Analysis
max time kernel: 147s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 03:36

Static task: static1

Behavioral task: behavioral1
  Sample: 340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
  Resource: win10v2004-20220414-en
General
Target: 340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
Size: 222KB
MD5: d5bf56df56fb286035f2ba1be411577b
SHA1: 83f913a90bc11aba30f7873455de57365b9f9bf2
SHA256: 340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6
SHA512: 897cf30a94f32ad87d8c56542f6fc07269e015b8b7a8f14f08eb07b431b9f70d25b7e509e8ae70bdcf37427d2b757a10adc7d569f42224f499c862d13a90b1f2
Malware Config
Signatures

Executes dropped EXE (7 IoCs)
Processes:
  pid   process
  5076  MEMZ.exe
  100   MEMZ.exe
  4928  MEMZ.exe
  4268  MEMZ.exe
  4076  MEMZ.exe
  2936  MEMZ.exe
  3668  MEMZ.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | MEMZ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | MEMZ.exe

Drops startup file (1 IoC)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEMZ.lnk | 340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | MEMZ.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | Taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | Taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (identical events grouped, with event count):
  pid   process   events
  100   MEMZ.exe  20
  4928  MEMZ.exe  14
  4268  MEMZ.exe  12
  2936  MEMZ.exe  10
  4076  MEMZ.exe  8

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes:
  pid   process     events
  1848  msedge.exe  9

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1748 | Taskmgr.exe
  Token: SeSystemProfilePrivilege | 1748 | Taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1748 | Taskmgr.exe
  Token: 33 | 772 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 772 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (16 IoCs)
Processes:
  pid   process      events
  1848  msedge.exe   2
  1748  Taskmgr.exe  14

Suspicious use of SendNotifyMessage (14 IoCs)
Processes:
  pid   process      events
  1748  Taskmgr.exe  14

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
  pid   process
  5076  MEMZ.exe
  100   MEMZ.exe
  4928  MEMZ.exe
  4268  MEMZ.exe
  4076  MEMZ.exe
  2936  MEMZ.exe
  3668  MEMZ.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical events grouped, with event count):
  source pid -> target pid | source process -> target process | events
  2528 -> 5076 | 340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe -> MEMZ.exe | 3
  5076 -> 100 | MEMZ.exe -> MEMZ.exe | 3
  5076 -> 4928 | MEMZ.exe -> MEMZ.exe | 3
  5076 -> 4268 | MEMZ.exe -> MEMZ.exe | 3
  5076 -> 4076 | MEMZ.exe -> MEMZ.exe | 3
  5076 -> 2936 | MEMZ.exe -> MEMZ.exe | 3
  5076 -> 3668 | MEMZ.exe -> MEMZ.exe | 3
  3668 -> 644 | MEMZ.exe -> notepad.exe | 3
  3668 -> 1848 | MEMZ.exe -> msedge.exe | 2
  1848 -> 4956 | msedge.exe -> msedge.exe | 2
  1848 -> 2200 | msedge.exe -> msedge.exe | repeated for all remaining entries (64 IoCs in total)
Processes (process tree; [n] is the nesting depth)

[1] C:\Users\Admin\AppData\Local\Temp\340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe"
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

    [3] C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

    [3] C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

    [3] C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

    [3] C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

    [3] C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
        - Executes dropped EXE
        - Checks computer location settings
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\notepad.exe
          Command line: "C:\Windows\System32\notepad.exe" \note.txt

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb05f46f8,0x7ffcb05f4708,0x7ffcb05f4718

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5640 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff778c85460,0x7ff778c85470,0x7ff778c85480

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9423100260580293450,4924625520665145791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+remove+a+virus

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb05f46f8,0x7ffcb05f4708,0x7ffcb05f4718

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb05f46f8,0x7ffcb05f4708,0x7ffcb05f4718

      [4] C:\Windows\SysWOW64\Taskmgr.exe
          Command line: "C:\Windows\System32\Taskmgr.exe"
          - Checks SCSI registry key(s)
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x240 0x470
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 53473ab893aa74c050da4b15a702cea9
  SHA1: 85c34c1138235afa21eae7c142640358ee110a5d
  SHA256: 0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852
  SHA512: 3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  Filesize: 14KB
  MD5: 19dbec50735b5f2a72d4199c4e184960
  SHA1: 6fed7732f7cb6f59743795b2ab154a3676f4c822
  SHA256: a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
  SHA512: aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
- C:\note.txt
  Filesize: 218B
  MD5: afa6955439b8d516721231029fb9ca1b
  SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
  SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
  SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

- \??\pipe\LOCAL\crashpad_1848_ZNOQLFUXPGDVMSRX
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e