Resubmissions
02/03/2024, 22:47  240302-2qrcaaab3z  8

Analysis
max time kernel: 146s
max time network: 148s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/03/2024, 22:47

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Dfmaaa/MEMZ-virus
Resource: win11-20240221-en

General
Target: https://github.com/Dfmaaa/MEMZ-virus
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
  pid   Process
  4968  MEMZ.exe
  2944  MEMZ.exe
  1620  MEMZ.exe
  2036  MEMZ.exe
  2420  MEMZ.exe
  1340  MEMZ.exe
  3372  MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  17    raw.githubusercontent.com
  32    raw.githubusercontent.com

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                  Process
  File opened for modification  \??\PhysicalDrive0   MEMZ.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                   Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Modifies registry class (1 IoCs)
  description   ioc                                                                                          Process
  Key created   \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache   MiniSearchHost.exe

NTFS ADS (2 IoCs)
  description                   ioc                                                             Process
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 959619.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier               msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  pid   Process
  3696  msedge.exe  (the same entry is listed 7 times)
Suspicious use of AdjustPrivilegeToken 1 IoCs
  description                 pid   Process
  Token: SeShutdownPrivilege  2036  MEMZ.exe
Suspicious use of FindShellTrayWindow 35 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus
  PID:3696
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ce8b3cb8,0x7ff9ce8b3cc8,0x7ff9ce8b3cd8
      PID:4436

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
      PID:2836

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
      PID:1356
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
      PID:3808

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      PID:3104

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      PID:4984

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
      PID:4208
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
      PID:5088
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      PID:3700

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4696 /prefetch:8
      PID:3832

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:8
      PID:4332
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\MEMZ.exe
      Command line: "C:\Users\Admin\Downloads\MEMZ.exe"
      PID:4968
      - Executes dropped EXE

        C:\Users\Admin\Downloads\MEMZ.exe
          Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          PID:2944
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Downloads\MEMZ.exe
          Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          PID:1620
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Downloads\MEMZ.exe
          Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          PID:2036
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Downloads\MEMZ.exe
          Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          PID:2420
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Downloads\MEMZ.exe
          Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          PID:1340
          - Executes dropped EXE

        C:\Users\Admin\Downloads\MEMZ.exe
          Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /main
          PID:3372
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)

            C:\Windows\SysWOW64\notepad.exe
              Command line: "C:\Windows\System32\notepad.exe" \note.txt
              PID:2380

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      PID:4432

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      PID:4184

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
      PID:4064

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
      PID:2580

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14773901998088581102,4310496988214132718,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2908 /prefetch:2
      PID:3024
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4300

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2332

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID:3968
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads