Overview (score 10)
Static (score 3)

Behavioral tasks
000.exe windows7-x64
000.exe windows10-2004-x64
Ana.exe windows7-x64 (score 8)
Ana.exe windows10-2004-x64 (score 8)
Bad Rabit.exe windows7-x64 (score 10)
Bad Rabit.exe windows10-2004-x64 (score 10)
Desktop Puzzle.exe windows7-x64 (score 1)
Desktop Puzzle.exe windows10-2004-x64 (score 1)
Memz.exe windows7-x64 (score 6)
Memz.exe windows10-2004-x64 (score 7)
NoEscape.exe windows7-x64 (score 1)
NoEscape.exe windows10-2004-x64
WannaCrypt0r.exe windows7-x64 (score 10)
WannaCrypt0r.exe windows10-2004-x64 (score 10)

Resubmissions
Date | ID | Score
08-06-2024 08:50 | 240608-krvyesae91 | 10
08-05-2024 16:15 | 240508-tqnx6ach3w | 10
08-05-2024 16:07 | 240508-tkr3mafa54 | 10
01-05-2024 18:02 | 240501-wmf49acg3s | 6
27-04-2024 08:46 | 240427-kpfeysff8s | 10
25-04-2024 21:25 | 240425-z9y55afb7v | 10
25-04-2024 21:16 | 240425-z4pphafa97 | 10
25-04-2024 18:27 | 240425-w3929sde33 | 10
25-04-2024 18:17 | 240425-ww4a5sdc8x | 10

Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-04-2024 18:01
Static task: static1

Behavioral tasks
behavioral1 | Sample: 000.exe | Resource: win7-20240221-en
behavioral2 | Sample: 000.exe | Resource: win10v2004-20240412-en
behavioral3 | Sample: Ana.exe | Resource: win7-20240220-en
behavioral4 | Sample: Ana.exe | Resource: win10v2004-20240226-en
behavioral5 | Sample: Bad Rabit.exe | Resource: win7-20240221-en
behavioral6 | Sample: Bad Rabit.exe | Resource: win10v2004-20240412-en
behavioral7 | Sample: Desktop Puzzle.exe | Resource: win7-20240221-en
behavioral8 | Sample: Desktop Puzzle.exe | Resource: win10v2004-20240412-en
behavioral9 | Sample: Memz.exe | Resource: win7-20231129-en
behavioral10 | Sample: Memz.exe | Resource: win10v2004-20240412-en
behavioral11 | Sample: NoEscape.exe | Resource: win7-20240220-en
behavioral12 | Sample: NoEscape.exe | Resource: win10v2004-20240226-en
behavioral13 | Sample: WannaCrypt0r.exe | Resource: win7-20240221-en
behavioral14 | Sample: WannaCrypt0r.exe | Resource: win10v2004-20240412-en
General
Target: Memz.exe
Size: 14KB
MD5: 19dbec50735b5f2a72d4199c4e184960
SHA1: 6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256: a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512: aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP: 192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | Memz.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | Memz.exe

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | Memz.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (64 entries, grouped by pid)
  852 | Memz.exe (16 entries)
  2908 | Memz.exe (14 entries)
  4132 | Memz.exe (12 entries)
  4208 | Memz.exe (12 entries)
  4288 | Memz.exe (10 entries)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
  pid | Process
  3648 | msedge.exe (13 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 5172 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 5172 | AUDIODG.EXE

- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process
  3648 | msedge.exe (25 entries)

- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  3648 | msedge.exe (24 entries)

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2832 | Memz.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (64 entries, grouped by target)
  PID 1764 wrote to memory of 852 | 1764 | Memz.exe | 97 (3 entries)
  PID 1764 wrote to memory of 4208 | 1764 | Memz.exe | 98 (3 entries)
  PID 1764 wrote to memory of 4132 | 1764 | Memz.exe | 99 (3 entries)
  PID 1764 wrote to memory of 2908 | 1764 | Memz.exe | 100 (3 entries)
  PID 1764 wrote to memory of 4288 | 1764 | Memz.exe | 101 (3 entries)
  PID 1764 wrote to memory of 2832 | 1764 | Memz.exe | 102 (3 entries)
  PID 2832 wrote to memory of 916 | 2832 | Memz.exe | 104 (3 entries)
  PID 2832 wrote to memory of 3648 | 2832 | Memz.exe | 107 (2 entries)
  PID 3648 wrote to memory of 4456 | 3648 | msedge.exe | 108 (2 entries)
  PID 3648 wrote to memory of 4324 | 3648 | msedge.exe | 109 (39 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID: 1764
  - C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 852
  - C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 4208
  - C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 4132
  - C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 2908
  - C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 4288
  - C:\Users\Admin\AppData\Local\Temp\Memz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
    Signatures: Checks computer location settings; Writes to the Master Boot Record (MBR); Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 2832
    - C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe" \note.txt
      PID: 916
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus
      Signatures: Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      PID: 3648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ff817d846f8,0x7ff817d84708,0x7ff817d84718
        PID: 4456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        PID: 4324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        PID: 4856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
        PID: 1576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        PID: 924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        PID: 4408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        PID: 1748
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8
        PID: 2040
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8
        PID: 2764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
        PID: 1544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
        PID: 3512
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
        PID: 5296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
        PID: 5304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
        PID: 1628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
        PID: 5460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:1
        PID: 5560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
        PID: 4260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
        PID: 6036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8970628763008645868,16516889451432800894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
        PID: 6068
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself
      PID: 4860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff817d846f8,0x7ff817d84708,0x7ff817d84718
        PID: 4640
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
      PID: 4188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff817d846f8,0x7ff817d84708,0x7ff817d84718
        PID: 4220
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz
      PID: 5912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff817d846f8,0x7ff817d84708,0x7ff817d84718
        PID: 5768
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1048
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3964
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x29c 0x510
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 5172
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: b92d045331a47a3bac3223ef1cee3e67
  SHA1: 7658e9bd4e943e8ab5ff66e707dad9bb92ef9a3b
  SHA256: aa86452e8565872f95c06dbb0522c7e09bbe9938f15eab0079057cbeb4da5878
  SHA512: f53b7ee831944e24e3b97bfe02eadad48dc673fc15898c56bc8a1e9d35a6561a66b47e16270c54c53c0e8cc31062cb14bf267b0af77f6b5cb4d896c8caef99e9
- Filesize: 152B
  MD5: cff358b013d6f9f633bc1587f6f54ffa
  SHA1: 6cb7852e096be24695ff1bc213abde42d35bb376
  SHA256: 39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9
  SHA512: 8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259
- Filesize: 152B
  MD5: dc629a750e345390344524fe0ea7dcd7
  SHA1: 5f9f00a358caaef0321707c4f6f38d52bd7e0399
  SHA256: 38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a
  SHA512: 2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902
- Filesize: 69KB
  MD5: 86862d3b5609f6ca70783528d7962690
  SHA1: 886d4b35290775ceadf576b3bb5654f3a481baf3
  SHA256: 19e1a1ad6c54fc29a402c10c551fa6e70022cefca6162a10640ee7d9b85783ed
  SHA512: f0746c23a06effd14e1e31b0ea7d12156ff92b1f80445aa46e1a4c65cf5df4bc94f6dabe7aead01f1bd6a6c7b851b577a11697a186426a2c8dca897c48515ef0
- Filesize: 24KB
  MD5: 87c2b09a983584b04a63f3ff44064d64
  SHA1: 8796d5ef1ad1196309ef582cecef3ab95db27043
  SHA256: d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0
  SHA512: df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067
- Filesize: 72B
  MD5: ec0dbecd45c4b52a19460027bc751a8b
  SHA1: 38b9081c77baffd7b1dca9c1d6fe998c09ccde34
  SHA256: 3dbf88586f8d6fcce82ede57e84d0b3d165472b592a9006b569a5e992ed22e2a
  SHA512: 9db067578a15f0abf5ec48d75afeb47ef5e84299adcae878bd8eeeea5d5725bf9558c404d406ddee705407c5a65c536d5e1b5c90d68ba437d61e872a13090242
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 96B
  MD5: de25e7319e278df1c1f9fb1a793e4c7f
  SHA1: 1fdbda913dac3af38a6180a2624881d0ebcd3c87
  SHA256: 8247384525fd4a1eec531f58f59b9fa982dcda39ec0b16d8a25404b4bb64249f
  SHA512: 4baaefc98d93cef06c8d433bec777cf7e3e210ebdbe39ed322e0fd2e88fc274129967f293c2a06564fa9efd27b5622daeec0bbd26b85b7e3a3f6a298498149f2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 96B
  MD5: bb194fe94b9886bac2b2946c286f4586
  SHA1: d7479f2679d9666a0cd798b67eb2bf09dd87ae07
  SHA256: cda7454b23a8d99c095e21063722fe3ce67b228b46b4e64b7f30b5ff16a7671d
  SHA512: be60c0e8a210c3c94fea52d0300dedc5e721304526b83d5524862ae38b8629488d919e0be273f24fde6efc60824ae6b99630b186bf1b3b6800429d37b88d0810
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 96B
  MD5: 9f3350467e1c949332cac6619399e0de
  SHA1: c5309e6424e22e7d22b15400511ad212931b91b6
  SHA256: d30068b6e21f5e39c91ea43d6b05abd3227d3d1d9914d0cecb1217be27e73161
  SHA512: d0cbf56b783179accac599bbcb0a9667558ac0acfbefd513139fee53a3fb9934ac57aecbf96ef57aaa7129dcc72f69a25d54f6cb9d0643742c0670bb1e517b53
- Filesize: 786B
  MD5: 9ed21920e34f5578b277d15992db29e8
  SHA1: d4bfb21d96e049a34c951b4cacd7a6ef7436532a
  SHA256: b98ca653a6cdcc0d85bda88a8eb13b16ac55fdebb2d93c9ac1faa20d5ac2a0c7
  SHA512: 6c477e24b150421ac06405caf7ef1b9b14cf00ae66e7e02ea7ddc8f550cc1912f902457380eb2a93310b649d95b7dcaa8b43e520e16077991370041e806ea726
- Filesize: 6KB
  MD5: 1b631bdbe39d819584cba18bfef76106
  SHA1: 00e9036b5611c0b02237fe08bd22a74ecf43e29b
  SHA256: b123b145558426aa7a93f8fbb807d7809049b66b896cb0ca8face95c95394b3b
  SHA512: db04c1281ca45beea0ee19ba2de2003b0676f5222f822aad6459457fa5245ce14c68a2b2c5b187005e326d668c8f50c2c0412577661d1e066c6471353789335e
- Filesize: 5KB
  MD5: 7fbe89d91d297f32f6612833545eb81b
  SHA1: f41129b8824b35796b10a2718d6b1575b20960dc
  SHA256: 20a55d3de2553a7ed9049fdc162f195ab0d41e9bf6f4c314d4e446badd99b000
  SHA512: dab1e693fa225ea03600e080dc860811bf1a3c9ed8fb39f691695602f56ba3ee33cb410716aaeb9d11dd17f4d5a6a53b63272860f0390300483a2766f0871f36
- Filesize: 6KB
  MD5: bd1d6f390b03f277a4604f409bb9eea9
  SHA1: 9ac027f217a9d801936a102f753d10118823df9c
  SHA256: 0d69046acdd5cc3aee969950c40005b71b8c054758ed5abeb4e8e37574a826dc
  SHA512: 0c65735689242dda53695c50ad4afb45f14aaa01798a6dd93d591185b311eae2c121847522370ca748d694065577705705e5d4610881af47ece3ddcc478db918
- Filesize: 6KB
  MD5: 2ba6eca326ef3df5b1460d1ed17ee2cc
  SHA1: 651b321525bbb0d21e8828c539ac49b2ec0c75bd
  SHA256: 131daa8683ec6846fe4cf37969b86d3750b8a2882f97bb081e7802a199f6775c
  SHA512: 81415dcfeabfa30df8ccda4c5db60699879113700a2bd6b03cbf2e0bb821b8d63cfd62b9b29a85d667a3a5dd6775672efb1258fd3d66147c3aa88a0d7d209334
- Filesize: 6KB
  MD5: 0f561984ebed71fefaf518afa0d64bb2
  SHA1: c25dd7329c1d34ffe7b9454402e7c47c0aa4cdd4
  SHA256: 2b8c7247f7b49c068a26e3b4785a51996468de279a522efeb9a5f6f0fe158197
  SHA512: c0d69a3b606e5d502f04f5f11c7b84930f009a5d2f18909d21abb56c1e58833ad9747c4cf2480b02c5bb8f67a51191ff3b807101ce1444f389a81f1dbde873cd
- Filesize: 204B
  MD5: 7da512e74bc3247f797bedc140fa4b4d
  SHA1: 7d84213ec4c093e6d21503eaf71be2d8f5432662
  SHA256: dbb5427a45f711635f1134ec643e704d3e0fe7df7b27ba83314c42b5b0d78b58
  SHA512: cc72a76c125c2c0bab82db6166dc50b67e07695239645490036ed4fe2ada28169a673fcb22a01b9c0c274ea7c4292d75283795bbcf3919865ac51535f3aa65a6
- Filesize: 204B
  MD5: 4a368f37f721cfcfe6e178c51a7bf5b7
  SHA1: 25188a1ef1ad30e770400b343d4852ed74c1cda1
  SHA256: f4dedd3685c858292d978d272e684c35277dcfa67e147594c610a6d37913d112
  SHA512: 21fce5b52df965e9c2ab1d01a53a10646f518d1a6a5b4a13410263ff95407f76e4ca20523f486e4ebb7dd42906030d5f6a275b8820a2335ebb5e710ac456b610
- Filesize: 204B
  MD5: f53d061786ddadc4cd8c2fdf2fddf5aa
  SHA1: 33fc0bc6cc67f04449c2e84654f285a92d6a60fd
  SHA256: 74a3cce2b5092545df089446111e0b383f14c9f4d4d4e2bc9c0220e2949494a8
  SHA512: f44fd79e0999b142deffd5c7c344a3c5cb86a982ca054fd0a4afd6e8912a078a063d1ce7f9a60487a2075abdaf2e1342a514490e5a87edf011f297c986a2d720
- Filesize: 204B
  MD5: 8cc14ff9127fc811e0151f55f34d4681
  SHA1: 7b6a38715c50dbe3656569aa3ca68e3c723349ee
  SHA256: aba0d8827e15281c3eff84ce54a563c725f419001362337943b40af3f7d91613
  SHA512: 9449d6908aed8f29d19de3c0b6ba4b893864398dab8a7515187101544c3be71effd607852803fb8e5291db9e37535f1b64db8d5a61c312cfd99a05253b67337b
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 218B
  MD5: afa6955439b8d516721231029fb9ca1b
  SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
  SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
  SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf