hxxp://Youareanidiot[.]cc

Resubmissions

31-03-2024 14:38

240331-rzx63sdf2v 10

31-03-2024 14:35

31-03-2024 14:31

31-03-2024 14:27

31-03-2024 14:14

Analysis

max time kernel
240s
max time network
241s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 14:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://Youareanidiot.cc

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4581ce5.exe explorer.exe
Executes dropped EXE 8 IoCs

Processes:

CryptoWall.exeCryptoWall.exeCryptoWall.exeCryptoWall.exeCryptoWall.exeCryptoWall.exePowerPoint.exesys3.exe

pid process

3724 CryptoWall.exe
332 CryptoWall.exe
2536 CryptoWall.exe
1464 CryptoWall.exe
3680 CryptoWall.exe
428 CryptoWall.exe
4376 PowerPoint.exe
3512 sys3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4581ce5.exe	explorer.exe

pid	process
3724	CryptoWall.exe
332	CryptoWall.exe
2536	CryptoWall.exe
1464	CryptoWall.exe
3680	CryptoWall.exe
428	CryptoWall.exe
4376	PowerPoint.exe
3512	sys3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a4581ce = "C:\\a4581ce5\\a4581ce5.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a4581ce5 = "C:\\Users\\Admin\\AppData\\Roaming\\a4581ce5.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

130 raw.githubusercontent.com
131 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

137 ip-addr.es
139 ip-addr.es
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

PowerPoint.exesys3.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe
File opened for modification \??\PHYSICALDRIVE0 sys3.exe

flow	ioc
130	raw.githubusercontent.com
131	raw.githubusercontent.com

flow	ioc
137	ip-addr.es
139	ip-addr.es

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{9B6D0DD1-DA05-4C9A-9EB2-26135B710509}	msedge.exe

NTFS ADS 4 IoCs

Processes:

msedge.exePowerPoint.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 20303.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 612821.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 953487.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA	PowerPoint.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
3068	msedge.exe
3068	msedge.exe
3692	msedge.exe
3692	msedge.exe
3116	identity_helper.exe
3116	identity_helper.exe
4148	msedge.exe
4148	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
3684	msedge.exe
2112	msedge.exe
2112	msedge.exe
4948	msedge.exe
4948	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

3724 CryptoWall.exe
4552 explorer.exe

pid	process
3724	CryptoWall.exe
4552	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sys3.exe

description pid process

Token: SeShutdownPrivilege 3512 sys3.exe

description	pid	process
Token: SeShutdownPrivilege	3512	sys3.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

msedge.exe

pid	process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4836 LogonUI.exe

pid	process
4836	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3692 wrote to memory of 3540	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3540	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4404	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3068	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3068	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3696	3692	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Youareanidiot.cc
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84bcf46f8,0x7ff84bcf4708,0x7ff84bcf4718
2⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
2⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
2⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
2⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
2⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
2⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
2⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
2⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
2⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
2⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3632 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
2⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
2⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1636 /prefetch:8
2⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:8
2⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:3724

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
PID:4552

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
4⤵
PID:592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
2⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
PID:332

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
PID:1464

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Users\Admin\Downloads\PowerPoint.exe
"C:\Users\Admin\Downloads\PowerPoint.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- NTFS ADS
PID:4376

C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
9f964781b7fb7a14e200c1cbeec3efc4

SHA1
51b506635f115a96a80b9990d9925f49c56c123e

SHA256
d0d06077d1fb9b1d2d44f7bbae58f158f3f21022a84fcb6e3bc1cc962c42047a

SHA512
d2f32c870f630c26619bcbf8060978d218a1f3744e96b04b4891f621fbe5ee3d6cf2af43a650ab7de17e1699a76afc9127a8738ab7c20677134be2cdfabf809c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
21dc27529157bb34fcd7fe2451570660

SHA1
26e02bde89a07021464f2be6e6c60d24d1953e61

SHA256
b7f7cfd92a877be8f6d50658b497bbc30dd6d6a78e350f582098011755f5354c

SHA512
74b6a351de47a95dce6b600737264738a1cebd6a79410ae5432583ad559b377fc3fcc6a6d0054ceef003ffb69989ad8762c99e6bbcb76b368532a9fbdcb87ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
94b7051476f46e38c14e83b683b248b6

SHA1
f1ac4ae8b61d8e84a03d2086f2c97a0706da7529

SHA256
e78bd3058040428fed0fb722192a599560f1a3c849284070b053a369d8f3bf4c

SHA512
4aa7276a3e2a8222a92f14d6576e37636ead88978bda22213afeebcf31a20d5615e070686c93c7fc18f69d38e98e8118acba8c94ffe06a8e9268be1c8c2c9ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
c0c6badff90125bad19111e1eef11fc5

SHA1
6fb92dd449c81e41ee0e607ad616282d3be88e21

SHA256
690c12067223b4cf59682c2920988ac107d3ee1057c6a0dd914ae98797cf3f70

SHA512
a639c744c6e59447050a5052626de5fa71932e4610ed6f7770af7d95d109d260138fc91110c19d90ef06cdf2dd7baa0c1ba86f9ba075ba2986828bc1ee4e0ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
aea7553969ea4f821346e0f4defaa915

SHA1
33767849e4b8d6bcdf943179d2549ad944bc7476

SHA256
6d7d1e4a257eaad1f2de12379bf724c21c1376080b5c2fa7afc650d720dc0eef

SHA512
98579990e7dddb2465ba55f04103e679f55a43a578669f367c8b8ad1e8afb2fbef671a35b3ecd79e68922e9d40537c9e3e608a806880bdedea8ae28234beb037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5a814351c7848ee8edbccdc12559b4ff

SHA1
41ec422e19f246fd6f364a4c0457a3f8e3b598a6

SHA256
437cd374fd8a3ed588aed1acb6226dc1329946f6d0d744bb277640033e81207d

SHA512
d1fb94bb3c1304972cedc07b729b75ae5e8f5b4ae8173854cdf25982c277a3de63ad72ee6b75ec5666d7287b84a18d112c125863e3984753d5ae3787c4dd9f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3acb90acd8e059908238fd0870426655

SHA1
c673668eeb3834e0f53bf1317b151a7496a9f17b

SHA256
6fc94c1275bb73b4cedd2d33107945fe3ce4ac66b401607b572ee62477894fbc

SHA512
6ab5756fec0be0a221076e92aa0ef49b216547ce2be1ec3549c2483086a43ab574564b5cf71e198e137a1829a5cfcc83043b364332c1cbf7819bf1e883dbca6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8ff872171b96e6b5e0b8f661689ea788

SHA1
6d1e20f71400af59fad7f09a1674b2c0d582a1c4

SHA256
50c0db1b3baa57c66136d8a4acecefc3e88c1b1bbd933dba363a7384e887457a

SHA512
f97ace01d6b321b16d12ab38345b74a8a93a3f2b3b0909f157abf49f06e77cba0fd69ee373be7595d8d185cf312431c4e2a13816969d43a3b7f064fe75c88925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
8ab6f913ed29131afe39409945db48c0

SHA1
6082ccb7ccdec9defeefcab7055785b0848f40b5

SHA256
c6c5e1407e8490ddaf79cb53b6cbaf6ee291e5c2a1482d31544eb44882216096

SHA512
c088819ad2aa72d3bf2760536e0b41d8f68127f9bb8ece20c11a5ed73ec0097e8f0b99a1b55b188b50197ddcc1d97bf68ab94fc0a9ab1c64692a8d82070407e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
34ae729996ff93ea78ace776e1e84462

SHA1
c4d9129ace0598a5aef36bd6710a0f28b1be294b

SHA256
cd921f59b67751a132da4f16cfa47ef5303a725cb2a0ff642e9adf4f70a7b106

SHA512
997b2bc365872d9af77a5a679709bc972cc0bdd6014e0818850c6398f33131d605d1d5b2488963e948a31a9bf902b13f9746f61c3519b2a09170a63f718a19c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a1d2af1acccff1793b9b70688536ba5e

SHA1
75d8d248ea96b14e401b707f218f02e41940bde6

SHA256
0dadedf67d2259f494e7c99ee621846a0d5fb252bf4ce9c5fd6362c27ea4189f

SHA512
ba3f8624f8d3ed7284ff0e98ed3a2cf9c70c2d4a7285097f177ca87af5187a28f8b2f9e95af561947004e387106ac0cd678b0726513129b84d3da0f520ef1f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1af0f5198eeb527833e2fff5f12ce0af

SHA1
4c63abe983c5f5cbbbf22e676d57a799614f4c57

SHA256
8d2debbfdfaefa31dcde861efe852a72c50ac00e8747c4cd3b91f203b2a31365

SHA512
2abb2e517d432228a8517e2483efb0112d4d0e0fc60aaffe263fb65a47e9db755c6a2bfa0a21da6e9d0b0910f6d4ef78ae32bec23e49658169f710d24e409535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591f94.TMP
Filesize
1KB

MD5
25adce784991d6a33892623442c68644

SHA1
45057754455209a7ca1f1252ba0d3e93af8a6231

SHA256
273dd4f14879c5556f665fc9967be4f4eaaa7609832f26c35a377d248e5bc139

SHA512
c6e3e62fa1c029f48e960cfee3dd34e4f4bead8ced561babdff146653d0fb53c7c72b47248603bcbbcbbe4b033fc01835371852bdc3708d08ad7707e588e3a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
d103fee4a8d1c9c3466bea8f4e1df49e

SHA1
ad3f200106475557c949f1bbf4bc0bef6da89c40

SHA256
69fc7ac647f5a752cd6b30121b114fe87bf6b82afe52d5d48f847f2a32a28bca

SHA512
f7b00f02b9c8e76d6f9a436489c45802fae2e3fb571292ed058f9b5c6b4d76c8d0094f04cd5367409d07c60e47394059bdfad5d189b22a7344097f03bb8e705c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
14ae44de90f7d5fad8f0908d62df7124

SHA1
ce22124cfffea9dfbdfee46294806bd6e907ca0a

SHA256
996ee5513ebac0313cb4d45d4fed4e5371acca13733f7e36ebc7710290bd6a0a

SHA512
78a9cea5dd6376cf2f61a11eb0cef58b99efac6bf9404088b13b7e30b85dd3f44c4c81e755968ae051ee98d84c7e75a67bb8741f8ee6d1e45797bda45cd4a433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c1037078d9b643987f30c125d758814d

SHA1
4bb521a3f43e6366cc44db7a8239cebe6c5c848b

SHA256
72c8694698873cdf75059d59c0db8a956bfb2a960abaadf8e330c4a77906aa0a

SHA512
b8b1726541f3af312dfdc4b97f6bcb1b7420b4fc3b16a729e4499be6b40fe2e99e659c5e84b62827edbf54487c643f68e8471ffbf5e267acaddb9385bed025ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a2a3aa9f39b6b12f59144e1558460688

SHA1
bc674bdfa4793856fe6a434496328efd0479d2ab

SHA256
4d3f28b89f705b9ac6cf5d27358e4e575a2192c40632361ec350bd85b2ae2e4a

SHA512
dcbaf861b3bfa5398764b7bc442432e29bd41405d012ff5accf8a312c12e3670e4a1acaaf4de5bf1a423a956f76b2db1e50dbde1c5462b0a14ff9ed8ea1da964

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt
Filesize
39B

MD5
5bab23550d87f5289492508850e965b8

SHA1
753ba866033acefce32ce0b9221f087310bcc5ad

SHA256
092680746cc546b40d62a2c718599c2031fc590fff2f72e08b8a357970619474

SHA512
2518bce1ed90225be957bb038549e086fb541e32a377d912571da0b29b59effbabd75dba82ce37f74ee237920a6c8614c62865a013004f18477844857db7a399

Download Submit
C:\Users\Admin\Downloads\50b5f612-9be8-4384-9380-18297f9cc028.tmp
Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 953487.crdownload
Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
\??\pipe\LOCAL\crashpad_3692_SIDHJQEIUJUSZIEX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/592-526-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/592-571-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/592-527-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/4376-703-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/4376-711-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/4552-522-0x0000000000F20000-0x0000000000F45000-memory.dmp

Filesize
148KB

Download
memory/4552-521-0x0000000000F20000-0x0000000000F45000-memory.dmp

Filesize
148KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads