hxxps://aka[.]ms/AAb9ysg

Analysis

max time kernel
11s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://aka.ms/AAb9ysg

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT. 1 IoCs

phishing microsoft

flow	pid	Process
62	5624	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133872904682352313"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{48832588-6B50-435B-929B-5B99A4FD388A}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 6108	864	msedge.exe	88
PID 864 wrote to memory of 6108	864	msedge.exe	88
PID 864 wrote to memory of 5624	864	msedge.exe	89
PID 864 wrote to memory of 5624	864	msedge.exe	89
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 2076	864	msedge.exe	90
PID 864 wrote to memory of 632	864	msedge.exe	91
PID 864 wrote to memory of 632	864	msedge.exe	91
PID 864 wrote to memory of 632	864	msedge.exe	91
PID 864 wrote to memory of 632	864	msedge.exe	91
PID 864 wrote to memory of 632	864	msedge.exe	91
PID 864 wrote to memory of 632	864	msedge.exe	91
PID 864 wrote to memory of 632	864	msedge.exe	91
PID 864 wrote to memory of 632	864	msedge.exe	91
PID 864 wrote to memory of 632	864	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://aka.ms/AAb9ysg
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x25c,0x7ffb6c2ef208,0x7ffb6c2ef214,0x7ffb6c2ef220
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1748,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Detected potential entity reuse from brand MICROSOFT.
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2372,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=2368 /prefetch:2
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2192,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4812,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5148,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5144,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6028,i,187261336052601315,3161890197746767095,262144 --variations-seed-version --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
6b6fd075db74c3fe557972e205968d73

SHA1
ed5fd0cc46fff2715b1f4a45dd4e266eee777ddc

SHA256
9a88fe182bf2c23ce5d156c2ce699693cdfde3ba3b3c0abb4907243f4f193f51

SHA512
b917d5ceeb9ddf28ac099bbb1e7340b4884a66783c8cfda01853e4581c1775bd92ef7c91c3db255ddd1a577494bc9fc0d2b82737dac60f2ae96e891f3e89f12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
fae3479e1a2bbd6c2e5147af0c3ef34c

SHA1
61dde56ce98cbc53060c089139e800d7510502a2

SHA256
082ee63482e8017581fbe4a33a62842e2fdd13389b3067a7e0e4629ba4ebea36

SHA512
fa02715450b2087f68cedcfabfbe2c70fda6526efb1eb514ac373b3e7325e94cd045152ab87d77bb0d6afc7004382bc5d460019a16528c84396071a4937ddb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
8a77c36abb9fbcd1b64101d382e71c12

SHA1
fb113c6f7f5dcd46c022698b800fc691bc6956c8

SHA256
5a3e5cf77d1143f2be22802c0a00a5568b1583022b805af5a9acd1876682091b

SHA512
16c68094e423f3e3150f1355483116429006555b001197ed615acbd703b193c1f6412f43db90b92c2f36c0aa7d75c7328e601c570946f1ac1ea7e666f48676ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
d0d7944760de0088de99060e2211a6c1

SHA1
e95d72d5822b1da016dfd927d34dfc4693696189

SHA256
c2b3791f030958095fc5e49e93de0458bf3808b4790cb591fb4a52f3849ae1ba

SHA512
69872b9f545383708bab5ffa57f437b138c5e1a3ffe2b70566f42b5d6507f26af64f1d57f92136c2da61be084cc9e413afa3ee936f226d893c911bc46a877e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
216fd2636ec1edf45357a50d4c05e9d1

SHA1
e5607dd587d5a2a0862b2171f0bce4ece9b86081

SHA256
6e6b1578bc598972023866d06abd10a784b9ec696e535fa2bf1d65157bc2c72f

SHA512
052ed677553b40453a3f2495bfe5feba968bd6d00fe14b1426512a755e87fab4c5487b4f7693bf0642ac2dab1fa1cc6d21256eeba10e58ac423f5334bb53522f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
c615fdf8aca288a37f56bf6f7d64f158

SHA1
25d8f4c4022014fd707306e5569f1fb629c31a20

SHA256
ae388d4a49d580a8bf3f5ad5e378e8e3df0680f55bab5721e027940d92b173de

SHA512
428796e492fe04a6dbce32d54effdb1def0049d0300af391c8a42d8d1118d1ad53514bb3a71c01b89b3a76744fc6681c0265f8530b3902cf8e20bd23b54fcfd5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads