hxxps://u[.]to/5s42Ig

Analysis

max time kernel
54s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/5s42Ig

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
66	2160	msedge.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_5436_756186253\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5436_1506518691\_locales\ru\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879390570212256"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{741D7D7B-6069-4BA5-B1F2-2855A80ED79D}	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5436 wrote to memory of 1380	5436	msedge.exe	86
PID 5436 wrote to memory of 1380	5436	msedge.exe	86
PID 5436 wrote to memory of 2160	5436	msedge.exe	87
PID 5436 wrote to memory of 2160	5436	msedge.exe	87
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 3024	5436	msedge.exe	89
PID 5436 wrote to memory of 3024	5436	msedge.exe	89
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 5968	5436	msedge.exe	88
PID 5436 wrote to memory of 3024	5436	msedge.exe	89
PID 5436 wrote to memory of 3024	5436	msedge.exe	89
PID 5436 wrote to memory of 3024	5436	msedge.exe	89
PID 5436 wrote to memory of 3024	5436	msedge.exe	89
PID 5436 wrote to memory of 3024	5436	msedge.exe	89
PID 5436 wrote to memory of 3024	5436	msedge.exe	89
PID 5436 wrote to memory of 3024	5436	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://u.to/5s42Ig
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x280,0x7ff96a6df208,0x7ff96a6df214,0x7ff96a6df220
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  - Detected potential entity reuse from brand STEAM.
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2416,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:2
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2428,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4868,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4908,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3720,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5576,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5696,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5696,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6116,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6260,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5892,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5248,i,2094755691553074917,14565193192115264460,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
851ba744796fe1c2ab78aab3420670b9

SHA1
27c4162f5e576a2aca7b6d501b629f06920958dc

SHA256
804b12b04f866777b3f72199bbb1ccd5d8074bb4c4918c3eac497aae0b476d11

SHA512
8d4944a44da8a782eeca27317fdf8e6f1188a1b01d690827a86f865c2c4e9cba8073cde30d319407dc48c44dd6f45571304b09968f1980c98a3c69f1b04d82e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe582630.TMP

Filesize
3KB

MD5
a02cd70d1ed0c12586742ef672d3c90e

SHA1
9a3725144f6e8950a3c302851e60636bd940207a

SHA256
4d9c80f94ff79e5c7e7c02d0f4a545a1f72569a80e8f524a855e62617e91e347

SHA512
fcc6079969fbaac9bbf327f3fba626a9ec61635278e0d8de237d84bc9af3b2a4ef765bd6bc604dd0a01717bc01798737a65c2c28d30428696494b39973c54dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
be9a606654ee938f5a0716affeca2524

SHA1
7dd1d184ffb1725a1bac801160df8d104a7a6e01

SHA256
2a51aa8243508814a589b67f2ab580ea7d73332008d9b40b4805aa57046e2dac

SHA512
46126fd3f3cfa03463abe369861748b9e2202809b9329fe9e8653494603c9f43813d06b815a1b8a2e7b5ba397f917bc9fc8ce35b115362d61f95e1c8bdece3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
933b4d27c870f5d37c4362fbeea2ffea

SHA1
e98573bb7888f19075d7d28b1980a21744044228

SHA256
0fc28df62111883b49518417abf8214dc0ca6e3016a2478b6620f28a730a4e78

SHA512
ea22b96124a7070aced60f425e61b06846b76cf13d4bd424097cc00ae8f640e433b52719dc4cdc8d909e98455bb4bef0bdf6a2e134eb9eb60bc435ef77c22e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
bd7ca49f76e16bdf58c1d07d80345ddc

SHA1
1360514d43466deca60af7d09250b91f55b27d64

SHA256
9dbc0564c28364fc660afefa30b131c758691468b942cafe8f3f45c0a6d13211

SHA512
083fd4192fb0ddf3b17b4dd962486ea4d506157d7a9d3aac7fba846064863aacc584524d0b7176088b0aa2cd5f39e7f7ae8a3b616fe0f12f94891d6152146251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
81bc48dd1b24fd7c696798769fa0ec79

SHA1
7d5acf5567ed39a572bb2b8ceef484ad178213bd

SHA256
09076f479ad13bc275d4745b2d2b60f1b60f52be2532df86813cb834c9926691

SHA512
c1ca3cc031e11cac93fa2d1d8076335d6b35687ec6da3eaa56753dc7b3defa6738d4c9880a800d56b4890bd40d42583b9776f852ccc042018fad5f8919e85a89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
6ff98dbfaa1cfa6f1a2b0892687a2fc6

SHA1
2e2a6ea8a1878f209b67b45bbc1eb195e0d47b8f

SHA256
4513d4101789e6934c1f2668b18dcea21a518505894a51da993ae2b7bcd94fff

SHA512
b2c47854fa4f53a5b69c68908565ada0b0c4bac8f9bd5394147d8008d53b262ac32667ab95cce6c247b16c261f65de494d0b09a2c75f1a343290d7e983a3ac93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
11b1e4f890db4c5526e4e3b5e8626340

SHA1
433d0015e353f6e8ad17a3a7ec9569b1aea471fd

SHA256
9ec9451db4d2232a5863183a7b8fcdda5913985c7eee71d50bf1af855f23c9d2

SHA512
61cdf7049094162242f32fbe3e69d1d815a7d2ff6cc188c7ef0a5403559181eba4107b9cb1a2eae9e2cd5f51d8de5df12e1db8451a2bc7ca544156ad1b2bc818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
635ead427668edbff2c289a69ac005af

SHA1
89204599fa7813f1d2433bdebfed171289d2e612

SHA256
0edc40913c6bf425f2a88a65ceaa5964684515c766d091b3c1539890efd3101d

SHA512
ec958765074cb153292a2bd7538014dfcdc186d695022807d04268627565078824011156712fc4768ebe23de2cc1d71528fe8c96c69909e8eb699a9b2a870dfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads