hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

07/03/2024, 17:12

240307-vq9qasgd66 1

07/03/2024, 17:11

07/03/2024, 17:10

07/03/2024, 17:07

07/03/2024, 16:58

07/03/2024, 16:58

07/03/2024, 16:49

07/03/2024, 16:45

Analysis

max time kernel
155s
max time network
170s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2024, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1268	YouAreAnIdiot.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
52	raw.githubusercontent.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2684	1268	WerFault.exe	107

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 27793.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AxInterop.ShockwaveFlashObjects.dll:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 572336.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 418692.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 994125.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\YouAreAnIdiot (2).exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
1176	msedge.exe
1176	msedge.exe
2696	msedge.exe
2696	msedge.exe
4020	identity_helper.exe
4020	identity_helper.exe
2028	msedge.exe
2028	msedge.exe
4004	msedge.exe
4004	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
652	msedge.exe
652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1160	1176	msedge.exe	78
PID 1176 wrote to memory of 1160	1176	msedge.exe	78
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 812	1176	msedge.exe	79
PID 1176 wrote to memory of 4532	1176	msedge.exe	80
PID 1176 wrote to memory of 4532	1176	msedge.exe	80
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81
PID 1176 wrote to memory of 1460	1176	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdfc2d3cb8,0x7ffdfc2d3cc8,0x7ffdfc2d3cd8
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3252 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Users\Admin\Downloads\YouAreAnIdiot.exe
  "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
  2⤵
  - Executes dropped EXE
  PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1236
    3⤵
    - Program crash
    PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,16505627454588880653,16960331788157160637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1268 -ip 1268
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6d1de6a3-ae45-45c9-ab32-eb3fba91fada.tmp

Filesize
11KB

MD5
0282c259a1099dac7087904ef4638db7

SHA1
c100fed349da45b8de6d5377b3c729366a0628ca

SHA256
fbe978e5246924f77a048ad38c2dcabbb8604a602bc68d55387ab2acb45381ae

SHA512
2eb865f76213c45682b7430ba2c04f6d0fe83e01b43fa5cdafc3149950decdb07db8db907a13ffa0b94e80dabf759190a60aa1a3d4fb299e05f1332d149e8460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaacbd78b8e7ebc636ff19241b2b13d

SHA1
4435edc68c0594ebb8b0aa84b769d566ad913bc8

SHA256
989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a

SHA512
c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c194bbd45fc5d3714e8db77e01ac25a

SHA1
e758434417035cccc8891d516854afb4141dd72a

SHA256
253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3

SHA512
aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6f588903-dd9d-4e08-8297-b16c613185ac.tmp

Filesize
874B

MD5
67042b9493542a4dfad99f667636294a

SHA1
5d05a5965d3a61310a8460f789a00e529af979bd

SHA256
5c0f7985b6996f18e5e359b69b846fd5e1078b6ff2594a852c5038bc391fb680

SHA512
54d0a3235b56271b2c4c549ae8918188ba559785c3cc03e218e2c2dcd0e5c368d2353b9b24388fa4be7483f58e8f241a3e03b7c56a4d0fe4672051b9eb79d0c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f91ecc41a07dfac3843c4484490c44e6

SHA1
2871c422ebaacb1e1cf139316b77cfe6197aa8eb

SHA256
4632db194da661b9fb952f59fa1cb14e8ece4d5ed62f841550d06cd783b1cbd2

SHA512
f7fe1c8fcbc2b4f9bc789696adf5220d454d68f37fbf8c96d6a7e66f4e94a53d5277b6aa07b74db6bd0a1d5cadba7332c27302f5fa5f7e3e8dc9839df0045075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
684549e012e3c92c64da2628a436b17f

SHA1
8632a828b24f618ae897ae0b1e6bfc4a7738d72a

SHA256
378ca3fd2b1d2918cbf450128c2c03d1fa058c4b3855d0447962b20134edaf73

SHA512
84253b70517331e4555ccd92c37db3b5b071ea35ce23a22c27002071d4e88df23dfd71946abce741f37bc4a74771f92cafabd13bc82fc297968452f97117e682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a215e77048a147d5ca6a0f085a6cbfd

SHA1
8d4abdcbbcd3dced499301ee4398952285ebd9ac

SHA256
81bbfe3f5fb2f5d99a723db8d227299126998b0a3f5658011c7b626bafd305ce

SHA512
6dd9741242244cb55cf2f9c59f7f9fc73ed8df53810beff13407cc7a27992b30591df5f5c4eb9dc6327369a9483f82e069578c2c18790caeb4e54768665f9b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
42b5a4e81342526eb6f8b40625e49097

SHA1
8ab39cf7669ae0e4bb1146d62af59777d8e30fc4

SHA256
2a7b38b09957e985444c358e91b19b2b7f19016b78b1f1041f39106c4025d2a7

SHA512
e0a8da2d25d09f3cb89df84b95c90439b8408d73faa5d52101025fa984dee87fdbede98985a40a605332253d2b4160e5bcce010c7eb24446a68e679c3b58fcf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7a44f8c2db16203d6eb10a60a38861f6

SHA1
32ea4e7a4e818617cf98a621b5561eeae97b3ad1

SHA256
d2cda3a3862caff3334f8301b0119c9cac4d2f009afc5cc65bca8cd8592d5eeb

SHA512
fdf4168fa4be585b65e747cddf9fc8aa2ce1c94f67b01d7c46b7542d30e71642eb4cf101d6aca202da98c206a67700050543b01a20955883451afad11d5402a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6bd15d79076b70b5135a8853c9661427

SHA1
d3faf6ee91d3f98c9b82ef5c11076656a611de75

SHA256
9540b2e07c9c79759bbd6869c599d20ca4c086dadc70e81b81b212fd21a2f2b7

SHA512
6ddff5df478f39e582ba56e7092dedbc0881f9f1e7bd83cd1fee6526094ffad420022f4567ec849ae4aadb9a3e8be7c15953a607eee45edec54e789830ddde72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
37694b59b213f7673349b82515cb3817

SHA1
299d41357730665fa4bcc21636d9ad535cbe06e0

SHA256
89804712f2eb03eb1fdd8264fe354f927e4e1d4d0a45e5e5754952d4670c4eca

SHA512
1fa959cab9f2676373d06459e54494b693bacf8db1126999058701fb0adab28c2f2d58a9ae8b8192f2183d325fefea6119120586b63ab68c1b2f70f7989ce063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a47b533d7bfd3e1bae86ecc4da603b7

SHA1
0f32d13c1ebdf93d27f2aad6e15c6804b9d65415

SHA256
89f07e53f68ac0e6e267b8dd56296d68ce0f2debd97d9627d9ce5847d30b1f92

SHA512
e106096d2854de9b5c0438b1c48fbdb40c4ac86cae7510da691db1b9893e379d741fa84a6f980bdd2b688f952d38df4ce9c72f1f40e44cff32f9e3d1d1e52d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1c2dbdf312d4338aad0264c29df680d4

SHA1
4e439cff765fd291cccc16e466c679ae7fe2df74

SHA256
380e0226794f6ed564d97dce85543a356f190aa25ea4c8b5a30ec6b0b7902a42

SHA512
5faf01b1f9fce509c9f0e5ad08b01049f1e64f5272ebe55f9f5923670b80b3e6c4eb25a136564d41b5ba8623bc7048b326531985d9dd8be2704d4e7b86dde64f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
0819243b9162d48c41902522e2444f89

SHA1
e3fd4602ec50a368e96b70b5f1204d8b85db26a6

SHA256
1051cf11a0ca31e6b2d61e796f52f8e0d77c4a0a237f532330282aeacf2048ac

SHA512
2b389cd0f661a500afc5bc1d836d899eb07c936543c686e2999cfed01108601a5c7a2bd42e98ef0d1dd21f75fb49bc73503c96594786be5cb0c350203bc67215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53e651f792093a5ffd0324af2c4736ef

SHA1
17cdddd43cbd594be6154b08ff13884df59f6f15

SHA256
d5d589bb79af2ad4037b8967cac0f6d44a1058fd8543ffa52a162b697629be9e

SHA512
bf68e6f0761e5707bbe773a3a8de26f6521de7b4218a32d072dbfef8682fda8ec27cb420d15c3d4223a89a5941371b8fc65f5b82ffd35c11aca23d45a806fe81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
80485ed724a4f361e5701eab7b093a4a

SHA1
28c751e1f4230c36a5a5213175f58244d95366ca

SHA256
8ca1c0b09d37bbb8a7f5320014ee4c7a99fde9142555b8359f6611dbf1b93758

SHA512
6a5ccc7e5357445018de3109884f9086231d40a8eccc1437ac871f3839958ade19b5a078c2bfde0aa1197a2d9f793b5778762d5e27545a6372f0afd263df68e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
25a702c8281decf99bd65abaef7dcc05

SHA1
295e66da11c013bfc91bd1ea5fc6033909a340cb

SHA256
b7ddab424e7235b9c69466c9685217b0149d18017390a95548e4c858eec5b7b4

SHA512
cfb3270f97c0f4e123a8d5fc9a621eff1e00a01a19e68e8a6ce9dacb54fdd6dae7ba488632d7e1ebdf6237d7da94ed032c2a04efccb3b257eecd4ed6fd8e26a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583ec9.TMP

Filesize
874B

MD5
3b520d40e2ffcb8909368e399e8a8464

SHA1
b4e8b8a4386ebefb61d8df6ddf2c1ee6fa1f30ed

SHA256
8720694901d6415ef3ca227453bcdee2f1d160fec6341fdb527c6d192b838aae

SHA512
af75781fdcf11866c5d189c327d763a3516a10259d3908ad5f36f91f017224f5431a4d91e8d0d2ae4b935da114ff6e8179efe66a6aea88c2ebbd06a4af5585d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e72f802a-2c1e-4e71-90d5-dcdfe9c78c83.tmp

Filesize
5KB

MD5
10404b96ca66caf7b4c44f978884883e

SHA1
e3fb1535487d9f44062bb39fe23582a57d44d0c4

SHA256
db229f79b33777a19d52596a0747b9a3f4ea101f1ca8d666e26cbbcc7f859a3a

SHA512
c157c933eed54a60de74ab16238e3c1dbbb448a646eec759c336dedb777418abed19922bdf6292333c923bb51a7c8cd478abefe46cf7d3d9fbb36b1c55c18ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1438a956b0f64b12d9d34be917a939a0

SHA1
9c7524442c4f7996dca9f872bb59ba61606528e2

SHA256
9f1b13c4c0e47d6ed89befff86d6482611fbf979c17c6300ad1c9572bd2339e1

SHA512
89efab5fb870c3df44693dbf9a87ab5226f14a2e563f785c85f9f8bab492edf44ecaa37d3168225e22907a28879fe9655f53da5364974577d0070d30560799cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
44572ef2bb5b04063d62fbf8471c878a

SHA1
41091134567fd57447fd3ca3b282898d3ca1d253

SHA256
c30c18b505bf5b61541f3021474e89d0fa5702948dc9669a53b2d3866dc83ac2

SHA512
198320c0e5cfba824360858eaf9613c8bd0be5b95ece0c55dc4e6d240f85f6e13ec543e58b5a17dc7168988b037289ce1d9cdb42814feb2fd40762b3ed730b31

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 27793.crdownload

Filesize
17KB

MD5
451112d955af4fe3c0d00f303d811d20

SHA1
1619c35078ba891091de6444099a69ef364e0c10

SHA256
0d57a706d4e10cca3aed49b341a651f29046f5ef1328878d616be93c3b4cbce9

SHA512
35357d2c4b8229ef9927fa37d85e22f3ae26606f577c4c4655b2126f0ecea4c69dae03043927207ca426cc3cd54fc3e72124369418932e04733a368c9316cf87

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 572336.crdownload

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/1268-439-0x00000000002F0000-0x0000000000362000-memory.dmp

Filesize
456KB

Download
memory/1268-443-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1268-444-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/1268-445-0x00000000050E0000-0x0000000005136000-memory.dmp

Filesize
344KB

Download
memory/1268-446-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download
memory/1268-442-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/1268-441-0x0000000005480000-0x0000000005A26000-memory.dmp

Filesize
5.6MB

Download
memory/1268-440-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/1268-438-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download