3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Analysis

max time kernel
84s
max time network
85s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22-04-2024 17:08

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-22T17:10:12Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_3-dirty.qcow2\"}"

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2576	MEMZ.exe
2576	MEMZ.exe
2004	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
1924	MEMZ.exe
2004	MEMZ.exe
2004	MEMZ.exe
2576	MEMZ.exe
2576	MEMZ.exe
2004	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
1924	MEMZ.exe
3336	MEMZ.exe
3336	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
2576	MEMZ.exe
2576	MEMZ.exe
2576	MEMZ.exe
3540	MEMZ.exe
2576	MEMZ.exe
3540	MEMZ.exe
3336	MEMZ.exe
1924	MEMZ.exe
3336	MEMZ.exe
1924	MEMZ.exe
2004	MEMZ.exe
2004	MEMZ.exe
2004	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
1924	MEMZ.exe
3336	MEMZ.exe
3336	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
2576	MEMZ.exe
2576	MEMZ.exe
2576	MEMZ.exe
2576	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
1924	MEMZ.exe
1924	MEMZ.exe
3336	MEMZ.exe
3336	MEMZ.exe
2004	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
1924	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
2576	MEMZ.exe
2576	MEMZ.exe
3540	MEMZ.exe
3540	MEMZ.exe
1924	MEMZ.exe
1924	MEMZ.exe
2004	MEMZ.exe
2004	MEMZ.exe
3336	MEMZ.exe
3336	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	taskmgr.exe
Token: SeSystemProfilePrivilege	4876	taskmgr.exe
Token: SeCreateGlobalPrivilege	4876	taskmgr.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1924	MEMZ.exe
2004	MEMZ.exe
3540	MEMZ.exe
3336	MEMZ.exe
2576	MEMZ.exe
3540	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
3336	MEMZ.exe
2576	MEMZ.exe
1924	MEMZ.exe
2004	MEMZ.exe
3540	MEMZ.exe
3336	MEMZ.exe
2576	MEMZ.exe
3540	MEMZ.exe
1924	MEMZ.exe
2004	MEMZ.exe
3336	MEMZ.exe
2576	MEMZ.exe
1924	MEMZ.exe
2004	MEMZ.exe
3540	MEMZ.exe
3336	MEMZ.exe
2576	MEMZ.exe
3540	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
3336	MEMZ.exe
2576	MEMZ.exe
1924	MEMZ.exe
3540	MEMZ.exe
2004	MEMZ.exe
2576	MEMZ.exe
3336	MEMZ.exe
2004	MEMZ.exe
3540	MEMZ.exe
1924	MEMZ.exe
2576	MEMZ.exe
3336	MEMZ.exe
3540	MEMZ.exe
1924	MEMZ.exe
2004	MEMZ.exe
3336	MEMZ.exe
2576	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
3540	MEMZ.exe
2576	MEMZ.exe
3336	MEMZ.exe
3540	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
3336	MEMZ.exe
2576	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
3540	MEMZ.exe
2576	MEMZ.exe
3336	MEMZ.exe
3540	MEMZ.exe
2004	MEMZ.exe
1924	MEMZ.exe
3336	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2004	1980	MEMZ.exe	81
PID 1980 wrote to memory of 2004	1980	MEMZ.exe	81
PID 1980 wrote to memory of 2004	1980	MEMZ.exe	81
PID 1980 wrote to memory of 2576	1980	MEMZ.exe	82
PID 1980 wrote to memory of 2576	1980	MEMZ.exe	82
PID 1980 wrote to memory of 2576	1980	MEMZ.exe	82
PID 1980 wrote to memory of 1924	1980	MEMZ.exe	83
PID 1980 wrote to memory of 1924	1980	MEMZ.exe	83
PID 1980 wrote to memory of 1924	1980	MEMZ.exe	83
PID 1980 wrote to memory of 3540	1980	MEMZ.exe	84
PID 1980 wrote to memory of 3540	1980	MEMZ.exe	84
PID 1980 wrote to memory of 3540	1980	MEMZ.exe	84
PID 1980 wrote to memory of 3336	1980	MEMZ.exe	85
PID 1980 wrote to memory of 3336	1980	MEMZ.exe	85
PID 1980 wrote to memory of 3336	1980	MEMZ.exe	85
PID 1980 wrote to memory of 3172	1980	MEMZ.exe	86
PID 1980 wrote to memory of 3172	1980	MEMZ.exe	86
PID 1980 wrote to memory of 3172	1980	MEMZ.exe	86
PID 3172 wrote to memory of 3548	3172	MEMZ.exe	89
PID 3172 wrote to memory of 3548	3172	MEMZ.exe	89
PID 3172 wrote to memory of 3548	3172	MEMZ.exe	89
PID 3172 wrote to memory of 4464	3172	MEMZ.exe	90
PID 3172 wrote to memory of 4464	3172	MEMZ.exe	90
PID 4464 wrote to memory of 748	4464	msedge.exe	91
PID 4464 wrote to memory of 748	4464	msedge.exe	91
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92
PID 4464 wrote to memory of 1340	4464	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3336
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe6f4a3cb8,0x7ffe6f4a3cc8,0x7ffe6f4a3cd8
      4⤵
      PID:748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
      4⤵
      PID:1340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      4⤵
      PID:1356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      PID:908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
      4⤵
      PID:2212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:2800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      4⤵
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
      4⤵
      PID:4836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
      4⤵
      PID:3156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
      4⤵
      PID:2296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
      4⤵
      PID:3932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      PID:2448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
      4⤵
      PID:3616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10244958297144460085,4473955216420848175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
      4⤵
      PID:684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57e5c5a9236321d336e2c8ce1eeff844

SHA1
8fd4288af72ba3f7a0ecc5583a9265723fefc096

SHA256
ae6496cf397848bf3139858deaf567e3df991bab5a7704a0fa7aae95474872d7

SHA512
bc3f24afe6ce0494022d8201a01a60239ac5cfee54e0650a337036817056424b418cb636d58d07e5034dffe2226906202b56509e4cc07562c0b60f618c420080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
493e7e14aceba0ff1c0720920cccc4a2

SHA1
468f39cefbcf14a04388b72d4f02552649bf3101

SHA256
a0dd32ed60115f661a4ca537472e0d4e230ff844d56a3db766299cf4cd817842

SHA512
e16c748e4513ea10bf7124cef7b50dc5f3a1802205af9228e0c33fdbf3c24286739db08db4b813079ed7cc36be43d7457f4c26f00ae3126a2fafd77d2696107a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
2f441a2dab10fd41a529c75ff98c4190

SHA1
33b88a085996d990d9098ba7234c55bd04675c35

SHA256
947232da86f293cf6895d95eb619b280b857bde7cc586d43177e420df3fa4044

SHA512
e2778cc8fff16715aff9fc49ef00b159394191ad8fba6c5a80b609e4ffc96176d85083b36b6a8c0c9382effa6a9813010af5569dfec8b7dc1be3deecec5f04b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a4da9297634aa32fdf4dc9997160cd8

SHA1
2e04231b0dbfe3898b7be6bea4b3ab4293b49202

SHA256
2999f699fcf9ed316a33c0ef69335938744a7f15dc2ccbef7c7c02ad68bef09c

SHA512
3022719caaa26d787857e4b6286d8879eed5c267a9d9c4cbae046b9174b7d692bf5f5c90ef45db77b221b7a574421419ed4064d91a34fefe3dfff90ddf7a74c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a76f4101249cfdf438d257713ebbc18b

SHA1
a407ac20f195a00471ec32626e8112c43b6b8473

SHA256
939f4a93521f5eb147dc5ee95e69885972e93cb8c3f0de2ae48a46dd29952f70

SHA512
d851c266af2ad9275ef7091b54e550c7f94b363fbab93d4102a5acbd7a213b2e4c04dafa31b7ded009a7206ddfebccb421ce51040ab85a77f050672e19636245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1bc58e30cba968047ad871c97aa7015d

SHA1
dad41b81ce6708400f6708bbecd45efcf76a1c6c

SHA256
b9874e59e6090614b0fa37a4c2eade07265560a9e864cac62f751569d77597dc

SHA512
ad8dbf06d8231c044e3b04014e6fe57eb5391528d989d077a2093439271fcf81e4d23c02204d57e6e2aca525f22f7d07c930bee8dc4e812cff8e62c50c4cf2f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
e76595fd72310467bf9f2981a5de88ed

SHA1
0e259feb85200d1cc82efe33cf5fd5f769180cba

SHA256
c1df1f64faecb63c509f09484c95390d77b34cb87a7e0edff35a3c32fb3cd2e3

SHA512
ffcf8ea722074336b84c55f8aa5143aff809a7964645fb905e880a0a79cc1f679a34d280ebc6fd014b26aab1b0b347640690fb30a5a76fd76df4c5ba62e3c7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b77e3bcc9e4ef2052da172fab3a454d

SHA1
ec37191820f295e8fac4bc3c1298eab4ea201915

SHA256
4ec8feb2b63eca9c2c6ee6aa43420aef16f89be3046c089a71eb8a1260385791

SHA512
34cbee86bba4a46ad8dd9405b5ea908eba21dee19562f3277f3ee1c53c6c9d6f7d3c4fa437d8a0274fd581f202dc98d848109865de343ae0225e8fb3e3e9d6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fef1bef0d65b311d899639766ed17ecf

SHA1
f898885909b82948de739e59f56aa1ee0ef783d9

SHA256
fe83130b669fe2a048169960820f7eb1836c1185a1726dcfa072f6f2b255bc86

SHA512
0fae94cb7ec420628483e3b7c7efabed09e39995bb53ffb2d7d9f0323cbf2b50be16102806cf2e5d7455610f7930f3900ccffd74adbcb77003d696d41f6626e1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/4876-187-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-185-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-186-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-191-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-192-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-193-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-194-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-195-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-196-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download
memory/4876-197-0x000001F1A9E30000-0x000001F1A9E31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads