hxxp://youareanidiot[.]cc

Analysis

max time kernel
48s
max time network
32s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-09-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://youareanidiot.cc

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\Allow	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 18bc564a24fcda01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 562f074a24fcda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 427a294724fcda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8905bf5a24fcda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c93dac4a24fcda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000b09a97dbb28e8682b27e93e2c54a0f02701224ea6637fd0d8f541bbf1d59f40278373fea59d88cb2bc4109dbee53f8d3cc5a19f9e64c63b825ee	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6a00085324fcda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 16 IoCs

pid	Process
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5048	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5048	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5048	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: 33	2448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2448	AUDIODG.EXE
Token: 33	1952	MicrosoftEdgeCP.exe
Token: SeIncBasePriorityPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1952	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1952	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4852	MicrosoftEdge.exe
1728	MicrosoftEdgeCP.exe
5048	MicrosoftEdgeCP.exe
1728	MicrosoftEdgeCP.exe
4852	MicrosoftEdge.exe
4852	MicrosoftEdge.exe
4852	MicrosoftEdge.exe
4852	MicrosoftEdge.exe
4852	MicrosoftEdge.exe
4852	MicrosoftEdge.exe
4852	MicrosoftEdge.exe
4852	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77
PID 1728 wrote to memory of 1952	1728	MicrosoftEdgeCP.exe	77

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "http://youareanidiot.cc"
1⤵
PID:3648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5568

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1UP23Y21\lol[1].htm

Filesize
55KB

MD5
aa1804b5344fc4ea85d54a599ddd220b

SHA1
c6d1306cc287147091b24a222ff4ce0e3fbd6792

SHA256
504c86338150a0692d46aeacc72056ec78a09d912e02cedf75cc8eed28669dbf

SHA512
93c1aa6525c0364712d5ae5b5fd78e57f0ac435e58e6071a00e0cb56e929497bc28536d377ad081bc89f5d34029f8b278486fad3bee26965d5a3035155433372

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\JW0LDKGL\math[1].js

Filesize
1KB

MD5
91a6ca262b43459c5ffc7d26dd7ec517

SHA1
65fc0670eb58bbc3697926813712b0edf4c57778

SHA256
7a68a5e6ad9128312249540e6fff8a369b953fcf8cd668a64b357e659b37b817

SHA512
e10e5490fa469cc4f789ae55b841602b8c9e81c0db84d3193f3a8f3fd1423be83fabe1a4276fa15bdb79e6cb6d9a8c8dbd2fc394312b513152faba1485ac0656

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LKKQMH1H\styles[1].css

Filesize
2KB

MD5
ed96e327dc9d8338c9e8c83ec72ab5e1

SHA1
d4023cc8f7e294f28328366af2044e7fc0e2e615

SHA256
6fa264b7e5e4758facd452a22af99a6a5a3fc9c877a597b03be5756b206bd12c

SHA512
b332768d871853dfeda27db6e162efd56c96c3eb9f6a4225ba17c557d994fa04966d6f7a8fb68eb9d987ce4ab4c157f720854fc9d855696404af37848348a13b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RNY4WYIL\lol[1].js

Filesize
503B

MD5
790c1b2b06aa85e813b9c203a15d1827

SHA1
e56b220da7111f339db4f716ce23ffeb60c5c7bb

SHA256
a64245f6e396f1f026efc23d0d8c454edaedf2c8074167945b92802eee05fce3

SHA512
f7a082323ad82b5c572cd64d445db75b15c5740309d82a425364f14434aafd2b42e0913fae8d8ba314c0e57aa836272b9351e1e9ab96c1c8d46cb318c6d8d871

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\0BHRQGY3\favicon[1].ico

Filesize
1KB

MD5
0b6dcf9c1429088c7f079d7cc291bb66

SHA1
d23f9a17c55011a829c1365bcba999b27c4115f4

SHA256
4b0358b16230208179720a09d205b99a3e9764e63815b09e9f1716a02fccadcb

SHA512
50b3d19252cf4601c93108639c0c82cd578c1869aeedbb327a7f917c7c9142ebe893347c9a065ad8dbd61b0edcb160b5169b7272c2f3a3f807649b007461ab74

Download Submit
memory/1952-93-0x00000201FDBF0000-0x00000201FDBF2000-memory.dmp

Filesize
8KB

Download
memory/1952-120-0x00000201FE100000-0x00000201FE200000-memory.dmp

Filesize
1024KB

Download
memory/1952-91-0x00000201FDBD0000-0x00000201FDBD2000-memory.dmp

Filesize
8KB

Download
memory/1952-87-0x00000201FDAF0000-0x00000201FDAF2000-memory.dmp

Filesize
8KB

Download
memory/1952-85-0x00000201FDAD0000-0x00000201FDAD2000-memory.dmp

Filesize
8KB

Download
memory/1952-83-0x00000201FDAC0000-0x00000201FDAC2000-memory.dmp

Filesize
8KB

Download
memory/1952-178-0x000001F9B0700000-0x000001F9B0800000-memory.dmp

Filesize
1024KB

Download
memory/1952-151-0x00000201FFA00000-0x00000201FFB00000-memory.dmp

Filesize
1024KB

Download
memory/1952-81-0x00000201FDAA0000-0x00000201FDAA2000-memory.dmp

Filesize
8KB

Download
memory/1952-89-0x00000201FDB10000-0x00000201FDB12000-memory.dmp

Filesize
8KB

Download
memory/1952-121-0x00000201FE100000-0x00000201FE200000-memory.dmp

Filesize
1024KB

Download
memory/1952-119-0x00000201FE100000-0x00000201FE200000-memory.dmp

Filesize
1024KB

Download
memory/4852-16-0x000001E6D3F20000-0x000001E6D3F30000-memory.dmp

Filesize
64KB

Download
memory/4852-109-0x000001E6DACF0000-0x000001E6DACF1000-memory.dmp

Filesize
4KB

Download
memory/4852-110-0x000001E6DAF00000-0x000001E6DAF01000-memory.dmp

Filesize
4KB

Download
memory/4852-35-0x000001E6D2FF0000-0x000001E6D2FF2000-memory.dmp

Filesize
8KB

Download
memory/4852-0-0x000001E6D3E20000-0x000001E6D3E30000-memory.dmp

Filesize
64KB

Download
memory/5048-44-0x000001F9C9600000-0x000001F9C9700000-memory.dmp

Filesize
1024KB

Download
memory/5048-45-0x000001F9C9600000-0x000001F9C9700000-memory.dmp

Filesize
1024KB

Download