3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

13/03/2024, 03:37

240313-d6schsbh5x 7

13/03/2024, 03:34

240313-d44mrsbh3s 7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{F7B025F5-9F76-4031-87E4-A96265A86952}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3236	MEMZ.exe
3236	MEMZ.exe
3236	MEMZ.exe
3236	MEMZ.exe
3236	MEMZ.exe
376	MEMZ.exe
376	MEMZ.exe
3236	MEMZ.exe
2168	MEMZ.exe
2168	MEMZ.exe
3236	MEMZ.exe
376	MEMZ.exe
3236	MEMZ.exe
376	MEMZ.exe
3504	MEMZ.exe
3504	MEMZ.exe
3496	MEMZ.exe
3496	MEMZ.exe
3504	MEMZ.exe
3496	MEMZ.exe
3504	MEMZ.exe
3496	MEMZ.exe
376	MEMZ.exe
3236	MEMZ.exe
376	MEMZ.exe
3236	MEMZ.exe
2168	MEMZ.exe
2168	MEMZ.exe
3236	MEMZ.exe
2168	MEMZ.exe
3236	MEMZ.exe
2168	MEMZ.exe
376	MEMZ.exe
376	MEMZ.exe
3496	MEMZ.exe
3496	MEMZ.exe
3504	MEMZ.exe
3504	MEMZ.exe
3504	MEMZ.exe
3496	MEMZ.exe
3504	MEMZ.exe
3496	MEMZ.exe
376	MEMZ.exe
376	MEMZ.exe
2168	MEMZ.exe
3236	MEMZ.exe
2168	MEMZ.exe
3236	MEMZ.exe
2168	MEMZ.exe
3236	MEMZ.exe
3236	MEMZ.exe
2168	MEMZ.exe
376	MEMZ.exe
376	MEMZ.exe
3496	MEMZ.exe
3496	MEMZ.exe
3504	MEMZ.exe
3504	MEMZ.exe
3496	MEMZ.exe
3504	MEMZ.exe
3496	MEMZ.exe
3504	MEMZ.exe
376	MEMZ.exe
3236	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1736	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1736	mmc.exe
Token: SeIncBasePriorityPrivilege	1736	mmc.exe
Token: 33	1736	mmc.exe
Token: SeIncBasePriorityPrivilege	1736	mmc.exe
Token: 33	1736	mmc.exe
Token: SeIncBasePriorityPrivilege	1736	mmc.exe
Token: 33	2120	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2120	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe
884	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4768	mmc.exe
1736	mmc.exe
1736	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3236	3596	MEMZ.exe	89
PID 3596 wrote to memory of 3236	3596	MEMZ.exe	89
PID 3596 wrote to memory of 3236	3596	MEMZ.exe	89
PID 3596 wrote to memory of 2168	3596	MEMZ.exe	90
PID 3596 wrote to memory of 2168	3596	MEMZ.exe	90
PID 3596 wrote to memory of 2168	3596	MEMZ.exe	90
PID 3596 wrote to memory of 376	3596	MEMZ.exe	91
PID 3596 wrote to memory of 376	3596	MEMZ.exe	91
PID 3596 wrote to memory of 376	3596	MEMZ.exe	91
PID 3596 wrote to memory of 3504	3596	MEMZ.exe	92
PID 3596 wrote to memory of 3504	3596	MEMZ.exe	92
PID 3596 wrote to memory of 3504	3596	MEMZ.exe	92
PID 3596 wrote to memory of 3496	3596	MEMZ.exe	93
PID 3596 wrote to memory of 3496	3596	MEMZ.exe	93
PID 3596 wrote to memory of 3496	3596	MEMZ.exe	93
PID 3596 wrote to memory of 428	3596	MEMZ.exe	94
PID 3596 wrote to memory of 428	3596	MEMZ.exe	94
PID 3596 wrote to memory of 428	3596	MEMZ.exe	94
PID 428 wrote to memory of 960	428	MEMZ.exe	96
PID 428 wrote to memory of 960	428	MEMZ.exe	96
PID 428 wrote to memory of 960	428	MEMZ.exe	96
PID 428 wrote to memory of 4768	428	MEMZ.exe	100
PID 428 wrote to memory of 4768	428	MEMZ.exe	100
PID 428 wrote to memory of 4768	428	MEMZ.exe	100
PID 4768 wrote to memory of 1736	4768	mmc.exe	102
PID 4768 wrote to memory of 1736	4768	mmc.exe	102
PID 428 wrote to memory of 884	428	MEMZ.exe	105
PID 428 wrote to memory of 884	428	MEMZ.exe	105
PID 884 wrote to memory of 4136	884	msedge.exe	106
PID 884 wrote to memory of 4136	884	msedge.exe	106
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107
PID 884 wrote to memory of 4124	884	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3236
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:960
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd38e846f8,0x7ffd38e84708,0x7ffd38e84718
      4⤵
      PID:4136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      PID:4988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
      4⤵
      PID:4704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:3224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:2872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
      4⤵
      PID:2280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
      4⤵
      PID:2100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
      4⤵
      PID:692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
      4⤵
      PID:1492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      4⤵
      PID:3140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:4352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
      4⤵
      PID:1944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
      4⤵
      PID:4376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
      4⤵
      PID:1200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5440 /prefetch:8
      4⤵
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3552 /prefetch:8
      4⤵
      Modifies registry class
      PID:3592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
      4⤵
      PID:4220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
      4⤵
      PID:4724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
      4⤵
      PID:4636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      4⤵
      PID:4288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
      4⤵
      PID:5016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
      4⤵
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      4⤵
      PID:3264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
      4⤵
      PID:2536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277551918268634761,1292507934702386284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
      4⤵
      PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://softonic.com/
    3⤵
    PID:4304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd38e846f8,0x7ffd38e84708,0x7ffd38e84718
      4⤵
      PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed
    3⤵
    PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd38e846f8,0x7ffd38e84708,0x7ffd38e84718
      4⤵
      PID:972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\727c07a1-b0b0-4eec-9368-b41cadfdcd77.tmp

Filesize
5KB

MD5
b81cfaceba00ebda1e407b3c139a19d5

SHA1
5300cf4b37fd46e6990c0b111e6b508a236b6892

SHA256
d044a7998b153002600acb472e7d7b728862f1ee3ab60ea20cab0a80b24d768d

SHA512
7a15c7909d55df81514e91d0f22f7e0c162334f2a9e042a2ce4b01561b0ebdbf20af3ec8de60afd0d5cf606e3e83575a742c514432ad4f96f557ce91fcc07dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
003fe145d79eaa00a60732981d3e6809

SHA1
feb21d229723dfe2d1dc72f131aff68c79f6e69b

SHA256
e1b54a277afb6d25e3e73982671ec0126017b74beb0b7e69421c84bf854b2039

SHA512
de28a29619e6ca1e404d31f9643df507982fc6ee73544e59a2a13f48d0aabd53b21df181c171e5d47f35c384dd5b0315e0ed95c5dd22e4ac5d7dcaf875b96896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
0e594c9ac1463333edfc79b33ac51da2

SHA1
45edca46a460a64d698732f32c1d926bedb91cf0

SHA256
3aaa379cfee986014e24271d5aa4b37f36f29e4fbf4fd46c07ebcdc613b3d4ff

SHA512
3f6a605cceb27c1327d0ae77c09815cc3e1f25f50c906a2b5ed10a40b95b162172aafa916b33296fca2b799a1323464f2d122f03f772868c42b9e0488b24fe97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
30fd14cad737f90934ab5d17f3ac4d5a

SHA1
6e903ed0fd3797fb25ebce7fe017b7b660c31781

SHA256
4dd14dec7518ddcdf5af94baaa6d9989f29e71523b0ddc74fa3e93a701940260

SHA512
84138c8f527e78f280cff7eb37545938505211f2f14c5b2406f2c5f7ac6e73c80b469c52e8e1df02b5be6033f70c0dc717a3752d5395dc698cf9f35c86f16df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
94312344720bf78c43308f13255e79be

SHA1
93bc593d55e04d530d843d8a6c42c51689dcb7fb

SHA256
78f4bef0a4c54a588841e5475e4ae8c91ab2edd7bc208739cad2771f38575759

SHA512
597192245c863e127ca74bf95bcfb623046757cf41e29d57bf0dcbf7e572e9bffed629877b39fb57888d807f12faecb1ed68aea483a10b4d439fc8211505c336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c42bf6c0a49f76a50fd3751afbc258be

SHA1
939590560d3daeb5576b335dd5ff774b892b2f8c

SHA256
4d5d4f15a6cfb3e89c0bf1d1f32f094c7629ffa9ac74d740eff4e54c6300a2ff

SHA512
f338cf4f743c6c5aae22463cc260f7ff296466b7aba03307d4c6e2958655da0d292f152d10088878466ff299c46d23d13b3561d2110dee796adddc44257467ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d7e8b930c6f42b17ab2581a45a41e5be

SHA1
00356f47c7ab720e403782fced844b26e549741e

SHA256
67d152c7382322a04db659bd6308d32b7cb35bda4cf4230b172bd8cd453d8a3b

SHA512
070ef6b4b0f78e28a1be906ec8f1fe49e81b108025dec72b10aceedfc9c395458ae979b9f81beb874a305c5491bb552e8d51f8b33ea15c09029debd807dcade7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3fab1857744d4bfbdc12cbe05b8109ab

SHA1
dfe93ac7debfef8212ce4c0adb657526fd0312db

SHA256
6b46dfb088d99da4f47cce99ed6bb064f0a0e15cbbe43000499db7e7103d61c1

SHA512
56e1ae4d5d2d523f37f3750877b6bb7f3e34169e7905e8724977c6da9f0cfeaf903872a2ec138438e4c91110378ab105e218b7d8c9cffc9957d704c48e940bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efd5958f879ba7198d789eac9e4db1d7

SHA1
1b03fa0e4a3418107065f17a6a2c759c9fd72a4a

SHA256
c4f4579dccf928853f1d87e9b7a1bb23f0bb74f262708b6866bfeaf301cdf957

SHA512
e2f013635901b6d901aff3255c68fdbc64899fe02830050d3d9f6b1a7448faae1699899fae65ef20ba7a57ec9124d96548a384ac486b4819012adc90e26f9e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe595dd6.TMP

Filesize
538B

MD5
dd256c86e29398692f15bfc83b463488

SHA1
d816715916bd2081271640018f1d73fd5baa87f0

SHA256
904e719ab5d4536221ecc23600931b8ea14bc809458c1771e17724132f92c63e

SHA512
fd5df97e043f9a1049c32af88d8ac7a0019e5ce9f5147e4cb1e444fecd37ec34dbb8a807cb8f2cc59c2c72ef76865944838fca1e516622f76e83e5d9c76c7a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2d955d7394c6ce0af3ff0d097c68c1c0

SHA1
f2eaf93e8fcf5a634a4520505dc2756528c8cda6

SHA256
6e54a03155529666b110be17ab985008556b3903156d934763db372723bb68f9

SHA512
7d9112531686261578338d080d44e0a1b6364ad7d5d79d389ad6709ae4fd7f4a353bed22df74dc1fac667482f004bcc39b8745ca078fcdc07ea51cb2a86d32d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f270ab0f-f1b2-4e4c-bbd4-8d7d050420f5.tmp

Filesize
10KB

MD5
0fa0e59fc284f15df58ef3af4d5beeef

SHA1
160a5ea01e76db3f523a1425a9a4196d80354957

SHA256
d5a2a238d30b095aa75d13c75caeb61cce4aa1f7b8321d825f008b5da9908f8d

SHA512
89843e060f3fa042895cb878219364a7d8f794851418c4e149829a1f8e97cb174fd1387a76b39c6d52efdad4c345c19eb682a03dac5763d5fa63a9a0c629c3b5

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit