hxxps://pastebin[.]com/gU4Zj4SD

Resubmissions

07/05/2024, 19:43

240507-yfk6qsfa24 7

07/05/2024, 19:40

07/05/2024, 19:35

07/05/2024, 19:31

07/05/2024, 19:26

07/05/2024, 19:21

07/05/2024, 19:16

07/05/2024, 19:14

Analysis

max time kernel
261s
max time network
258s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07/05/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pastebin.com/gU4Zj4SD

Score

6^/10

bootkit persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	raw.githubusercontent.com
4	pastebin.com
55	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Bromine.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2994005945-4089876968-1367784197-1000\{978FBD97-F620-464F-885B-AF6CA692EE2A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bromine.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
1928	msedge.exe
1928	msedge.exe
4688	identity_helper.exe
4688	identity_helper.exe
1484	msedge.exe
1484	msedge.exe
1752	msedge.exe
1752	msedge.exe
3292	msedge.exe
3292	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3916	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4384	1928	msedge.exe	80
PID 1928 wrote to memory of 4384	1928	msedge.exe	80
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3668	1928	msedge.exe	82
PID 1928 wrote to memory of 3352	1928	msedge.exe	83
PID 1928 wrote to memory of 3352	1928	msedge.exe	83
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84
PID 1928 wrote to memory of 4928	1928	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/gU4Zj4SD
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x84,0x10c,0x7ffd82603cb8,0x7ffd82603cc8,0x7ffd82603cd8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,3926494614251224144,11123617114950611022,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:340

C:\Users\Admin\Downloads\Bromine\Bromine.exe
"C:\Users\Admin\Downloads\Bromine\Bromine.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:4040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9116da7d-8d5a-436a-b8a2-eabd303755bb.tmp

Filesize
6KB

MD5
1e02c49857a6744449add016e17b7aa2

SHA1
f5b707fcd7cddbb07c6a9e79618d13c34b5b75d4

SHA256
4b9ff8c86ff71d953efe2ec01becf68f9a04344288809b6c4485f254dd00d689

SHA512
e6b3e307588617d23b8888c218de4f7b6f9d1ef43caf95ce13aa14f777dd094b7f0e9d3c795910b6450078532d2aee164da9d47acc59ccfe71a60d8593549a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
37KB

MD5
c912655c8d691e1a190dbec03d14e653

SHA1
a90a6ea007e121441a0d9c48ea4073a635085f6b

SHA256
35e5f055ba3fc9eb6c89884d533f5484fcb335d0e226145d7ea7a6a1e2da6fae

SHA512
c606bf2711a2be266c69a702d60bbc0d66dc6655c88dd669932f9c3954941a44d6a09e25bf60272ba5e0ba09ee65f4a3d8bd33a215ed2eb76ed601f06fa984d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
1.2MB

MD5
25a7f8dea0207366b4b9d77569ff6f78

SHA1
57a20ac66704e6b2766c6946fafdec22f47ee79d

SHA256
502a9f82d39ef6fca4b4fc1bfd046b9736d8e232c8b1562eed0ca62d149bbfed

SHA512
db300662a1a49ae8417fb013462fc62ab20351c9c458cb60b0b22ec89c1cba410ae03301cefa6464dc58ed332ceb8a2d67eb6b8078c7f2127729594126133024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
2deed3d25012140d804ee166ab841325

SHA1
c0502903571d1e0b2b9c3c52e79a22674887603a

SHA256
745dc4411e8c832d880eeb2a84822f2d9d4e34949fd7c5c6dfaa61a45fecd23a

SHA512
f3039153230578fba2118617c3e28a1c7c840760f710c121e7d123c60e35fda283f26420897a7487217e8b55ed06f521b43036cb4dfe4980e9a87b70b7a937f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1d1a9ac6a9474cd94eeb2cb87e695530

SHA1
ed06e913314211cd124aa431f658c0bd3d45241c

SHA256
d5c13d9148d4bee5508b3398b44afbf59bd61f213f857b58f4fe0405b2647bd3

SHA512
65cfba7b7ec27dcd284a0b22f494462fe2c62c6cf37a8e47ec1bb26aef96e8fed30bd78c1e4d64978a1f4165bd46e5c4c7725b148a6ef87318f878ca7e30278d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b092e7950401c66e5c6ae1327d28fe6b

SHA1
6c8db074a773479db12e6c897afe3d421f99f493

SHA256
b841f75ac35b9b3489ea3a598f1a4b865c21c4c00a5c41ec4213d4bc8b5f9351

SHA512
e600a30eaf15aff44e7ad86e70ed979edc1cd42d632b763c81c5d2cd1e6c277eb3ed92e65d47ef28ee72cca484643440afa1ba48ce27c5d1f0043bc59c7e3754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c71911736e517ec5d95838c8cc0aed6d

SHA1
fc515277d2c158bced6fe3afe1cc7157169ca093

SHA256
5b0eee81dbcbefa898e2b4b01b883e78f18321f38aff0802c2ccb4ded4faef1d

SHA512
5b73b13ca818e47e1ebd92d51a2d5adf4e41a0a5781710ab471169d4793ac0e019882d5860af31f6a92a408d1890fb101a6d1095ab8abfaf9362f7e946318a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
733776b4874db233993ddfa7569bde45

SHA1
97955e19f7d8bf1b50b14f61efbe92f1a643e288

SHA256
05a1732a5dc1e396814dc99099e0d90cda7dce9914f09f35f7e4a6bc37411d9d

SHA512
974c49cb5bfe083d3a922412e51597cd9b73924f6dd2868530fe8b3b9472e31406ecda20e595089dd08ae99ea5887424bc62501345bd3f4ba8a480d4b91175ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34093f3f9b028114576b8caf3914f7bf

SHA1
d00deced7c73549ab9f8941b7bd28b70924f2320

SHA256
c5a8b505f11f00d34a7874f0408fbf6057a192dc1b8f58f0098a785b475db823

SHA512
4a22ece57cbcbc7a9a755079eac316e59a2aedbd9be700547816e06e846e04441cea53b48cb00fc2a01fc3a19df8241decd30504eb27ccf77a71757fd70793ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
872f7ab94e83e444d1024efd4c7eedf1

SHA1
d18a42638ea6ee11eef6eaa6293f170a3818ec00

SHA256
4df424c553793511ca650ecb0974c455a0711957d4870ce1165010ccc34a10c5

SHA512
87bf59b4e7c607dd2ba28b2c99c553221142288ba41a75751433f4fa7dea7c07f61ae829ffa947252429e7a78eafe1fac64d11701d166a7cff16ff4c854b294b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6818612b3fae9104a4d98c600d560981

SHA1
c8d64f8624dddfc05ef1dcfe258d510924b3d6be

SHA256
4da2fa4203800132451e9c894fda12f0fabd7bee1fdf740e45cadaca17cc5c56

SHA512
239c3f081ada01950311e9e98b6ac2779c894bd00eba79a504481b5f4aae4685058248505945c36017dbfc3d7bbb8e784ff5395e8730772dab2d27d036c79d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6a70fb48bc3a19fdd44e3311ac6b9e73

SHA1
acd22443a6f25e1a17cbd50d3f32bac143e67dec

SHA256
4c6c6deef774b0ce63de1d219c7561dbf61cc2e7fc809b4108fe9f6b00517610

SHA512
13d800e37afd5287837c445da0b472f61f6f96090c28ba6a021f635aef65ea7a854384220674c99fe09c2cc031cdc16a293a7a202646693daa2861e235b9071d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
c8fc2379cdda3b9b369a2e8b5f14b67c

SHA1
51227c9f424ff4553cbe1e4f4a981e70a23a71e9

SHA256
94fb8b566b0036edb68ed06f9c9333c9266b34f32b5dd8e242b3d8862354216c

SHA512
3672a3ad598c89cd3c4d4e29b4fa4646fc9c23735fb17f848237f0f81bc08356ea0dcc3d1c42dbba3a18d9a661237faa010f216a31a25e4a7d91829bebda80ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e10d233d6edfed329c0a1b225051191c

SHA1
8a24b0c9c56b9d48d35e4ede9127458039199dec

SHA256
725191d839a32b56a4ca89b3fe3a93e0b478600a3c653fdda33fc2aedffa08ea

SHA512
aa71d2fe2e6829651ee6f8bc41ee40fdab1a971779b4d28565d4bac84cca3788c7f88dd76e528198e461b674035184ebefd950cb6758ff89b7cc9080aaa82265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e7a835f9250fd74f3acb2dc2723fd89

SHA1
69fefa1de7cb5f44eeeefd7c7856ce6aa33fc329

SHA256
e5d0bafec784862f1bf1db5b609399bbfb899adf05d73290e7d62d3cf8c3a14d

SHA512
059807ada202cd9513ee5e03c1f03d11b7049d057072b288936f55a10abd563a1fa012469de26b8cd0e532d8dacbab43800f0acdc01eda05a8e8b19b5af151a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
90f9cbca4626eb0c56b9ce300c4e7aa3

SHA1
f015012f29b2e2b5375e34f02a0f087cc0b64f40

SHA256
9824be50262a3ef7e5ffe9781a52469c4d87b3283b1910e609b800307bf2b0e9

SHA512
c5462014ebaf9469db16280ff1cf3a12c1f4e554f3f18d0da9fa61bcf81949d28abe29a10e2449f252de419469bcfcb257dc5d123c87c1e9bf5adbcfac63fdb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e985.TMP

Filesize
203B

MD5
a5ff9d8f472661e1a29e2371b779e879

SHA1
3f3b671198dd5606c8fd1c29d04e9f810c5fe0ff

SHA256
a6c91ad82492268443e15cc5daef7330825efd213a3c7855dc4199a8a257f04e

SHA512
f06fe12926ced74650c978b006eac096c414fd5471dc9528b40b86106386d89db335b69558a0a05a5e2089a9f5e4bdd98b075ced3daa7f09657aa08b65da3dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c61cc02550ffbbb59a5279cc1829dba6

SHA1
86b6e143294263400181286897f18625fd39e5b8

SHA256
819f410205d0f4524004a73f8713f83eb686fe90f2bde30f9f20ab79e106ea7c

SHA512
c4d6a988d396e02f209ab2f4a9a845e4bafafeceff7ff806b028bcd812f1539f5fbb205444be863cc9ea0a06371d5d7337df3af01769a3bea87a79e655f2efc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
68d786648e51a04fc141ad16e566e387

SHA1
b83b3ae4bb659a6ef527108a1109860f49241256

SHA256
cd36c403b9924948f27ccecad23a8db6a6e02291ad5e9a8467c71d8cf1c0efef

SHA512
cbe2eb34b303b335d79cfa5b0a294e0fc762a498d25d03afab8dc0fa3a0698821c67d6c11da5acc92ea60f0fb07433439b2624ebe03e4a33ea7d6d76dbc07c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
92c0e3e38e7202e6797c0b89ccd3a122

SHA1
72e1f123e0a181cb97de5c75ec8b31c4df693da2

SHA256
197827220a9018d31329e3a5fedd7f1dcccedbf244b94cfb693d4d7b4ac96f96

SHA512
b920452bd593e377addd60bde888ba4f712fede67767fb925a88f0755e4be0eb407828ea00e37e724b0d0bfc13271ba3a96dc95131833eb6c28f97020d8f545d

Download Submit
C:\Users\Admin\Downloads\Bromine.zip

Filesize
1.1MB

MD5
9eb092da74453fb30dd4baf25d038fc0

SHA1
c2eaab9115929f841f1c60a641a1987d04ada92e

SHA256
471ffe0849ddef6a32aa39d2f3045da9d4a28e27bedf5d0793008d633ee97983

SHA512
e3aba3d9aac0f872efb721adad85f8376e3b5039de4620e886e01a50d6f248d5fdb7b5b186eaa9142157b6da482779c983690a3467ecdee98fbf76ff809afd44

Download Submit
C:\Users\Admin\Downloads\Bromine.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/4040-728-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download