Resubmissions
31-03-2024 14:38
240331-rzx63sdf2v  10  31-03-2024 14:35
240331-rychzsde7x  10  31-03-2024 14:31
240331-rvv6xsea86  8   31-03-2024 14:27
240331-rsj1wadd8t  6   31-03-2024 14:14
240331-rj4nxsdc3v  10
Analysis
max time kernel: 195s
max time network: 208s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2024 14:27
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://Youareanidiot.cc
Resource: win10v2004-20240226-en
General
Target: http://Youareanidiot.cc
Malware Config
Signatures
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes: iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\PhishingFilter  (iexplore.exe)
  Set value (data)  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 1da5a46f0069da01  (iexplore.exe)
Modifies Internet Explorer settings 17 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
  Set value (int)   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  (iexplore.exe)
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  (iexplore.exe)
  Set value (data)  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  (iexplore.exe)
  Set value (int)   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{41CB7012-EF6B-11EE-96FD-D2E65CF77D40} = "0"  (iexplore.exe)
  Set value (str)   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  (iexplore.exe)
  Set value (str)   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  (IEXPLORE.EXE)
  Set value (int)   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"  (iexplore.exe)
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\RepId  (iexplore.exe)
  Set value (int)   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  (iexplore.exe)
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main  (IEXPLORE.EXE)
  Set value (str)   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{2911DE5E-4A9F-47BB-9F56-75E0669CE76F}"  (iexplore.exe)
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main  (iexplore.exe)
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  (iexplore.exe)
  Set value (str)   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  (iexplore.exe)
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  (iexplore.exe)
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\GPU  (IEXPLORE.EXE)
  Key created       \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\MINIE  (iexplore.exe)
Modifies registry class 3 IoCs
Processes: msedge.exe, OpenWith.exe
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{449935CA-2428-43F9-B62D-696A6E3E2B5C}  (msedge.exe)
  Key created  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings  (msedge.exe)
  Key created  \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings  (OpenWith.exe)
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: msedge.exe, identity_helper.exe
  pid   process
  3796  msedge.exe
  3796  msedge.exe
  3272  msedge.exe
  3272  msedge.exe
  2100  identity_helper.exe
  2100  identity_helper.exe
  4032  msedge.exe
  4032  msedge.exe
  5080  msedge.exe
  5080  msedge.exe
  4064  msedge.exe
  4064  msedge.exe
  4064  msedge.exe
  4064  msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: OpenWith.exe
  pid   process
  4112  OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Processes: msedge.exe
  pid   process
  3272  msedge.exe  (16 entries)
Suspicious use of FindShellTrayWindow 35 IoCs
Processes: msedge.exe, iexplore.exe
  pid   process
  3272  msedge.exe    (33 entries)
  2656  iexplore.exe  (2 entries)
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
  pid   process
  3272  msedge.exe  (24 entries)
Suspicious use of SetWindowsHookEx 43 IoCs
Processes: OpenWith.exe, iexplore.exe, IEXPLORE.EXE
  pid   process
  4112  OpenWith.exe  (39 entries)
  2656  iexplore.exe  (2 entries)
  676   IEXPLORE.EXE  (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
  description                                 pid   process     target process
  PID 3272 wrote to memory of 2008            3272  msedge.exe  msedge.exe  (2 entries)
  PID 3272 wrote to memory of 964             3272  msedge.exe  msedge.exe
  PID 3272 wrote to memory of 3796            3272  msedge.exe  msedge.exe  (2 entries)
  PID 3272 wrote to memory of 3640            3272  msedge.exe  msedge.exe
  (64 entries in total; the writes to 964 and 3640 account for all entries not listed with a count above)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth shown in brackets)
[1] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Youareanidiot.cc
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa386646f8,0x7ffa38664708,0x7ffa38664718
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 /prefetch:8
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5588 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6380 /prefetch:8
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,13793784962930576653,9793012444361568336,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6792 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
  [2] "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
      - Modifies Internet Explorer Phishing Filter
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
    [3] "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\OpenWith.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads