2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Memz.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Memz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Memz.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Memz.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3648	Memz.exe
3648	Memz.exe
3648	Memz.exe
3872	Memz.exe
3648	Memz.exe
3872	Memz.exe
3648	Memz.exe
3872	Memz.exe
3872	Memz.exe
3648	Memz.exe
3872	Memz.exe
3648	Memz.exe
3872	Memz.exe
3648	Memz.exe
4356	Memz.exe
4356	Memz.exe
3872	Memz.exe
4356	Memz.exe
3872	Memz.exe
4356	Memz.exe
3648	Memz.exe
3936	Memz.exe
3648	Memz.exe
3936	Memz.exe
4528	Memz.exe
4528	Memz.exe
3936	Memz.exe
3936	Memz.exe
4528	Memz.exe
4528	Memz.exe
3648	Memz.exe
3648	Memz.exe
4356	Memz.exe
4356	Memz.exe
3872	Memz.exe
3872	Memz.exe
3936	Memz.exe
3648	Memz.exe
3648	Memz.exe
3936	Memz.exe
3872	Memz.exe
3872	Memz.exe
4356	Memz.exe
4356	Memz.exe
4528	Memz.exe
4528	Memz.exe
4528	Memz.exe
4356	Memz.exe
4528	Memz.exe
4356	Memz.exe
3872	Memz.exe
3936	Memz.exe
3872	Memz.exe
3936	Memz.exe
3648	Memz.exe
3648	Memz.exe
3872	Memz.exe
3936	Memz.exe
3872	Memz.exe
3936	Memz.exe
4356	Memz.exe
4528	Memz.exe
4356	Memz.exe
4528	Memz.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5712	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe
4992	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3616	Memz.exe
5756	OpenWith.exe
4708	mspaint.exe
4708	mspaint.exe
4708	mspaint.exe
4708	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 3648	1648	Memz.exe	96
PID 1648 wrote to memory of 3648	1648	Memz.exe	96
PID 1648 wrote to memory of 3648	1648	Memz.exe	96
PID 1648 wrote to memory of 3872	1648	Memz.exe	97
PID 1648 wrote to memory of 3872	1648	Memz.exe	97
PID 1648 wrote to memory of 3872	1648	Memz.exe	97
PID 1648 wrote to memory of 4356	1648	Memz.exe	98
PID 1648 wrote to memory of 4356	1648	Memz.exe	98
PID 1648 wrote to memory of 4356	1648	Memz.exe	98
PID 1648 wrote to memory of 4528	1648	Memz.exe	99
PID 1648 wrote to memory of 4528	1648	Memz.exe	99
PID 1648 wrote to memory of 4528	1648	Memz.exe	99
PID 1648 wrote to memory of 3936	1648	Memz.exe	100
PID 1648 wrote to memory of 3936	1648	Memz.exe	100
PID 1648 wrote to memory of 3936	1648	Memz.exe	100
PID 1648 wrote to memory of 3616	1648	Memz.exe	101
PID 1648 wrote to memory of 3616	1648	Memz.exe	101
PID 1648 wrote to memory of 3616	1648	Memz.exe	101
PID 3616 wrote to memory of 1644	3616	Memz.exe	104
PID 3616 wrote to memory of 1644	3616	Memz.exe	104
PID 3616 wrote to memory of 1644	3616	Memz.exe	104
PID 3616 wrote to memory of 4992	3616	Memz.exe	107
PID 3616 wrote to memory of 4992	3616	Memz.exe	107
PID 4992 wrote to memory of 4316	4992	msedge.exe	108
PID 4992 wrote to memory of 4316	4992	msedge.exe	108
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109
PID 4992 wrote to memory of 4412	4992	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\Memz.exe
"C:\Users\Admin\AppData\Local\Temp\Memz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa10ef46f8,0x7ffa10ef4708,0x7ffa10ef4718
      4⤵
      PID:4316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
      4⤵
      PID:4412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
      4⤵
      PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
      4⤵
      PID:2364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:1404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
      4⤵
      PID:964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
      4⤵
      PID:732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      4⤵
      PID:4684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
      4⤵
      PID:5232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
      4⤵
      PID:5240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      4⤵
      PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
      4⤵
      PID:4868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
      4⤵
      PID:5400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5786417256586159583,12518675657982562076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
      4⤵
      PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+download+memz
    3⤵
    PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa10ef46f8,0x7ffa10ef4708,0x7ffa10ef4718
      4⤵
      PID:6080
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - Modifies registry class
    PID:5624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed
    3⤵
    PID:3060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa10ef46f8,0x7ffa10ef4708,0x7ffa10ef4718
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x428 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b56675b54840d86d49bde5a1ff8af6a

SHA1
fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811

SHA256
86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929

SHA512
11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
86862d3b5609f6ca70783528d7962690

SHA1
886d4b35290775ceadf576b3bb5654f3a481baf3

SHA256
19e1a1ad6c54fc29a402c10c551fa6e70022cefca6162a10640ee7d9b85783ed

SHA512
f0746c23a06effd14e1e31b0ea7d12156ff92b1f80445aa46e1a4c65cf5df4bc94f6dabe7aead01f1bd6a6c7b851b577a11697a186426a2c8dca897c48515ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
72B

MD5
0e3fc4b6fa16ec2915a35a83acb70555

SHA1
40804216bc6b5149f8007fa6f71467355d62d250

SHA256
a6176bbb14ffb6d6291838c2c1bf4b58d67ef4ab422788a0800e0b380b176de7

SHA512
f514c4bcc795c54311958312e7973e6278da016907d69103ec6566011e76d94e18d9ce2fe8bd3f2449c654aa6d0ba220be258235a55052b5c58c44f5e750842d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
cbbc5f614fa3da0bdfcf39e19b59126e

SHA1
fd5efab07b108b991b6aa9554117b76683834cbf

SHA256
31e0d65b145413d1e4984c506382039518089232cd8a65c28b2ea92f07cbeb7f

SHA512
1cceb862a52c282c70a268844f1c0b13ab91268cd808abe2221b0452ce64eee9f4abdb030c90241329232c5478677a450d9111c120d16a390414b5398f86045c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
83b03799130ff0bd014fd5c1e492a0ff

SHA1
5195ae6b46a9cd68d0d216b6531fa4e082c0afbe

SHA256
3841438c14e97bc56bc7d4aba57f50b66d9eea5a8ab0e26db7780c1dcc3b051e

SHA512
42b29b4ba4fa163950563b9fb93b611413cc0437b40727d0b8ac426d9443fa91983a67b242bf8f083db5886bf635be88862db6a6aae0dd52f87dcd956c1f7714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
786B

MD5
6d507f956b06dc757720304f9a6c7cbb

SHA1
d166ef6e5c4b1a4123016359df9e5e673d89141f

SHA256
cff2413c8af7089f665bb08473418b496d7a8d1bd70dbcab282514abd10c503d

SHA512
62e55ce5ae76c79fe953c3c1594d31037a3adb58d9ef39eae0c53a120dc803ac925fe3bb26dc89d036eb85656ba6e109f38df75f38253b8fe4b6ff0d56c2674e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38c1436e209bb7ee44316e3f2d2e3263

SHA1
f2b9da9a0605038e1301b2a2dc2bade4fde94987

SHA256
95c7844c1dc9f0a98bed3a14cb45c0eac858974f1680676fcd9f093c40569993

SHA512
6ea63df8d0ca70cdef3d320daa0053c18e1ca46cc3b90ebb73a06de959345c6dcf184970cd110c4b50204cc95e95d15b6d0a6d41d4e96c32a82f662a6a9b8636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70cd915b2917338917c169dbd5e4a281

SHA1
1a916b4dd1ad672138c50d0ff7e5874d4e2e813c

SHA256
80fd9c41f42c5ff8bf813f394483a994b2415ca88c4333bd2c75d00a10c1868c

SHA512
4a9801bf0a4e7037096ad45fe89b9fbda2e15ab3ed22a65189bb5bfbb347ec031b2c788c06b0c1d554e2ea78c9972354e88098616b0023b78df7786cb8597efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4602c3b7066f607650d0b3b98e78419a

SHA1
4ce784f8b3fe96aea71c7836f247c830b29a8537

SHA256
0fd100c5e72f7d9edfd4400b312c7b84a109e50cb48c92d027e502029495de90

SHA512
df1b661e6fb75f569e17316cc73551a807f3433e68c592786443e9c504a58b948a38a2f4f9fa087941dbcec8f2b9cc2b911bb096387c4fddc153acf23c88541e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
818942a5867c4352592b0cc16bc30a38

SHA1
c804b68c3a66e546405d260c62f6ecbb534c64cb

SHA256
71efa296b36d26cf20cc474e3dea4319dec314754ed38f3a58f57b9682737bbf

SHA512
45d6961f5f84b908ef5ae3e872fbac4695ef8a15196ce3320a5c4903a9c7542d34dc3a79911f55237c3c678737a2f84da1f546f6421a6b4930a5408f255cf3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
c64e558c2f463144531360b51f7ef4cd

SHA1
1c2af690b8668870f510050012891054cd0a7ab1

SHA256
f78b41a1851494e539e5eb81531d7f6e50aaccb7afc6cac0e2b15479965eefcd

SHA512
d8209a1c6530d4bb81ad221ee99a24677ba1ec63597936afdcc761c905492f9b2f8dc2bfcf0495980eeb7559b12056cba1d040291e1d198f93b80ac76508aa3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
78204a9e083951cdaed278bb0dbebca9

SHA1
c456d0e6257993435d73039e39bff06a1418a7f3

SHA256
c17e98dbd533fa2ad697522ce052aef82104a1843d93991119d845675a06322f

SHA512
311b8d7d8d8289f1105d8adddee07967693ee25e5babf9597f4564dafc4ea5f4bcdc358a332e9c8efe84f2f8607ab8ad73587aeff09d1066c7ada63ed9007768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58725c.TMP

Filesize
204B

MD5
2e6764ae76a842477aba1ab0b0cda284

SHA1
7c7fa43588444f9d08789d13cc2bc704beb5c4c5

SHA256
bab305c69b062f67dc499782ef2ca3e8b3c1c74ad5a56e46dc051af98a3cfd5e

SHA512
05aa05c0fb3ac9474525371523ff6b2e9c13f0697de73b58a4ca88a9a3dd3ebf183b5554b8dbc9fb17f880be5747c75dfbde0006d8ff945683bfbac9280a7908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe85408913b824ce926220d4442b1155

SHA1
d8661ef0300f46ad12e75725f8b70c698b4e3078

SHA256
aa0a25260f1a34604bcd878c2e1be061528480d79c93bfaef7021463ea036b9c

SHA512
bb1a00ae9bdfdce13d5d1e061a96d8e3a0b3a76c1291181b6b5a017a4cb22039c3e04f0b70d701aaaf5306009d1c3f9c0054e9e59f7999d76367b09bc74739c4

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit