a9cd3d966d453afd424d9ac54df414b80073bb51d249f4089185976fb316e254

Resubmissions

07-04-2023 08:11

230407-j3f3zaae2s 7

07-04-2023 08:08

230407-j1q56aad91 7

07-04-2023 07:42

230407-jj2wbsad6z 7

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2023 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\12c88475-442a-461c-b2c5-aa67b1f98611.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230407080920.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

4900 regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
4900	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
1508	MEMZ.exe
448	MEMZ.exe
1508	MEMZ.exe
448	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
1508	MEMZ.exe
1508	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
448	MEMZ.exe
448	MEMZ.exe
448	MEMZ.exe
4920	MEMZ.exe
448	MEMZ.exe
4920	MEMZ.exe
1508	MEMZ.exe
1508	MEMZ.exe
1304	MEMZ.exe
1304	MEMZ.exe
1016	MEMZ.exe
1016	MEMZ.exe
448	MEMZ.exe
448	MEMZ.exe
1304	MEMZ.exe
1304	MEMZ.exe
1508	MEMZ.exe
1508	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
448	MEMZ.exe
1016	MEMZ.exe
448	MEMZ.exe
1016	MEMZ.exe
1304	MEMZ.exe
1304	MEMZ.exe
4920	MEMZ.exe
1508	MEMZ.exe
4920	MEMZ.exe
1508	MEMZ.exe
448	MEMZ.exe
448	MEMZ.exe
1016	MEMZ.exe
1016	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
1304	MEMZ.exe
1304	MEMZ.exe
1508	MEMZ.exe
1508	MEMZ.exe
1016	MEMZ.exe
1016	MEMZ.exe
448	MEMZ.exe
448	MEMZ.exe
1304	MEMZ.exe
1304	MEMZ.exe
1508	MEMZ.exe
1508	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

mmc.exeregedit.exe

pid process

2996 mmc.exe
4900 regedit.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid process

996 msedge.exe
996 msedge.exe
996 msedge.exe
996 msedge.exe
996 msedge.exe
996 msedge.exe
996 msedge.exe
996 msedge.exe
996 msedge.exe
996 msedge.exe

pid	process
2996	mmc.exe
4900	regedit.exe

pid	process
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe
996	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

mmc.exeAUDIODG.EXE

description	pid	process
Token: 33	2996	mmc.exe
Token: SeIncBasePriorityPrivilege	2996	mmc.exe
Token: 33	2996	mmc.exe
Token: SeIncBasePriorityPrivilege	2996	mmc.exe
Token: 33	2996	mmc.exe
Token: SeIncBasePriorityPrivilege	2996	mmc.exe
Token: 33	4088	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4088	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

996 msedge.exe
996 msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MEMZ.exemmc.exemmc.exe

pid process

1736 MEMZ.exe
4952 mmc.exe
2996 mmc.exe
2996 mmc.exe

pid	process
996	msedge.exe
996	msedge.exe

pid	process
1736	MEMZ.exe
4952	mmc.exe
2996	mmc.exe
2996	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exemsedge.exe

description	pid	process	target process
PID 1348 wrote to memory of 4920	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 4920	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 4920	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 448	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 448	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 448	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1508	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1508	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1508	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1304	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1304	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1304	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1016	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1016	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1016	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1736	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1736	1348	MEMZ.exe	MEMZ.exe
PID 1348 wrote to memory of 1736	1348	MEMZ.exe	MEMZ.exe
PID 1736 wrote to memory of 3736	1736	MEMZ.exe	notepad.exe
PID 1736 wrote to memory of 3736	1736	MEMZ.exe	notepad.exe
PID 1736 wrote to memory of 3736	1736	MEMZ.exe	notepad.exe
PID 1736 wrote to memory of 996	1736	MEMZ.exe	msedge.exe
PID 1736 wrote to memory of 996	1736	MEMZ.exe	msedge.exe
PID 996 wrote to memory of 1224	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 1224	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe
PID 996 wrote to memory of 3784	996	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /main
2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=what+happens+if+you+delete+system32
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb37c046f8,0x7ffb37c04708,0x7ffb37c04718
4⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
4⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
4⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
4⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
4⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
4⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
4⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
4⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
4⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
4⤵
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
4⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff74a365460,0x7ff74a365470,0x7ff74a365480
5⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
4⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
4⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
4⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1312 /prefetch:1
4⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7181109136020774101,11840386926477397485,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
4⤵
PID:1908

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=best+way+to+kill+yourself
3⤵
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb37c046f8,0x7ffb37c04708,0x7ffb37c04718
4⤵
PID:404

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:3396

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c8 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
014c9ce3e520f19a8bba679c7296f8c0

SHA1
dea10f30a0c313c5c9e23e45b21ed5c5e02624b9

SHA256
8d37ac330684d1c59dfd971e5e5b8b1923e4d127262a8ed5159896358c52a295

SHA512
d473297d1104abedeb488e33d49b6d563d0c8e002dad29abdcd7b7735e14d1b32c36bd057421a52befdbbbce06260c58530ffd38aad4878af74a722e664f050f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\55aef7e4-31c6-48e9-ab07-21e12401ae4b.tmp
Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
672B

MD5
f9d332c3c35e94441b47bfc81fd8127d

SHA1
46cd185b8292fd137615995758a104f7d9fdcd1c

SHA256
ad448e99fc1e0a18cf74c321c55467902fbd1b366e516000e8869b0a4671b601

SHA512
bd9c452603f44d9ffd0ca43476db04edce2baecdec59d583e59bf6aff3517d3f8f6b974acfc38de3ccccf41d02651ddffae8ea7398fe35fc887d85bbb536bb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
001958d6399c341c91ec11e4e3d33ed1

SHA1
21d69bc7636c91df9f3c5c63a8e7fed32e8d7ad5

SHA256
c8415c70ee49c9b95bd24a9d618d83997063e8ed9c5ecdab398a0220a2b2186e

SHA512
2eeaa629d88d9ba2e1c722639234c5ccc15fc6dea5f915be0d39f6d67139c628eb418ce21000cb0b11a80e79fc13ce0d721ba9c017487976819901d026b1853a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
c7cba23747f57e57fc2e370a65320c1d

SHA1
861ef1161129486713593680c6ce2b3dbdf220fc

SHA256
edaf9fbaa58862373e93c2ab5f5d135150bed5e7607285808a9619517fdec070

SHA512
3d35b5b1978a1d4240b7e2fab586cee001ad3315f933ccee6a9d4f07dd5b6549b449de217ce5fdb20456b8438803ac7c3e7110141a5edec9e00f9751e062ba18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
558eb17c3e89ce3f0a2c04e4b807ee60

SHA1
2faa4214644db0e2de1411b8b253541e49b9f075

SHA256
8918ad27919513c6a3f5876705e8da1cd0b1ac809be7e2740e9f308f0bdf357c

SHA512
0cac82010006366a95ec0d74359b3fd53c8075de765cc5639591143daa01c532f1046cc78d8710c6cae2be5ae884e38e4b2afe2489aa97096d27598f724bc817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
1c61f81fc006c543d4f36949b2448ea1

SHA1
ea4b0dc6b27efa73e72046c478f591c8d036131e

SHA256
fd85b0554bb568103bdb749d30bca61c586810768fa36e62049f32b4ff0e02de

SHA512
54725d289c7394264ac5a6e4e929d7dae4939bfae4a225804615d060942383a296bd632ca6d206a35e29bc205c26bfd8dfc98425a2d668a9b5fd09cc4a5b2bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
b2b05144ed86d3b5d862cd901a77fb84

SHA1
013c708f2b21eb4a77d6f2ea970030ea66506eeb

SHA256
a0b52426c0c9936a6972094e7d86ee6af9cc11b01b2a45bc54ea521b0459cfed

SHA512
a4096387cee825b4fb421731a0e8d1620b862809874499db829ced52492170b38aa86418d7e4bce3b65610981d796d599eebfaced63f50e3fe6590048a9c5228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
a9dadb85ba818277dfc6232042ed7755

SHA1
7289e55e0abc997fbf15581cceaf1961f260af91

SHA256
a165e4000eafd27a8fb9752b125cee1b9edac3c2a6368a24b0cdef99dbe3261f

SHA512
906eb8e5587d59143898e55987685b6848f32d34590c866f07145385451ffe20d7c71b7cc674f28212e7c9c3aff4a93981c2c85056978be9bba04a931c929167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
59184861aedb1e6acbf0f98fc82468cb

SHA1
69094e046162fb5e30178426fb03ccb6d036e367

SHA256
8c3aa3297722031ff340691dd9f7530419f297ba88e99d0e11668883511ffc82

SHA512
55ce1e57b5505ebf34fc9fd6308de27499b638f1924cfb6de2682bf0225db2c945e4fd53eef51b09f01d25bfacfb342849c1e62e3723c8268b6c4cfeb88b77b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
984dc853468f2499c5069e89341c550e

SHA1
fd8a89e70d227b60121b137ebd2184d4fcbf2ade

SHA256
2da1c2c2a2d4bc26ce4f08b601d4a64fd4cbb45518632cd8071c5d1602e2b66c

SHA512
de6d1b46b853829f40176e44f9021773cc91e5c52c6f205d0c3bfe2d01f9b53280c7e6b7830a07d7a5bf071a0e27fdd04672e2122a3535165b02f034b909590a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
90B

MD5
50b535031ee0c6007d65739d1331a5c4

SHA1
39ece0e9daf230e8fda3a7fd8594119b541ed2d0

SHA256
401dac50796235e24ec5541b6e5fe5dcd8c351d6f83a305b70e585dc010c1810

SHA512
14cb2c30cf9a882cef2cfbeeb7107b71961b21f7b6485d0e662062ae48c50c519b38532cfdffa0c2cf326bad1b32dca0bd0fd45cd60b575a46c74483d8d7522c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp
Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
370B

MD5
06119e236c57929a6b53882fbfbda24e

SHA1
d032fbcbbab05d853539688c916a8af90a9f82a9

SHA256
c0ce53bc17d3bbe10241a02abf05b5b6f415b82e28c2dff45bb8c25c9ad0e773

SHA512
33089adb0ee810524f748d3a7bbfa6fd5b9ca9c3e2dec147fb4529b48f03331083604c9e790eb8c6213cb24d8888ba3e1796c8bb619b836ea554fabd0d686366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5824aa.TMP
Filesize
372B

MD5
fd6a8e5e2399d4acc7715c4d274bf7b2

SHA1
8980b0e51263d8b42665d54b4a15901b522495ab

SHA256
20b4ecd650900a21108a56ea19ffc805697523cd72af7a74b180d842cdd8e2fb

SHA512
c80ab51b111dc127ff90e6fb8b6b9eea1635b45ca63e2b9cd77ce95ca575e0ef2576d2f5ba80e4c2cc44e4c5eee43036e3f5693a282db38ebe082c1ef7c84880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
6c7dac39ce63f589a6f0cc75b9f8c51a

SHA1
8e1cac7d36e488f3f0d9990414fb756d6fd0a083

SHA256
a17a5c6f122ea24728b0fb3c54235cd95e9bc8a386f747164351dfc51138a448

SHA512
bc5938823d8f76a51424a22b21446e95d0a2e766257583ca498ac30a163edf662d89a169c9b0e7188a8dbcd4b5723b7fdd66edec7f4bf48293f0ad50ace47438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9f8e6edcc19eafbde3c3c35f35a746e2

SHA1
3645e7faa03c749e22e326d9f032a33d6acfdccb

SHA256
f09d71989b7874940a5df49fb65600da27fee9603976bb3460b5b4a00cbcf4b8

SHA512
501ab3ba7d0b40856ce40700deda896f03e35d5feb96251fff0fcae56234674012f001cf7bcddea85b787ddea4f84e00a76840de45a9f68b2d68357e7d2609ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
2e360a26363680ae0d97765b9f860b27

SHA1
53b20b92e2ca849837ded77c03a45f8f6e005967

SHA256
e79adeaa0c406f3f5a5a41a8e0d5ff6da34b6959555604c69323aac41e40ebc2

SHA512
1d259ccc5b0374b97a7612a8d9f203615e16fdb19c33ac7bb4faaeffb80ec91cc52d2547f0bea9baf8d7b84e83f2861bd75dd33b6dc7020a90a7e9c36f20d1a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
4f2572d8d1d5fae7b0c607973615286c

SHA1
517366339b7776caa4ca5523d118b4bd54139261

SHA256
a9e7972dbb9539eb09d1bb07709f66b6fb485f6e4e67cb61261f49573257a589

SHA512
67228c5473c3b56377c77d9216690fdc9778ef8dbfef78c2ef6cb873b17a356eceab833f02b1315932b698095c66ee94542f3ec5c7c8c0e8f8f3538027211775

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
1955c1c9e2100d07b68a8aca7c0ac87e

SHA1
7b80c52e47fff73ca08808e9eb11c69d5d907bfb

SHA256
efdeb0ab9ecceec4fccb171ec9f0beabcdd16b79dd903df9735b0e82e96ed5a6

SHA512
9069b3546f3e1b6a38179f13e4513acc1b1aea2722d1eb0ae4c986a8858cd371d9e58b340bb685db7558c0c5940d75d53297aa7ed8dede7987b8a4031c90ca6f

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_996_YBWIWDYLAXZKXZTA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit