2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
85s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 08:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Memz.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Memz.exeMemz.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Memz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Memz.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

Memz.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Memz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Memz.exeMemz.exeMemz.exeMemz.exeMemz.exe

pid	Process
2312	Memz.exe
2312	Memz.exe
2312	Memz.exe
2312	Memz.exe
2312	Memz.exe
1840	Memz.exe
1840	Memz.exe
2312	Memz.exe
4896	Memz.exe
4896	Memz.exe
2016	Memz.exe
2016	Memz.exe
1084	Memz.exe
1084	Memz.exe
2016	Memz.exe
2016	Memz.exe
1084	Memz.exe
1084	Memz.exe
4896	Memz.exe
4896	Memz.exe
1840	Memz.exe
1840	Memz.exe
2312	Memz.exe
2312	Memz.exe
1840	Memz.exe
2312	Memz.exe
1840	Memz.exe
2312	Memz.exe
4896	Memz.exe
1084	Memz.exe
4896	Memz.exe
1084	Memz.exe
2016	Memz.exe
2016	Memz.exe
1084	Memz.exe
2016	Memz.exe
2016	Memz.exe
1084	Memz.exe
4896	Memz.exe
4896	Memz.exe
2312	Memz.exe
2312	Memz.exe
1840	Memz.exe
1840	Memz.exe
2312	Memz.exe
2312	Memz.exe
1840	Memz.exe
1840	Memz.exe
4896	Memz.exe
4896	Memz.exe
1084	Memz.exe
1084	Memz.exe
2016	Memz.exe
2016	Memz.exe
1084	Memz.exe
2016	Memz.exe
1084	Memz.exe
2016	Memz.exe
4896	Memz.exe
4896	Memz.exe
1840	Memz.exe
1840	Memz.exe
2312	Memz.exe
2312	Memz.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskmgr.exeMemz.exeMemz.exeMemz.exeMemz.exe

description	pid	Process
Token: SeDebugPrivilege	936	taskmgr.exe
Token: SeSystemProfilePrivilege	936	taskmgr.exe
Token: SeCreateGlobalPrivilege	936	taskmgr.exe
Token: SeShutdownPrivilege	1840	Memz.exe
Token: SeShutdownPrivilege	2016	Memz.exe
Token: SeShutdownPrivilege	4896	Memz.exe
Token: SeShutdownPrivilege	2312	Memz.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe
936	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Memz.exeMemz.exeMemz.exeMemz.exeMemz.exe

pid	Process
848	Memz.exe
2312	Memz.exe
4896	Memz.exe
2016	Memz.exe
1840	Memz.exe
2016	Memz.exe
1840	Memz.exe
4896	Memz.exe
2312	Memz.exe
4896	Memz.exe
2312	Memz.exe
2016	Memz.exe
1840	Memz.exe
1840	Memz.exe
4896	Memz.exe
2016	Memz.exe
2312	Memz.exe
2312	Memz.exe
4896	Memz.exe
2016	Memz.exe
1840	Memz.exe
2312	Memz.exe
4896	Memz.exe
2016	Memz.exe
1840	Memz.exe
4896	Memz.exe
2016	Memz.exe
1840	Memz.exe
2312	Memz.exe
1840	Memz.exe
2016	Memz.exe
4896	Memz.exe
2312	Memz.exe
2312	Memz.exe
4896	Memz.exe
2016	Memz.exe
1840	Memz.exe
2016	Memz.exe
2312	Memz.exe
4896	Memz.exe
1840	Memz.exe
2312	Memz.exe
1840	Memz.exe
4896	Memz.exe
2016	Memz.exe
4896	Memz.exe
2312	Memz.exe
1840	Memz.exe
2016	Memz.exe
2312	Memz.exe
4896	Memz.exe
1840	Memz.exe
2016	Memz.exe
2016	Memz.exe
1840	Memz.exe
2312	Memz.exe
4896	Memz.exe
4896	Memz.exe
1840	Memz.exe
2312	Memz.exe
2016	Memz.exe
1840	Memz.exe
2312	Memz.exe
2016	Memz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Memz.exeMemz.exemsedge.exe

description	pid	Process	procid_target
PID 5020 wrote to memory of 2312	5020	Memz.exe	86
PID 5020 wrote to memory of 2312	5020	Memz.exe	86
PID 5020 wrote to memory of 2312	5020	Memz.exe	86
PID 5020 wrote to memory of 1840	5020	Memz.exe	87
PID 5020 wrote to memory of 1840	5020	Memz.exe	87
PID 5020 wrote to memory of 1840	5020	Memz.exe	87
PID 5020 wrote to memory of 2016	5020	Memz.exe	88
PID 5020 wrote to memory of 2016	5020	Memz.exe	88
PID 5020 wrote to memory of 2016	5020	Memz.exe	88
PID 5020 wrote to memory of 1084	5020	Memz.exe	89
PID 5020 wrote to memory of 1084	5020	Memz.exe	89
PID 5020 wrote to memory of 1084	5020	Memz.exe	89
PID 5020 wrote to memory of 4896	5020	Memz.exe	90
PID 5020 wrote to memory of 4896	5020	Memz.exe	90
PID 5020 wrote to memory of 4896	5020	Memz.exe	90
PID 5020 wrote to memory of 848	5020	Memz.exe	91
PID 5020 wrote to memory of 848	5020	Memz.exe	91
PID 5020 wrote to memory of 848	5020	Memz.exe	91
PID 848 wrote to memory of 4272	848	Memz.exe	93
PID 848 wrote to memory of 4272	848	Memz.exe	93
PID 848 wrote to memory of 4272	848	Memz.exe	93
PID 848 wrote to memory of 2484	848	Memz.exe	100
PID 848 wrote to memory of 2484	848	Memz.exe	100
PID 2484 wrote to memory of 3748	2484	msedge.exe	101
PID 2484 wrote to memory of 3748	2484	msedge.exe	101
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102
PID 2484 wrote to memory of 2336	2484	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\Memz.exe
"C:\Users\Admin\AppData\Local\Temp\Memz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb12fe46f8,0x7ffb12fe4708,0x7ffb12fe4718
      4⤵
      PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
      4⤵
      PID:2336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:2044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:4088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
      4⤵
      PID:740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4208 /prefetch:8
      4⤵
      PID:4972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4208 /prefetch:8
      4⤵
      PID:3632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      4⤵
      PID:2924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      4⤵
      PID:5256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
      4⤵
      PID:5264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      4⤵
      PID:5452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,13590628799089521639,7788479621958017133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
      4⤵
      PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=what+happens+if+you+delete+system32
    3⤵
    PID:5604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb12fe46f8,0x7ffb12fe4708,0x7ffb12fe4718
      4⤵
      PID:5616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1360

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dc60aef38e7832217e7fa02d6f0d9f6

SHA1
4f8539dc7d5739b36fe976a932338f459d066db6

SHA256
8a0ee0b6fafabb256571b691c2faf77c7244945faa749c72124d5eb43a197a32

SHA512
18371541811910992c2b84a8eae7e997e8627640bdb60b9e82751389e50931db9b3e206d31f4d9d2dc3ca25ea3a82c0be413ecb0ef3ac227a14e54f406eaa7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac03b15b68af2d5cb5c8063057cc83e

SHA1
9b2d4db737f57322ff5c4bbddd765b3177f930ab

SHA256
b90d7596301470b389842eecb46bd3a8e614260b0d374d5c35a36afb9c71a700

SHA512
a5e9f40dd9040803046b0218fab6b058d49e5e2a3ada315e161fe9fc80ebb8d6d4442ccc1c98d19e561fc7c61bcf43d662fe2231cacacb447876a2113c2e3732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70c9f2ca7b331c25056b4c336f256cdb

SHA1
6b798d995bf9e139e9614913a96fcad788724e54

SHA256
238e28c3c1bc63c84dd409b4527aad8a701aa5cdd4edd665e6a5443f5abccac2

SHA512
93cd69f8369d16da3185021761b7f4dc719a1c36ed27480d32ffc8cb1a5a20e6a7193926640a398ffc01340f8b892a4b36417ca8b3ee6fc4968fb3f510e58865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb9631e8d35487e3c11c014152583e8c

SHA1
7b50a16fe2bba62c31d403b133200dd21c89ecf8

SHA256
1e2597d7f255318b00342bae4d397a74ed93668e69a811ef6e9a72efbd7b6345

SHA512
2451884388dbd174d2d4b549894efa4d7cef9289789d4020e030552a9a1d4c4cdfe322a4be581006bded98c6ef7434bdf958c235bf13f25c2c02283d7680498a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
05836d7f80bc587e9afde68ae652595e

SHA1
182da39c9af6379aa206081b1a90fa2d67ee5d5f

SHA256
eac54c97544303400064db552ba0d5251d05e6e2c862d7a4fe7ff50c7f25f394

SHA512
fce8ea6c453cd213b6df2bed234cf6b3d93c69aa496d1b202bfa669be78f6bc8f18d7580553478d1df251728c856fb90da64173934209da0a19e02489aa57660

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_2484_MJAHWAMLRSORULKI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/936-40-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-50-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-49-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-48-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-47-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-46-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-45-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-44-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-39-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download
memory/936-38-0x0000021273840000-0x0000021273841000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads