hxxps://steamgift[.]cfd/105394106

Resubmissions

30/03/2025, 22:57

250330-2xqpbs1kt3 10

30/03/2025, 19:24

250330-x4d7navxb1 10

Analysis

max time kernel
32s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamgift.cfd/105394106

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
66	3164	msedge.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_5932_1177370739\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5932_277948174\_locales\mr\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878362877248657"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{0B56ED3F-2D67-428A-B5C8-E2D46B14EAD3}	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5932 wrote to memory of 536	5932	msedge.exe	85
PID 5932 wrote to memory of 536	5932	msedge.exe	85
PID 5932 wrote to memory of 3164	5932	msedge.exe	86
PID 5932 wrote to memory of 3164	5932	msedge.exe	86
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 4620	5932	msedge.exe	87
PID 5932 wrote to memory of 5024	5932	msedge.exe	88
PID 5932 wrote to memory of 5024	5932	msedge.exe	88
PID 5932 wrote to memory of 5024	5932	msedge.exe	88
PID 5932 wrote to memory of 5024	5932	msedge.exe	88
PID 5932 wrote to memory of 5024	5932	msedge.exe	88
PID 5932 wrote to memory of 5024	5932	msedge.exe	88
PID 5932 wrote to memory of 5024	5932	msedge.exe	88
PID 5932 wrote to memory of 5024	5932	msedge.exe	88
PID 5932 wrote to memory of 5024	5932	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://steamgift.cfd/105394106
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffe2adcf208,0x7ffe2adcf214,0x7ffe2adcf220
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Detected potential entity reuse from brand STEAM.
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2264,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1420,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3556,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4992,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3676,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5480,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5624,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5624,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6128,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6028,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6160,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6168,i,14949304981653721884,15074298752951500059,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
313be5de22812b8d3b69500283ec4071

SHA1
7bb9cc6e853672951a4b972c54b52e2a620bd663

SHA256
2031469d1790caba0bfbc61421a9984f25a1e13fdf6136783f7dd57959f83907

SHA512
9f75814bebd85747acd18455a1382e01c3f887e62eb0c928a36c35f4b44f6d8fbf9ab92e1cd4940b76ed847c85f51df19208331a7da188ba49eaa58fe584b988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe580ae8.TMP

Filesize
3KB

MD5
9fefa90d3c183bc7aaf5b3cde82e4188

SHA1
2e0f1bab18077eb2c489d32852864e7698ae8d04

SHA256
62a29b7b532304bb762932a5ff70aedccb7e4c54d085191d32f27900730a929e

SHA512
978f4fa85b29e99a2b0813c5730f2ef39b3f8ecdf308d23b4876ddda3e13cb47cdc3a2e2d68c1ff5b7c45030f31cf01c58f48b7879a9bca86deaafc48dda461e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
9df8eb9d2f675a415e81bf6af4a8e929

SHA1
228568a9d1c337c65194bd84d1df3c0e19fa6664

SHA256
4750d9c12c187721f413e440e6a894d4581e2305211944c0e75ca489be961bf5

SHA512
547c113a6dcf7baaae2940c9c1a76b969f32d5c40bee96b62cba4e7c9973a15427b622d31863be543ebbd12ad8a8e14bc609f0e88e5618a951016a9da29a4995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
c1d6f2fb2a3b6826e26505884dac1e52

SHA1
41c3f6c255faa00010ca6e0cefbb870c90f07d3c

SHA256
e29620fe10f1c13ad6e39f1df17134af000b7361a1f737a9373e0be6133b8728

SHA512
6a2075ceead82f4f697cec55ce04ed58c128671d8d38e45e845d1dac9a8363a674471794757d45ba103a0126f8714e2cee535970cb96844d6060eb93f7fa1a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
67f2e69d8f1822b0423667531f0c4c6c

SHA1
8e91efc9de510323125b1f25b2dd1d15af559a54

SHA256
75ca524b40d300f6964185297fdeb8f73a476febbd6bf9a94b64e4291e6e142d

SHA512
7de6ca1989b7f9211396c00c1e758463600ecfc2d3f14c8f1ae0279a7ee0dfaffb888c513aac89f2270cef413f8b2b50ab4ed13ef905cab51a8cdbb86db1d1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
613058c88108d90e816cc7673f76b1b5

SHA1
152d094a16361d6a05fc69f8566a9f49ad1c3d88

SHA256
33213d240dc5fd7d6c63f2e4eb90ab89c9b542e72b311ba69d25fbe34da2fd2c

SHA512
e7151e40c5edef2e1f467c4f3be2ec06ab91152cdff3fdbc66db86f6e6899f103fe2f90e6b2e3ac6fa8542b79a07eeaff572a14c4b12cc2715a69a727d092cbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
65baa523494e6f45cee3925ce024a658

SHA1
068f0bc1d2c9dac0a65e6117ae6d91e2973b4ef7

SHA256
9227ac6b2f0d411a09f2e42031d208cc336a242e0c9e3cc6e5f2f29584f3a3d3

SHA512
2125d70c94bbbd768e9e5d8c5d60459d37e6653816f1f1118af8488036497460701d19714188270ddc1a66006eb8544056cb16441868419327b0780e1f8cac44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
2694a87464e28731ccaa6f85bc646677

SHA1
c2956ccb1334698cdb10d1793f38001cdb367414

SHA256
7e03520704b620ef403a0efe891a4566f6269d2d4d8485b0aaa21c666b4436c4

SHA512
73f1407df6fa0fefff91a94729782212a249395e852533a415aaa962b58536d6d20a4a3029e7f452a1334c9ffcf335244e977276575fbb45b9ef205b9ae28ff0

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads