hxxps://u[.]to/hs82Ig

Analysis

max time kernel
50s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/hs82Ig

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
76	4020	msedge.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\manifest.fingerprint	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_312_2095175339\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\hy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping312_1044989102\_locales\ms\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879102644141069"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{76CB1DFC-6B5A-4DE0-B5DF-C0C1D41E39EC}	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe
312	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 2200	312	msedge.exe	87
PID 312 wrote to memory of 2200	312	msedge.exe	87
PID 312 wrote to memory of 4020	312	msedge.exe	88
PID 312 wrote to memory of 4020	312	msedge.exe	88
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2464	312	msedge.exe	90
PID 312 wrote to memory of 2464	312	msedge.exe	90
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2424	312	msedge.exe	89
PID 312 wrote to memory of 2464	312	msedge.exe	90
PID 312 wrote to memory of 2464	312	msedge.exe	90
PID 312 wrote to memory of 2464	312	msedge.exe	90
PID 312 wrote to memory of 2464	312	msedge.exe	90
PID 312 wrote to memory of 2464	312	msedge.exe	90
PID 312 wrote to memory of 2464	312	msedge.exe	90
PID 312 wrote to memory of 2464	312	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://u.to/hs82Ig
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffa92c0f208,0x7ffa92c0f214,0x7ffa92c0f220
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1836,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=2828 /prefetch:3
  2⤵
  - Detected potential entity reuse from brand STEAM.
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2800,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=2792 /prefetch:2
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2268,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4888,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5088,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5092,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5604,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5700,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5700,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3500,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6012,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6096,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6388,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6348,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3944,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3420,i,3437893326551886332,5931427898001886032,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a458c8f40908370f5a0ead954363689b

SHA1
4f9f14a00a80f3448cf3efb689aaec358656b4f9

SHA256
6b1ef8c476f8da0d1acbbaaa6a8cbeccaf8cd103f051f6dc99c05cb50bdb1169

SHA512
1dfc0163e5127864172706d1223fe9a327b434e890d502c1bf072d419ced27c1790889aee97272c84439586bb81aedb90b6f1583abf4d85acccbf00e3d8c948a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c9f7.TMP

Filesize
3KB

MD5
70e1e1950facf7d4d7c8531e5873a0e1

SHA1
d9b6b57aa0a5877b4baa7ba505528c7d3bce7e8c

SHA256
c007e1eacf939411573d22554950543c30f816507a30af2d4db2491e204f3438

SHA512
30a7eb83621cc41317e57163a8379c4fa4ef535475a139a8db9cd95076f8d4b3613da07952b7532466e56b74390fd539f9b8f2b420c06bf705f8e4ce2bb1ea69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
5cae344c66598e16d8f8cc64b85f258c

SHA1
61dd93ec97a59ce029ca04b230a376c8ba0a5ce9

SHA256
c03e45f73bf76c22af106cd9c784a684da7dfa91a52658e939e0513652a2a88a

SHA512
7183cca4bc17871a3498864846b7562f270ff970973c04551d6ce993295c9fbaffe854643b3157e483f9c936f28dd95b668470f74221ac095471b4db49875a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
46c3188a82e1dcaeaf11f244c751369b

SHA1
1c92d9d5ec2d19d9a5cc6caab560c906028dcc68

SHA256
1477145c2ceea7324b26836d1ebfd608eadfe1b0cbe0aa6ca74cd707ada0899d

SHA512
1f4cdd56a6cec18cf49e25bf7a3dca5a620618c6c0ff44b1dbc81a6c0e40a4c6c7c9f952da911b2eb80928e6fdee0f896003ebc8b12b2032468195ce0304a498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
27b5d11ed933171629bcbc971926cb06

SHA1
2a871dbceaf0e5916df9d83986899838532d0b7b

SHA256
196fd64c3f798e7b9acdd9e1a70188653a084df4a0f36ae09c44c217cc7473de

SHA512
4f7825f57e584e63fc9226ae8f8b1adad0d1fd60d2abb9447cfd08674af1b5cb4a8be6e3934461e5ceee0254e5104ca4078ec829cfa570b71dabdb3173e0cc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
f85c26e55e6581aa798ab881060bc2f5

SHA1
e78290985f052e6f1400fdf72fe5690229e1c787

SHA256
524228b709fb60659f4a9536580ac994afa6250487fd0833b36e4dc5f066f158

SHA512
0b2e7cfcd818d49970dcb3f2d55c241b2418fb931fe4bd574ac964f447e6bb6103cfbd90a573d12de0c92d4fd87c27f06930b1ce7941521eb16fd8c303f85595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
27777bb02079b946a995534099916385

SHA1
a7f0066831bff5e40e1e4f871e668414b252eedf

SHA256
547f4477f32adbe3c5de35ccd6709e1d528e085d765c0bf6415e97877a3387f6

SHA512
b9b708df83da836fa69f51bc8b6a723ef25350cffcb2bc5b1fde46f39a500881f94f461d7ddb68a00cbd340e032d4565e7de1a5493033af6b399639da04d0204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
135ca7e647b347dd31a1c49b592a2c3c

SHA1
136c2fff35ee8e6a7cef11307d490fa83349d2f5

SHA256
71b812fd14e7324f5c6d9168a100c8189ca5b4923c7e6e1233d95c7dd8ce48e1

SHA512
7185ab196e6c911322d4706f40c779ded2ef365e14307ee4a4521e58d748146a348ea477b3b3e960ab64414cf5d6178e3c29c1c18868735c2ba602d31eb95402

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads