hxxps://github[.]com/KeparYTbcc/KeparMenu/tree/main

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/KeparYTbcc/KeparMenu/tree/main

Score

5^/10

paypal discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand PAYPAL.
phishing paypal
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 9 IoCs

evasion

pid	Process
2172	timeout.exe
4472	timeout.exe
4436	timeout.exe
4936	timeout.exe
2084	timeout.exe
5008	timeout.exe
3876	timeout.exe
3716	timeout.exe
3096	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3452	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
1332	msedge.exe
1332	msedge.exe
388	identity_helper.exe
388	identity_helper.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 4064	1332	msedge.exe	83
PID 1332 wrote to memory of 4064	1332	msedge.exe	83
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 4336	1332	msedge.exe	84
PID 1332 wrote to memory of 2436	1332	msedge.exe	85
PID 1332 wrote to memory of 2436	1332	msedge.exe	85
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86
PID 1332 wrote to memory of 684	1332	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/KeparYTbcc/KeparMenu/tree/main
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,15320043882267308690,14473371742715747818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2708

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\fd.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\fd.bat" "
1⤵
PID:4820
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2084
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3096
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:5008
- C:\Windows\system32\msg.exe
  msg * Thanks for using the "Kepar Menu", if u want to give me donations:
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://paypal.me/keparmc
  2⤵
  PID:4160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
    3⤵
    PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\fd.bat" "
1⤵
PID:4512
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2172
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3876
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:4472
- C:\Windows\system32\msg.exe
  msg * Thanks for using the "Kepar Menu", if u want to give me donations:
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://paypal.me/keparmc
  2⤵
  PID:2236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
    3⤵
    PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\fd.bat" "
1⤵
PID:2484
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4436
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4936
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
97cfb67d2c8ffedad082a01dae234ccd

SHA1
8e3ce648a69b8f7e9fa55454519514984d910c38

SHA256
beeb85c769c1f185ce400c3c86c786abda0ddb76356fd4b335b237f7efbc2a16

SHA512
62bdce857633a5cbffc62d7432e326c8680ab9be0d264119f74d099c5193d7453cbc91f0dccaf60e8e99960594c3eea56abb62293a7ab8a09b4d2b958ef7c5c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c4545cec71bfc7a296a9b112ffb08b1d

SHA1
1bdaff939089d06651ea90d8de97c448cc902df7

SHA256
8298a5ec8d52132ac3b1b47c3259304ee8d9a29563c75d567505dd4af54eecfe

SHA512
60a608601c149f0c4313db8bfcd9fdbe2786b26d6e525e07a63d777075dba62ce14c325255472d42f832305ac87982ee7c5ed1c202f823bbc667afb65c1a7368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1cdbd1530d7fb075f71862786acdc104

SHA1
f6997750cf45a709e04c5478d8f34bfa5970b111

SHA256
a1a90935f31d97ebfe34d71c5db96e86a59ca313b68db56a39c9faa929f7cd01

SHA512
77d9573ff15b06ed6138eb315b3dcff2fd4691d999e01daa7be0465420c0cd8e7c9d2d81876325da0f347d545127f67bdf22c5caefcababbf7d9bbaecbf6e9d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
5760b7dffb8e58306c53414558155a22

SHA1
742020b1ba3d0aaea7c0b9767ebca81ee2e7d9cb

SHA256
3f623f00ff0c445cfdb7d3858755ff615a4b00123b05a364c2ec253621b0eb72

SHA512
c53684e05514b6a8f6b1689429cb25beb82af91e3abd3d72962cd11dd0d4698f47047562087cef2b6c9e4e6134dabc90604ffa75ec8930f7b187f0341de4b842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14d0bf71d8f5aaa1731e0a16d15915b7

SHA1
d4b3b3ad325801359fc324579ef5a77efcea2f82

SHA256
c2fa1d4ef563581b06f041f7bc400ff74c48ba61a912a9f4e19d2ddcff86f8a1

SHA512
6ed733eb2aea9efd462784d1f86dfa6abe59642c715a6d292c774a5a691da6b7333085fab3aa7788d8094c1e96116a1c6806477188643d3bd0b7e21cc4bf1ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ed110788165c3949b90254085e2114c

SHA1
d7a45d91a3a7a38c9dfd0941830e85dfa3c81387

SHA256
4c15e459258975bdb4d83c669e381aab8cbb3b05b8ac962ab2c4954e15cfeb20

SHA512
cfae170324040bfc5627bcbc8aad92cb2964dbc5c363fe1417783331961d097ce955a810cd4c399f60e9de7abd8dae47b39ddafc1fe7185c8d29ee413b05079c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fa93ef9178f42f4393a7a39a7078b2eb

SHA1
be4b3ab1bcc242c6669ffa46f0a989aef0284945

SHA256
c9bd624a664a636db5565e6a251f05a704b95daa3988f465c558790872d4c8ee

SHA512
796416168aec878f9020b37ae9e81b7cd6dbb8fc34f58881858fe6fe4a8f33c4294725ab06c6f176add8c15508888e1bfd67dd6dad66e5ccfa6aefb05f4e0af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
babd8909f88b9219f15c2fffc4d4d33d

SHA1
3e09aef267fb8063fb39148d1f60d4313f165e50

SHA256
a15709f823b54d27566134417bee681243191aa012bcc825bcefb75d4d729160

SHA512
a02eb3a5550df3b8bafb7438615cae1542deed8b186b260471d923e9db378d4be5205c4fe8a69f502639faaf0d6725810347800f01fdb8398ea10f9633f8c8cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e41147335c6606afbab739bbefc50f4f

SHA1
98e43253776d55274e1d03f91a121af00f3adbe1

SHA256
1c9d69d2326649f387d760cbcfb64b6f7118a1d56b34adaab49a2ea7204431bd

SHA512
2fd5203d71d9c69ad8788e3b31d45bd08ba373e752a9fa2d1c396704dce97360f6eb43d92512ac834d3a18cc8cb585e839e78a8490f67ec76d2ae5e3f0df00f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1607625e680c618142732b86365ae20f

SHA1
2863b3ce3d5faf5721e4349c967c1750ebc0ef6b

SHA256
bcdf5998b1f8b71a7fd6ef2f59bc938f97c67d6b48eef5f0ac1a85f755534bee

SHA512
0af1cab0d126d5b112304914aae14058c6bcd786f023b2f353bd08983a8cbe870fb45569199de02c14848c1580671839e62b91e0594d99d3d28dd79df8c32e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8d9623140d3baf8ee5b0b8f6b51e3642

SHA1
11d45b62a887e31f7ef6278258ed100f8199ca9a

SHA256
d9630f8fac555212425c106355599bfc81d062cf3d7423a7cc964de3fe8fb0a5

SHA512
10fbc27b4deb1fa4b7ef468099132e73013bb95e045ae254b107780fabf5e2068cbe9b027f21e9bee1855ae5aa4039819194541e3a8075354b40984786b0c1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c706b4e83056ee7f7f81d1952dd22ff

SHA1
86fbf561cafdfcd66e4fa8f7533bd2111ad8eec5

SHA256
02ddf23406197eb34f8320ff95710f8f21258d3c5fbe5bf0e1607e916c457f82

SHA512
1e667764340ff5e564d3da6fbf02f259f98e2a6c3fef0f5f9551362d7a30dae49c9d2230713631d8426cac558d39b132433db8a69597f49ba6ba1cceae082ccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
21f5533c35e18749aaff14b467fb0bdf

SHA1
47931bd689e5b018b5724578842bc46d737fcbac

SHA256
b91536ee3d1acb1e23779f7cb482efeaa8e88f4b88bd7b2007f9319e602da4d5

SHA512
6e9042f57bf878b9317574517309a4717a40a1312d3148286dbc8f14821196165820614a796d423726ce95eef1130630d3abab971fff175865f48e56f6353edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
a23734b825efa8b00365607c7c1fe93e

SHA1
27893c86732b452593bc368abe774af66795de8b

SHA256
b3a7bf59398dce286c67ce86b66789d974bb02225b87bd83350600c840f06472

SHA512
982ed7f99aded465b87018f026ec8b78d6b34b9e0880c35fa60e6b5a02ca1161b062314bd4f5088c8c1d577767dae89f900459aaf66cb319d810bcb9d21e446c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
c9896ad0e1a7894fe4a1e2c2c5231f2b

SHA1
00aabb3f6d261f0056134124862cc9a5e24e75cd

SHA256
bc2efc29038a4accce626ca0dcef2b6b2f0f6d941e6f55cc1737e5eca375cb08

SHA512
53537f99d8a7b6b633bde422c79d7b470a15cf7c72a62fabd505ec8c8ba830161908f40cb577538f5599e1ac03057e61d4ed9580e208545933b6f26260ab5f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f627.TMP

Filesize
874B

MD5
faecbf6e6b7fa511c1a14fe3d2e41c0e

SHA1
ad819d8398ffb433404b8bde0d2ecfd178d5534d

SHA256
a62d5a47bbeeadf1e8c553ee722d07836453da63156cad68691ce17b4160379d

SHA512
885f0c74c070ff1c359b6872f1b281ef21ddd20b3c63835c1168252b7f40e220012f0aaabea72fb14266ff13b7b44a099d1e3c49115e343a92e386582846f725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1131385c94478babc200949a1c948bd5

SHA1
68cce3836956acf90bdc46ec5b73eb6509a51ec4

SHA256
ec56ca4162aa1adf425d467a72699981fc603590e34598ea052c96cd1070af30

SHA512
427808cebe63544290982bc3e4555f4a9c0123259da6d97bae0fb811dab366ff83f0996f7d59c0374f7541ab063fd3de6f07910a40053fb9d00459c649ca523a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
956f29f9543707c119008ce62ed86843

SHA1
94cc0b1be7ed45f17f3c5941561d8d694f580461

SHA256
125e820e2c3728ca6fa0ebb92ad474aad895b1ec98b45cbb502b4e1595437926

SHA512
ee0045ff6fe7a489c2cf291d3c1c1151132842d722907fa2e1982d18690b26c90286c112a7b099ffa008130f7afd3dd808dcdd5d7b8590ea39c66d571bec4de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
55431c091d0bdf097bbd0478ae89a0e3

SHA1
56d3d2bb0a5aa4f34731f3d351d87377e3476999

SHA256
16d83dda1b912351407e9f18739a978d4b6ef2b36db17daa54e505580366553d

SHA512
57461354c62ada32888c58f2d0088376b632d61e9139491e001f57f02e6c9fa0a9da3ab4aeb3b90a0ecc49861c3d3c2bbc0997fd57a7ae4d4c7fc45607846ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8aa8039ca9e9c371fb4582bb3f520958

SHA1
75dbf8ec74cb1e44ee03cc1938b8fe09d63f1298

SHA256
a095b1696d3367a296f2ac712a511531890cddcbebd810894d9cbac71e0f3072

SHA512
c875b0741e6832b7d762f7f49667ea4094e9a4d58aaf89db346e939274d175d20b0c407e020e3c56e04bcdf7460bee8dd76aa3829b684bd6c9541739b11eafa9

Download Submit
C:\Users\Admin\Downloads\fd.bat

Filesize
3KB

MD5
db66e911eed48c6d7e9cc11afc1454cc

SHA1
99f5ab6795c8b159387aeb6cb80f4e8f2c56a32a

SHA256
c53652e6d632eb8a6114ba230d8f33d2c122ee677b8cd714b2128748c0e0b6ed

SHA512
0dd94544b51df6c84cd52b8e3ed0475c54d982a1d264c50fd7fad40b657cac0a0fdd6e436e6e04ad170c45ada380e2a6a6942d229a2375d90638007431bf2f29

Download Submit