da6062107b3fa8e3e95c3fe0bf63e065a39e01016217ba841dac9e34b2cd4b64

Resubmissions

10-04-2024 19:06

240410-xsfaksca6t 10

10-04-2024 19:00

240410-xnz47agf92 6

10-04-2024 18:57

240410-xl4plabg51 7

10-04-2024 18:51

240410-xhvbrage44 7

Analysis

max time kernel
113s
max time network
136s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

18KB
MD5

b96c2023aecaedc1ef2eba00d10c2acd
SHA1

2db4028fb645c078655b1540747368e510a5ea77
SHA256

da6062107b3fa8e3e95c3fe0bf63e065a39e01016217ba841dac9e34b2cd4b64
SHA512

146dccb0a81099bd762c649cca97a866f1ba2b2bb7f5e909cbb83eaad92384c5fec36999a90bfb9e0a9c06d79e08eab6c933601bdc77e5945f20a9fdc1a1a361
SSDEEP

384:rGzDpmReVoOs4xN9ylKeGMGU8HhhbOtq7mS2LjFrSE3+OVJCBXQL:rGzBVoOs4xryI1MMBhbWM6FrSEpJQQL

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

geometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exegeometry dash auto speedhack.exe

pid	Process
4604	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
2204	geometry dash auto speedhack.exe
4776	geometry dash auto speedhack.exe
4656	geometry dash auto speedhack.exe
4804	geometry dash auto speedhack.exe
3616	geometry dash auto speedhack.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

geometry dash auto speedhack.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	geometry dash auto speedhack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-627134735-902745853-4257352768-1000\{6F20AEA9-C21E-40F5-B46D-DB5FE3A58989}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe7zFM.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe:Zone.Identifier	7zFM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exegeometry dash auto speedhack.exe

pid	Process
4532	msedge.exe
4532	msedge.exe
1972	msedge.exe
1972	msedge.exe
5004	identity_helper.exe
5004	identity_helper.exe
2280	msedge.exe
2280	msedge.exe
4376	msedge.exe
4376	msedge.exe
988	msedge.exe
988	msedge.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe
3708	geometry dash auto speedhack.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
2136	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	2136	7zFM.exe
Token: 35	2136	7zFM.exe
Token: SeSecurityPrivilege	2136	7zFM.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe7zFM.exe

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
2136	7zFM.exe
2136	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	Process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1972 wrote to memory of 2264	1972	msedge.exe	80
PID 1972 wrote to memory of 2264	1972	msedge.exe	80
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 3180	1972	msedge.exe	81
PID 1972 wrote to memory of 4532	1972	msedge.exe	82
PID 1972 wrote to memory of 4532	1972	msedge.exe	82
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83
PID 1972 wrote to memory of 4052	1972	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e2bc3cb8,0x7ff9e2bc3cc8,0x7ff9e2bc3cd8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1636 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2080 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,11922298610169799338,5146287682592996518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:988
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar"
  2⤵
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe"
    3⤵
    - Executes dropped EXE
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3708
  - - C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe" /watchdog
      4⤵
      Executes dropped EXE
      PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe" /main
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      PID:3616
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        5⤵
        
        PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4604cbec2768d84c36d8ab35dfed413

SHA1
a5b3db6d2a1fa5a8de9999966172239a9b1340c2

SHA256
4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2

SHA512
c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
577e1c0c1d7ab0053d280fcc67377478

SHA1
60032085bb950466bba9185ba965e228ec8915e5

SHA256
1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158

SHA512
39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
62c07b0701f3984f8205dbc554ad95de

SHA1
581cf6f6c14efc878b839c32bd72e5cc18b24350

SHA256
830609c8de08d21b533850d4c789ffd7e9a2c5f1e4cce69c4de41fe888b9e6a7

SHA512
9315959b42d808662225da8b598e30925a18d488966e5c7491470a74a19b3019ba4c6aff543a7f1d6e5ed1bd66397ebbcf3326ba60a7e24832533c54dc61dab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
867B

MD5
8f267ab43fca56da277f0f4e2cc82f14

SHA1
4a59158f3d22654b01aaac99f7dd4267f789fec6

SHA256
7cad07dc2aac6df0405ecdca141d7da7b1eba7b13f168f384ca1aa203da57cba

SHA512
710dc148ee00d17de7bc272ad61d526ce12eadf1552cd2ae1c1fee2cc73fb6ef8ca0f95d00d6f46fdd1d0d38ba16d6160e7d3f534417ff01ee02990a7c862a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
839785517db92f460241c739c4ece495

SHA1
2b431b8a0e4f3780095b26c4f4790657a573636d

SHA256
26a4f2f57d16c6c351fbaf658d0647994156e9e832af96dad3964a4c0b7fa40f

SHA512
bb7308784abd10f1a8f5c3e1f21955da7f55d8a6bf5e2ef95ca8675d959ee8e44e634f34e734fe4060bd43672d2d2f79b775dcbfb8414a66ac8e76b5787d513e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe78834ddf307e298fa6f4c48806f515

SHA1
bd67f5b22998cda146a02376e4047c6453308a88

SHA256
93489ef6f4736274670197986c23166dbe1ad9d605c8fc8b1b15bcc27cc0925a

SHA512
b7714207bf22f6d3a66dfc9f644da0ba42b778cee02a3b510fda5d21f9eab65d2e62a523309f4d5577e50903d225043cd75bd7da3eade337d859bd151fc8c5a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e1120e4d934409b44e6a5493e1009688

SHA1
c556025fbd11bcec90bb20a6e91bf2d32b319d7e

SHA256
a822ce0c54506407e79813ba0f693d1c5308c525ff72ebd16c2e611208e7733d

SHA512
64fcd4afbc18cfb964519d053d9ffb585f5453479b8e9131c0abd2d8975cc84b3681a57d788f6071913979d447f8f0ddfbd8c148b490c9a616ff7b698b2d791c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
16410cbd39674074fccb17f6c95aea5d

SHA1
da8c12de61d64f149a46891a4ca2735c9d3f6238

SHA256
bc9704ba30ccf1ad6eb01464befab0134ac6fb2fa591974fd6c57e52f8d28fb8

SHA512
d8b7aa55b7d20832d1163035b0cffec557b9a3badddf0e21d021b7ab294d89f6045e196056bb2dfa04be0650fa9856a2bd576cab704fe09dd052020220de4e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
77ec441aa52461c2c0cc326b7041e1d8

SHA1
201ed740c96abfa880893cab6c75c399b374fde8

SHA256
231e3d844835c120a34727bc436cca4d522c60ff34a34e68cf50dca2750aac3e

SHA512
2155445e906d1d2644d0f81d6ff2f12e6b9f934c4ef8490ccc6faff62360630df7b7a89ad1e3bc74fa4edd2d3b44bf0a674cd0136db9c2abf53cce65737271c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
974e2da831278daef2215a7de4c3861d

SHA1
0da8020828ef42906fd4a74ffa18294df56b1253

SHA256
e79b302c6ec5252b379cd083856b0777af750c4b090618795356ebe4d48223dd

SHA512
ed4e4293a664eb5bd6c810f6dc4b450367108aaa29ea6f78999f3b4aaefb6cdedbed9b67b4db9d9199ce9e1def59a9c9fbd93a929fd1e1ad0cd5c0107ff60a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58560a.TMP

Filesize
538B

MD5
09f57c04ca6fc37d6b33bf0518c1c073

SHA1
5de95fe04e7fe0e3fdbf118107879e6f12c93f8f

SHA256
0667a7f21f72434f348a070ddc44ab6939edde78962c8027f4747fdeff4aff66

SHA512
e7da0e2473cc313a3964fe4cbd69b6f6df8d9059c1ba73dbafa4f1d6d0e11863c1fea03e9510cc36a5c3397dbd4bd02b002fc47603e5afce83a48b05b0cfe754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f174d87211e9514a59efb7e7f9dfb01

SHA1
1e6fef1d5aa986578753a0cbcde12efcba19eb44

SHA256
4e299fb87fb36ffe67d045cb4b4cfe98b5392a3967083adff513efae9e095e07

SHA512
10ccad7a29b19e855b60a7c0af6be4e5919acf9b70937cd66fe02911ac2a72a18c019319ab5c16ed388423b3aad367c2c2b243adbfb942d3510af1fb91a67113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be48115a5f7771edebc6ffefd33fe6c2

SHA1
f68b034ebf23d39fe7df9efb978fb73255399f80

SHA256
7da67b58069e60cf94d42ff924439ac0dcd4b484b25759c7fe88fe4fa9e05be3

SHA512
341c793a59952c5ce7d892bb8b0c8b1ed23eed6f53934e51f47b11ca30b16e5daddf20fb016cd572b6d86f87316a0efc3fe241e8ffc05db2ed9c06df36799b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO858781F8\geometry dash auto speedhack.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar

Filesize
17KB

MD5
352c9d71fa5ab9e8771ce9e1937d88e9

SHA1
7ef6ee09896dd5867cff056c58b889bb33706913

SHA256
3d5d9bc94be3d1b7566a652155b0b37006583868311f20ef00283c30314b5c61

SHA512
6c133aa0c0834bf3dbb3a4fb7ff163e3b17ae2500782d6bba72812b4e703fb3a4f939a799eeb17436ea24f225386479d3aa3b81fdf35975c4f104914f895ff23

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier

Filesize
651B

MD5
37b9e027f5cd748e331c3cfce3cf18d4

SHA1
82ea172e2d9e68664c8c195829354a291166647f

SHA256
6ea648a190b17c72459b0f3b6494841e61c5eb56e45bfe928e75c8edae16556a

SHA512
563de2992a1d76b142422615803be4c5f0ed6543c96438de1beb7e68d973debda783a4cdf5b20fc0357910dc3a7734c140a9fac91d4e95ab2ae1a9c5eed5513c

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_1972_APGRRHEOTQTQOTTB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit