3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

12/01/2024, 08:38

240112-kjzawaded8 7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 08:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3244	MEMZ.exe
3244	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
2280	MEMZ.exe
2280	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
4468	MEMZ.exe
4468	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
2280	MEMZ.exe
2280	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
2300	MEMZ.exe
2300	MEMZ.exe
4468	MEMZ.exe
4468	MEMZ.exe
4468	MEMZ.exe
2300	MEMZ.exe
4468	MEMZ.exe
2300	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
2280	MEMZ.exe
2280	MEMZ.exe
3824	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
3244	MEMZ.exe
4468	MEMZ.exe
4468	MEMZ.exe
2300	MEMZ.exe
2300	MEMZ.exe
2280	MEMZ.exe
2300	MEMZ.exe
2280	MEMZ.exe
2300	MEMZ.exe
4468	MEMZ.exe
4468	MEMZ.exe
3824	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
3824	MEMZ.exe
3244	MEMZ.exe
4468	MEMZ.exe
4468	MEMZ.exe
2280	MEMZ.exe
2280	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5368	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5368	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 3244	4148	MEMZ.exe	100
PID 4148 wrote to memory of 3244	4148	MEMZ.exe	100
PID 4148 wrote to memory of 3244	4148	MEMZ.exe	100
PID 4148 wrote to memory of 2280	4148	MEMZ.exe	101
PID 4148 wrote to memory of 2280	4148	MEMZ.exe	101
PID 4148 wrote to memory of 2280	4148	MEMZ.exe	101
PID 4148 wrote to memory of 3824	4148	MEMZ.exe	102
PID 4148 wrote to memory of 3824	4148	MEMZ.exe	102
PID 4148 wrote to memory of 3824	4148	MEMZ.exe	102
PID 4148 wrote to memory of 4468	4148	MEMZ.exe	103
PID 4148 wrote to memory of 4468	4148	MEMZ.exe	103
PID 4148 wrote to memory of 4468	4148	MEMZ.exe	103
PID 4148 wrote to memory of 2300	4148	MEMZ.exe	104
PID 4148 wrote to memory of 2300	4148	MEMZ.exe	104
PID 4148 wrote to memory of 2300	4148	MEMZ.exe	104
PID 4148 wrote to memory of 4260	4148	MEMZ.exe	105
PID 4148 wrote to memory of 4260	4148	MEMZ.exe	105
PID 4148 wrote to memory of 4260	4148	MEMZ.exe	105
PID 4260 wrote to memory of 2400	4260	MEMZ.exe	107
PID 4260 wrote to memory of 2400	4260	MEMZ.exe	107
PID 4260 wrote to memory of 2400	4260	MEMZ.exe	107
PID 4260 wrote to memory of 3144	4260	MEMZ.exe	111
PID 4260 wrote to memory of 3144	4260	MEMZ.exe	111
PID 3144 wrote to memory of 4764	3144	msedge.exe	112
PID 3144 wrote to memory of 4764	3144	msedge.exe	112
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118
PID 3144 wrote to memory of 5024	3144	msedge.exe	118

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=what+happens+if+you+delete+system32
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd583e46f8,0x7ffd583e4708,0x7ffd583e4718
      4⤵
      PID:4764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
      4⤵
      PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:2328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
      4⤵
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
      4⤵
      PID:5472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      PID:5688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      PID:5704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      4⤵
      PID:5792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      4⤵
      PID:5984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
      4⤵
      PID:5976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
      4⤵
      PID:5232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      4⤵
      PID:4156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
      4⤵
      PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      4⤵
      PID:4644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:1
      4⤵
      PID:5888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6738169238088298441,13521780004829964731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
      4⤵
      PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=half+life+3+release+date
    3⤵
    PID:5924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd583e46f8,0x7ffd583e4708,0x7ffd583e4718
      4⤵
      PID:6136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=skrillex+scay+onster+an+nice+sprites+midi
    3⤵
    PID:5644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd583e46f8,0x7ffd583e4708,0x7ffd583e4718
      4⤵
      PID:5512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
    3⤵
    PID:856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd583e46f8,0x7ffd583e4708,0x7ffd583e4718
      4⤵
      PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=what+happens+if+you+delete+system32
    3⤵
    PID:2192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd583e46f8,0x7ffd583e4708,0x7ffd583e4718
      4⤵
      PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x3c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\73ee736d-fb54-4044-978f-45c8092c16bc.tmp

Filesize
204B

MD5
0313f1149958e570c5a5ae259deec5eb

SHA1
a712f7d02dd2b834fa7dcc2e9352ccb3dfa0da1d

SHA256
8e35e735618af6bd33960dee03e6e29123e8aed99ca68bd7a21b54b6299beb74

SHA512
0c7cb1107385381b1b4c1d0258e0b00c6cb21758484574d07f17f33e7fe6b9e6b1cbfccd81dea01cea28200ff3d021c5fbb81b1dae3f61c87db5bbe536738ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
754B

MD5
9bca40a3099e7c3b114d1fd4beaa891f

SHA1
209a62021cbc465ce04951bf25a0246585c70636

SHA256
08da4e552c262d801304c9e88788d3740273156796cde2c22a8f68265cca4a0b

SHA512
e3fa5018e91b90f40da735c63406868ef476498d3a942d59542053a5f92640c5f3b7ec99f6a7a1ac14b251ab22dd0c73644b40d32bfc22067bf953956714ccb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
feb51dbf947cd83d4b10a2cd89cb9538

SHA1
131dde732fd0ec98e62a92aa3c4c06b0873f0939

SHA256
b76f67fe0317bf473ff37cb4d45f920790d4884064d7e97ddc0be9536ae9ff2e

SHA512
e8e09f1ac50fadbec9b556a9cb6a49860de52dc94287081885d0434c912c74eda01643ddf211eaecc6a603a9499af81e73f975636cd5bd3bda5de45299a4269c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
358cab886c835a1a81f19c0da35e2b28

SHA1
fb71038509015a829f2b1cc3233e8c4ff4f878b4

SHA256
828c0a119d13d3c8d0a358c6ce991837910701efad281f93cf279b64fcecf1aa

SHA512
ab753711d0bf53a4d5308591ccb5452a6a7152eb93180d65686bb7fe6ff97b87ed7a22b8cb428ccb516d57096c458ddb8f5a641da464189df39f7e2618b7f2c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e0eb53b4baf98c5ba9f533c7f262b89

SHA1
88eac7a00faaba60c3876026d41da1709cda7d7b

SHA256
c87fbeadf7d519dbcf4edde57c597790214e4d90907df68ddfa3fcdc1afe76b7

SHA512
a1817af478f9ecbeefa58666f6996e4724163391e7bcd1c8067ab1cf3c2a0aafdf4a174df571de6e06ec8e04db70028190097f94fa9720e70ac0fdbc625d22d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b6d3d7dad4e5f4f89b504d26e2959ef9

SHA1
d3e6ecb3e97dd3050ce00ad2cc2b57e5ea4e3dbf

SHA256
6d9ed5988e96e93e67505da6553ec9cf53b2c149e111242149aa560e1f65f253

SHA512
1dbe1d550c1b463b992dfd77584ebc9c49e86082cf15f39e81d35e99d6e57793e150736ab8d5e026ac1faac4ecc005e7789fe9819bd61a81c13b0ae422ee203a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e62a6848f50c5ca5f19380c1ea38156

SHA1
1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a

SHA256
23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488

SHA512
ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
d4b25d7c3f4e14f87f014a90671cba27

SHA1
bccdb6ba815551fa0cd966ccde966e644ba6daba

SHA256
7c9d008589b0dfdf06a50c241b2ddef2c28a9bdb201c6dcc683d739ad3522845

SHA512
935af3a5b6da4caf9c4192eb194702024c19668a552ee3924099eebbea4dd0eb5eb2eed8ddc93cd3dfe128b850919033614a4a6c3462e8fd91759578d9c46c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b15d4d856217f3f3a0a145a083b4cfb

SHA1
cbf18266cde85a5c963d06948e7f7f63e177fb6e

SHA256
d1096f417305f6afcb1c57b1675f59dbb9ec8253c99cec0e812e80b1abe9eac0

SHA512
2a6fa30e40b4b43b7fa9dfbc7a911a7b6176816e778e237171dc7245795aa7c8e2b499fb13d2896af34cab2faac32a7169b4f186a978c3b016e63b66a4c82669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588690.TMP

Filesize
204B

MD5
7ab19696a267b33cfc5252fc8307d060

SHA1
a2e90e611c41c41d939892be67366486b254d8b3

SHA256
c3802ee6f81b579ddb61d91811bf51eb9c260a334c0570210ee3917202a60006

SHA512
f29222298c0840fb3ef89fb1ae4c96d42d05083e40e31a58bb21bee74fa36041f88b944adbc88e11794b67c7e09ad96a1148519a58566a732cd12eca450f02cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a6e8319d08d5563012b7a6da73b5712

SHA1
aecfb55b53fd5e7a2f61bbc4dba375de0a01632d

SHA256
8a969b6fd50638cc6fe3f16cb724a3ea272810e60e78da7b6c7722a0566830d7

SHA512
1308f94346612d35414186d4d41ca3b159d93ba7d510213bfb9dae10cc37b2d7b447ef4c97b8a8e4e51767a83bd20cbabb6d243aa49911385401ffa67697ebfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ef16d58f4ee6b249ba4a185797d05c83

SHA1
227d62e10a6589a3b3a00cb2276c4fa6b980a077

SHA256
b081968391908d865c963e945b493ee72ce169d8311fd6992c7b47185838165e

SHA512
554a6b5ddcf305778ea72f863a489d504dfecdff6fff104de6eb4025b1d420f4a15ec71097faec036660658046b51ac3f038ba6aab571ee6b47fdd4ee46f77bb

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit