hxxp://Youareanidiot[.]cc

Resubmissions

31-03-2024 14:38

240331-rzx63sdf2v 10

31-03-2024 14:35

31-03-2024 14:31

31-03-2024 14:27

31-03-2024 14:14

Analysis

max time kernel
195s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Youareanidiot.cc

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

111 raw.githubusercontent.com
112 raw.githubusercontent.com

flow	ioc
111	raw.githubusercontent.com
112	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 1da5a46f0069da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{41CB7012-EF6B-11EE-96FD-D2E65CF77D40} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{2911DE5E-4A9F-47BB-9F56-75E0669CE76F}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Modifies registry class 3 IoCs

Processes:

msedge.exemsedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{449935CA-2428-43F9-B62D-696A6E3E2B5C}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
3796	msedge.exe
3796	msedge.exe
3272	msedge.exe
3272	msedge.exe
2100	identity_helper.exe
2100	identity_helper.exe
4032	msedge.exe
4032	msedge.exe
5080	msedge.exe
5080	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4112 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exeiexplore.exe

pid	process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
2656	iexplore.exe
2656	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of SetWindowsHookEx 43 IoCs

Processes:

OpenWith.exeiexplore.exeIEXPLORE.EXE

pid	process
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
4112	OpenWith.exe
2656	iexplore.exe
2656	iexplore.exe
676	IEXPLORE.EXE
676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3272 wrote to memory of 2008	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 2008	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 964	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3796	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3796	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3640	3272	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Youareanidiot.cc
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa386646f8,0x7ffa38664708,0x7ffa38664718
2⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
2⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
2⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
2⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
2⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
2⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
2⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
2⤵
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
2⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
2⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6380 /prefetch:8
2⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
2⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6792 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
87aef89adefc6f7988e43489addf747b

SHA1
207bf78617c46cfe73b1982214424d7b2596e0c4

SHA256
83011df76149685c40fab652bb9a1872ac9df30aec911539d498655f64bcda11

SHA512
bdc0707a795a4af6096d2840964ad28a6194a61f7f94d48e66addc969c50f2346a536847ad79c197834cbeeda3315f6b970bf0e4256bd4b1fa1c18c28dca2a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
7c9477ba1be7740bb108d7ee61018677

SHA1
c91079940d1c09d2f15ff7a552f41b2657e97d22

SHA256
5d49598f58ee5d03d75ff9a46fae18e34d1d4007465156f95dfb5a43ab4a9ec6

SHA512
1018a25d07f4566ce27f900b0286049be397ff1ecb2a3403b7e719ceec48735f4f69b2bbe913c6e8b17a2d85b4991480691c915fb291f5a09468b27e45cae1d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
941B

MD5
78dd7890a8d33a4dbb993ef929c05778

SHA1
5651578dabd66878f26829da69bd446742c485d5

SHA256
705859abdd0545ad12288fa896ab92c8cb500b68a02186d64786111cc62531ae

SHA512
adfa95854d97bc00161185eb094961539a075dbd7f981cf9dde20592303b850b7a92216f5acf65d90318586f27b34ee1f53da73a63243353e0e5768becf8fb1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1024B

MD5
a947f58a02d4b64b0b5f533b5f7ca8c4

SHA1
0e346917825b3bebd82bf5f35ae4781967c22b88

SHA256
f1bac78296ea7f0a5db987cabf65dfd93cc47c6188e009baef108853613aa40d

SHA512
718491149244ad8b8e1bd7896293b40501097306acf74d89f8885552418294680a4cb3b2fff801560ab321103f03b4e6762b29687c7edf7da7d688ca92888d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
61fa872d1092ba090f34d497dbdc26be

SHA1
8d704722d61baaf6e04f285d4df2ed05948e850c

SHA256
4372f3b742d311b815a5549e9e149c7db0fe96fb4947bdafebe017d542859d95

SHA512
c0afd5b98282068680c99c4c1f245c88d1a019e2eec7dbd7667b7a7a11fb777c75c8e0cd4f52bfe100adae77db44d853659e60ed708cdb52fc12012ec46bcb88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c32c242ff14fe78a0c14b00f977245de

SHA1
11cc8961b384afdb190968054e5696eac68a32e2

SHA256
01b6deea222bae98864606f76e64d2f161e60f9e556325bf78ca651ff8239a6e

SHA512
31fd25d4375b1e7d67c58e216a206a531af396000ffb90356ddb2537fd687f2a961f0a1a20cb8010aedcb978a4cc24a19c6c82c247778e0a3fb42bfec9e74e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
493b0366f78c522c078b99f8e2d59326

SHA1
6e2b843d8958148322e6ec54845a72271bda9474

SHA256
326e5ef433856ed07e43ef61714e0194b7a9e4cb08bc9ca57863e1264cb1e3ff

SHA512
63fc06de773efe36d35331253c2eee7f0850652363cd59e99b880dca9fe83808970b15faea5859216b67f7301e77f38b7cae979f4b1075068f940d27137413ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cbed772bb1c2c1a98501a5a3575e9c0c

SHA1
d56a6099f629e89eeb82a4b41fb6882d4d196f34

SHA256
bef98caabf0ebd42ab13bb5f1713127391e915258931b27d80f5190aa781f56e

SHA512
45c1466aa63ef287b1ede35c02d3e81bd8b95f48405ee0ee9270cfdd95e527174bd2f5eb216c939ac97d4351ddbf0daf48686620b08e5edfea7245b8dfdcd1f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
de158a650453c10e305e56ae6df95317

SHA1
346086702d58c9ae6e11327041a5a6ea1720100a

SHA256
90cbef284ba5d1d5798a6a96559e65ae488c6d7c233fc3c74df4917a6e6d0a16

SHA512
8b5fa31111cf10f2ed11788837709313d0819acd6430014b6955dfca4ba94f6bcd0763e8a1844e81158110da941d3cf44c112bdf7935b6e8f2ca109387da2390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
87a2d299a5667b376ecf6ea44641fbeb

SHA1
b771e24cff82a24ac9f7c5280432079a19101514

SHA256
b152ec7dacae385b63cd9adf85139287a5e5d890d5aaed27da19cec45d329c43

SHA512
92d71ab566f24fbbb2017ba769830757202d7ae70b7788b6a2cd4cd733f9b4463b463fc5787a6c1cb036bfa99e4fde31d08231b2b1feb9b604a6b3f9858df532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
85013ac1834f8db0390a375bf444c5ff

SHA1
608e2d9f9269f90f08d6a9d4b4ab9dc5f2032dbc

SHA256
ae0f42d206e224e8764549f0c28fd034db36b95c08ddfad2f24380dd1a8f2773

SHA512
cbdac78a64ac515ae5254ce27a20861792fcfd498ccf140785ba5c667d452a32b34d0bbf2af1202e3f15624d2d103e648cce1001c9496c2bc60c7786b8a7ba51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
49e388ab5af9eaae173c65beddb11d5f

SHA1
ff84a365cd1ef0b01d0917cd1c18cfd603ae8425

SHA256
ae3c28c3131f4d2624f1a60fa8095fa9367560958cc9feb09ce4082d1d407a6f

SHA512
970aae59d13fbed187cd219859b752f363da6ecc1307be98242695d037d386ce9616962b392e55ea9da952eb93f2a705427e284bf4dc6c8381e99a22c8840de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ff7940c20f6e1e9af7ba0f2542c3dd7a

SHA1
ee650665f06bf0f2429d3d36ec5f90bc59ad52f0

SHA256
0135cd0600ccb88af09204cc94d2b7c0ea3f2460121574fe997f15f82fb1bd31

SHA512
739130fa1633875f254aeba43a078060fcfea341258e165c91ea6cb0ddc59bc8e5b608274aff7dd6909331f3b69b82ec3cf162fd058ad668798feefcb0e3be08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580f1e.TMP
Filesize
538B

MD5
848ac7f8770a61b71858c6e2d769a17c

SHA1
823a7f15adcfb10fd167039d26131419d8af6ea1

SHA256
ffc55f64f562b258906c441522a299330e9e47d9a7043c6a9af53052693f9f6f

SHA512
8a5703efe57b180173422d991f8f6ed730e08a1fd69d1cf7ade0bb7abb4bf97c379fe29f8c3894b508d126bcc9afa0539dc6b81a026501b1f6327127d46d0f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
61658c6cbf2f38fd71ecc5237c11298c

SHA1
3ed37b451e5357d14be35ede0097a9212a998018

SHA256
0bd8259f92f3e3067e1f45bac954a17ef278bbb4125ff2d39cc1691d858b0012

SHA512
565b0d8d6772f670d5106c406d38515b091e3c450301a4285a601dd4bf42940794e8eba33e9dfaf824ee06c3e6139f32465abfba33df62bac1cd94600a42d12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
59b3917998183371dd9be69074427b9e

SHA1
e79e1f232b258c0f404c674352f054e079c686a2

SHA256
1ce8e3513b8067d97b52a82e8b94a13ffb0e80c457026732a143057bc6a8d0ac

SHA512
5c3a465774d4a50b7623e6e290c1dd2dbe47c00a7f76e765274282a6120aaa09091c9cfb48c7ba0dcd937c25ff371a0d8981202a6220712aef8c8e9299687a96

Download Submit
C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
Filesize
8.7MB

MD5
799c965e0a5a132ec2263d5fea0b0e1c

SHA1
a15c5a706122fabdef1989c893c72c6530fedcb4

SHA256
001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

SHA512
6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

Download Submit
\??\pipe\LOCAL\crashpad_3272_FONDSRXPYDUNRWJX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit