hxxps://youareanidiot[.]cc/

Resubmissions

18/05/2024, 21:49

240518-1pasgahh83 1

18/05/2024, 21:46

240518-1mtskahg89 10

18/05/2024, 21:42

240518-1kssgshf65 1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://youareanidiot.cc/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{88196992-C99C-46D6-AED9-1742C0CFA432}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
3260	msedge.exe
3260	msedge.exe
1012	identity_helper.exe
1012	identity_helper.exe
2888	msedge.exe
2888	msedge.exe
5284	msedge.exe
5284	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 2148	3260	msedge.exe	84
PID 3260 wrote to memory of 2148	3260	msedge.exe	84
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 1376	3260	msedge.exe	85
PID 3260 wrote to memory of 868	3260	msedge.exe	86
PID 3260 wrote to memory of 868	3260	msedge.exe	86
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87
PID 3260 wrote to memory of 1216	3260	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youareanidiot.cc/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc2ac46f8,0x7ffdc2ac4708,0x7ffdc2ac4718
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3716 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,4124816847796382080,2183292809904071967,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4492 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\63b55c01-5710-4450-b395-c76324af4e0b.tmp

Filesize
1KB

MD5
2ecc477d6d70ba7a04419930bc3e9d0d

SHA1
47ed32d815638b1c235a93d2aca7c83538e08aa9

SHA256
22059f6bf0c515560cfe917967c0ef075bc2e6965f9a9c49bd649b44723bc477

SHA512
94e3b91094b2869ed227b346266d8ff2b1367eb7317328af2b4761620aaf2af332a329160e6b636d299c020651619112870ed104b3d40af8a6ef72bee2c5b077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
20KB

MD5
0f3de113dc536643a187f641efae47f4

SHA1
729e48891d13fb7581697f5fee8175f60519615e

SHA256
9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8

SHA512
8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
25f9a28e796e24189ce1dfb0df0cad85

SHA1
b19148f3c8d228f22e36d1355543e34e45311949

SHA256
5b2be832d28e7e3f20ce7dface48c41d96840fbe49445107f05571046dec4a9e

SHA512
a835539bd6a1a27155aae5b529b1682f05be169ca6185241ad66e71e2e53e0dc4d67ba92db6b807917f147e75e205f10340a6241ef561b1b33bdd209764ae6d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e97a0f210ca6f29be05e126f26a2b74b

SHA1
0a4039b5aa6ee91c48860633f0da02e5f7d99f1f

SHA256
f5b7ba0912861509f6d520f40accd27e8b1e0df083c258ba0b05e59d4d3af03f

SHA512
b9dd9eee615add19769076cbe0d612c024b62f10ee8a0e0b80bcb25eca37c154ad143cf58ec2b1cd05f177f80873867a28f3baf1c5cc34664493a34965eab5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a240872a6487761148b1f722fbb3ba25

SHA1
70719146a89aac1a74710ecd80c9af44a691764d

SHA256
e8012ff5713d50d6c6b974feb86507cf8d69d13041d6f1fd2cf2d2383686594d

SHA512
f58ac2aa161378654046c82272a86365f811c38f80c39ad456811403b9efc6470f570cd4e253d1199b7c27c6186959d9511a3a156a7994d2d87e7d20516b915e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e42a3556b60779643c330b88b2c46693

SHA1
3b290328414375b647a276afebd296d4217f69bd

SHA256
6c45309717c93b16965d30d356bf150d3634ee180c11e2ad5bb3009a6eee5592

SHA512
289ca8a6d1ee9a5c75da8c76d3a1e323cd7c20b252df0eb7812806b8d0bf2ad9e2af454be167dcc0258474b848942865ff29a142634d6cd19db46383accb72f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8394b97d30c9e7f1585d8dfd189eef16

SHA1
cc7eb4fa97b2500d49d2d5f7c2c4c3181569f248

SHA256
db5e12ba26f33b9925f88c80593b549604a85f4352275b390984e9f6f38a7c98

SHA512
df7109fc7fb471d544c60ea186630c566cc0ba27c767264442430a53c9239ace842510ac9e34574757e0c9564557c05b6581e150b736ec95b2ba69265c05deb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e501feaa276812ffd957b70592dcc122

SHA1
64d3a582dc7d1d2f52cc0e383787e69a75ed2eed

SHA256
35364068d7bfbec00b7fa09694c4b99ec405f4b2e9ea7045ebf6b7823dc7d38f

SHA512
5d96963fbb1121859694fb859aeb1696d4903ca3fd904b5670185e1c161b751b8fda574b43d00a49631bc4d6fb046f1494b8b0c819d3d166744879d23873d11c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1c84b26f7f3dd85e354c6aa78b69336d

SHA1
fe9a8673de4656075a961af4912856b6dadbc221

SHA256
34155eef82ae45f99e77c8ad3fc93757c5055502384d5a0b76bb871eb26d5037

SHA512
31e917a995b2510ea5e2c603bfc4bc01ab44d5db1f92edc65ac88f81401b34a9a3403eab45dbc6a914a54b5ccbe9042d61873118cde8c95ba5d907b227083d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0aecf6ce19bf06a1c26869f49592f78d

SHA1
0c198435bf5127eddb67431daebd61392205af78

SHA256
e63dd919e56c3ca7771ae0ae00ceafd232aa73b62d1c218bb89e4800b30a3f67

SHA512
398389db027a16b074fea95b40dafb9706b678c69a98720faca825da3a6b811b7a3a475aa43bb2c5370dee6d59ad8c9d9425682fe95e1ed08d0d5039e7631cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fd85.TMP

Filesize
1KB

MD5
9fa3d1f8d79a6093e31eaca9da34b048

SHA1
e16503e2e46af5f80634dd96436f700c578e739a

SHA256
14131b35d3b78c8030c654d2c68907a6fff62665880fb2e3a043376f02dbec2e

SHA512
6b3b135d9afdb55ed8de4b3ff1fd34638371cea93b65a864432652dc59b7f3c1bc254fef6d963125504aed3431db17f08f8fe02ea1a95efca99830df791d7e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
78ce52a483ba8a08922f0b61d5cc6f88

SHA1
dc58642b83cb4f5a232e59900499395e77b1d978

SHA256
70fbebdd57bc2fffee85f704ae7925427438c3c3990491af786a90d80e7689ee

SHA512
b3d4c5de25ba4516897bab3dde36a1e923f1dbcaf2c24ec0fa2877efd593dccfd2b0478bef817b0268045863dda3e07d1d4ae1ed09085627be211bf9c6a6bd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea8f2df9578496531bf292918d0701fc

SHA1
87c84a494df9180eda9b2f181eea4d81520a657b

SHA256
af8e0afc667d62a5dbfc523e2f4156f77b6a9fd649dab6cb71caf4f9f7f09e4a

SHA512
87aaef9103f5ef34965c48c58116d4cb7585697f9e3ce486df7e409a3ee5af931fb1939cebae119301f7f7605f2493699cbb48590ff369b51bd16c5b1441eda0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e7730d7c23af7c7f804bfa7d8d0ccb49

SHA1
7326456f912380689c39caf8d80082d6149a2eee

SHA256
fddadcb2239b9574d7a82b310888f649186fded2cdb27af5c8206d2719cc23ad

SHA512
ae38cdca2814a7206cb2f1cdab040d45521ff0bc8e7900a5666747495d23c999c088a8dcabc8506a62b858335b64661eaedb360bd53293e4325edcc9dbe6dd81

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit