382cc6cbd54c929abd222a55fb6dfd7e583b9781abd1ef2f1553454511

SHA512
2303a1df0b6bc7edb8dbf82bf8519f86de9277e4e5389a6b0f9a2f1290e2bbc49ccb8c1edc3809e585494d1c2ee3c30ee32fc697ac2012b41dfbb50b05fdb0ad

Download Submit