3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

23-08-2023 15:59

230823-tfk4hsfb4w 6

23-08-2023 15:56

230823-tde5gsfb2w 6

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2023 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	MEMZ.exe
4248	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
428	MEMZ.exe
428	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
1112	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
428	MEMZ.exe
1112	MEMZ.exe
428	MEMZ.exe
4328	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
4328	MEMZ.exe
428	MEMZ.exe
1112	MEMZ.exe
428	MEMZ.exe
1112	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
1112	MEMZ.exe
1112	MEMZ.exe
428	MEMZ.exe
428	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
428	MEMZ.exe
428	MEMZ.exe
1112	MEMZ.exe
1112	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
4248	MEMZ.exe
1112	MEMZ.exe
1112	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
428	MEMZ.exe
428	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
428	MEMZ.exe
428	MEMZ.exe
1112	MEMZ.exe
4328	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3240	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4248	1656	MEMZ.exe	88
PID 1656 wrote to memory of 4248	1656	MEMZ.exe	88
PID 1656 wrote to memory of 4248	1656	MEMZ.exe	88
PID 1656 wrote to memory of 3432	1656	MEMZ.exe	89
PID 1656 wrote to memory of 3432	1656	MEMZ.exe	89
PID 1656 wrote to memory of 3432	1656	MEMZ.exe	89
PID 1656 wrote to memory of 428	1656	MEMZ.exe	90
PID 1656 wrote to memory of 428	1656	MEMZ.exe	90
PID 1656 wrote to memory of 428	1656	MEMZ.exe	90
PID 1656 wrote to memory of 1112	1656	MEMZ.exe	91
PID 1656 wrote to memory of 1112	1656	MEMZ.exe	91
PID 1656 wrote to memory of 1112	1656	MEMZ.exe	91
PID 1656 wrote to memory of 4328	1656	MEMZ.exe	92
PID 1656 wrote to memory of 4328	1656	MEMZ.exe	92
PID 1656 wrote to memory of 4328	1656	MEMZ.exe	92
PID 1656 wrote to memory of 1192	1656	MEMZ.exe	93
PID 1656 wrote to memory of 1192	1656	MEMZ.exe	93
PID 1656 wrote to memory of 1192	1656	MEMZ.exe	93
PID 1192 wrote to memory of 1380	1192	MEMZ.exe	95
PID 1192 wrote to memory of 1380	1192	MEMZ.exe	95
PID 1192 wrote to memory of 1380	1192	MEMZ.exe	95
PID 1192 wrote to memory of 3932	1192	MEMZ.exe	97
PID 1192 wrote to memory of 3932	1192	MEMZ.exe	97
PID 3932 wrote to memory of 3844	3932	msedge.exe	98
PID 3932 wrote to memory of 3844	3932	msedge.exe	98
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99
PID 3932 wrote to memory of 4244	3932	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4248
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:428
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:1380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
    3⤵
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff8522f46f8,0x7ff8522f4708,0x7ff8522f4718
      4⤵
      PID:3844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:4244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:3724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
      4⤵
      PID:3908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 /prefetch:8
      4⤵
      PID:4232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 /prefetch:8
      4⤵
      PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
      4⤵
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
      4⤵
      PID:4564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      PID:3016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
      4⤵
      PID:2756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:2792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
      4⤵
      PID:4920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
      4⤵
      PID:4340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      4⤵
      PID:752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
      4⤵
      PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
      4⤵
      PID:2108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17281992063705986344,9209253404032646309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      4⤵
      PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
    3⤵
    PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8522f46f8,0x7ff8522f4708,0x7ff8522f4718
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=vinesauce+meme+collection
    3⤵
    PID:1992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8522f46f8,0x7ff8522f4708,0x7ff8522f4718
      4⤵
      PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1196

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x2cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
4927897d4a295fdb6af0baf6c6e44008

SHA1
935ba571a1c565c3d8431fb0177f2c48cb726e4f

SHA256
b47bf9b091620a8978fc47c47829ad81019049c2d9dcfa410e086cc5f52750d2

SHA512
65c3a73ba695f3e24396de66ba8ceecdd38d0e1c1c588b3cfe64448103c47135f771aa43b41652b91d0c41de5c4eaf7d06083de074e34f77882355fb28902081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bd6775b99e52c40c20ce48129bf48da7

SHA1
42e5a1d543a1cf549870d362c535af319ff9a62a

SHA256
6f3aac2e8b8dde46c7488dc9c92d3c5555abc09e1246b99dcc63ad5c7296971e

SHA512
a76cba837cb022eec75cf5fcbdeadb4367f78069c6a48fe783ae4c99f9c95b20d15f8acdb181d4d33694bd58018a1918c4ad95d8103e9ff534fc5902060d8157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c5a9f4c3227fc6b731538c5cedabfcb

SHA1
e2d6644cc445e371dc4b915f77c70d7722cc099e

SHA256
95bb12d66238af2a9fb7a2cc6105bdf1068b3f87d8bcf3d3190d5ea5743f8acf

SHA512
438586fa8eba69581036b182e8703d19037454d3526dbe1af433e73ad0edcf13e987477943996dcdb636a54c8a17b181cddf498d778e51d46be28173c2f79bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5b42a534dafddf7719de40e17c042f74

SHA1
8a245a1d2b175e4ea563f1e35f5f2b488be6e4d0

SHA256
e6305fb503df38b50f7ae4888a4c734a5a683b958ad0c1b200c634ac11487e4b

SHA512
986407db8924c39dcf24a7e4efa72ed61f85d5fb7b9ebe5bb7516cb40ea0a1d8c5cd6635474daf839d8f24b1300a3367ddfa037a579bb59c78219a0a81a05506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a0fe0075f634c86f161b840af6838715

SHA1
e17fa6f4e9e87ecffa5a19b8792b6d8874abd0c1

SHA256
5e74fde082c37f880342c67eba77389f534bc151bb67ef5e465ecb1341d44cea

SHA512
d7a3f80049633e474fc4e7a407e1f30856f159b19d889c84f0490a0f3ef5c2f51d1bb708edc1d2160a4d2f4847a37035124bbe2eedf2b9a2d2989281365698a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e62cc4051e1f8eaa0abda5d730a2496b

SHA1
d15346e40b196bc313cbfe5ac96b3c90b83345be

SHA256
ffb5b740b8777d010f0d32a120092084c3cd32eaceb937188d698ddc22df2fcb

SHA512
3e8f6d89c7c153177b2149d86cd8602ceafedf66f5335a86b19dfa46fc38c47f6ff9a272c3b71b4464a5921ebdf2461fba25692ca916b9715bac520bf1e81a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
15dae05b9e5d2ef8898589fee55ed82c

SHA1
673d7e3eb94bfde27acfd6c2ceb98f5ea9ab6a27

SHA256
47f56247adb30b05a7d6202a5b791678cb118d9bce5c4d55f2e6cbf8acb683f5

SHA512
9cb4813724bf47e40c81382c2ee452474a80d4186232da895592921b8ffc545b923a87aad51a294d82369ca33b1bd3c380a0af44244ee4be8c60ebf8ec49f86f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
670bb63817281447cbe92f5b3106bfcc

SHA1
c39028e208ca735aadcd856a3b5d8600904ef5e7

SHA256
5cae07d88ab782d548e4c67dbc65551b4261d1d2dc6d58449c840c8ba204fa54

SHA512
772914af130f834922beb12c18fc138fd44b3287e04852b4e5360d04395158c9dd9700baa03eecf0f5834c4e17fc2e77e0a671034f07a2df0ad9ad90d7376e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593b98.TMP

Filesize
368B

MD5
8972073c422f0e2f389a1690a713d903

SHA1
3d36a84d938d42743a79af1623a1e54f770cf04b

SHA256
558c97ae5c255a815e7270c43f4b941267ce7e443699566584904e68f4355076

SHA512
3eb371d62def199bf5d0f8b4a1d3da90ebc54d8ad0fda4a079dbd38795c2a1bd40409c2f77060582060b4b4c64a456fe73b17fa079a9ed9eb25e22c657bc7d1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\efa578fc-0d36-4e5f-bb57-ef9f3de0273a.tmp

Filesize
7KB

MD5
307b00083f57b5d7b8cdedbb52a4a540

SHA1
4145411969e626582d08b846814793a4541b90ab

SHA256
9112449a6ec2d9ad284fcbe69dd03f754687f204c1b49016853aa85d779bca1a

SHA512
7583e39bb4fd0e4565e27d55085c18175de52a2e8406251da5aefddb8d67e5860c686a421e859be73593616b39f2b7a1748f82d0b69f62d03ccb108834853067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ce96f909dde8cee358cc6237e20aab49

SHA1
255709aece34f74f6b68d95034decca5c019e4d2

SHA256
c7a3fc5e68f10627903bfafe35be46e09da1051a199d7406789013933c854db4

SHA512
b83ed133ec5e8a14733ae03fdb8bce31e17450723f69f84a52c130f56af6233d75ecc4319eff7daee4fe3f0725e9ba23c761c54fe5e391eb9194e1ffc7a05cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
721e7a5602f9f43015e39833864224b4

SHA1
d6eb30d586be243a2f6a7040278f61064cd498bf

SHA256
54065eef8b60782a5d355bdcebe010d893c76b6be404c9689e7c546b55145f96

SHA512
d22fae1f336cf39277853344e6fecc45675da579615f0124e98021f478792cdb9eab707edf4a6d7426772ecf3d0a928ad8bdd8cd2442b42c471208724bee1630

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit