3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

25-05-2024 19:39

240525-ydcftagc26 10

25-05-2024 19:31

240525-x8n8esfh98 10

25-05-2024 19:28

240525-x64kbsfd8z 7

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 57 IoCs

Processes:

mmc.exe

description	ioc	process
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mmc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 2 IoCs

Processes:

firefox.exeMEMZ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
4732	MEMZ.exe
4732	MEMZ.exe
4732	MEMZ.exe
3992	MEMZ.exe
4732	MEMZ.exe
3992	MEMZ.exe
3992	MEMZ.exe
4732	MEMZ.exe
3992	MEMZ.exe
4732	MEMZ.exe
2332	MEMZ.exe
2332	MEMZ.exe
3992	MEMZ.exe
2332	MEMZ.exe
2332	MEMZ.exe
3992	MEMZ.exe
4732	MEMZ.exe
1836	MEMZ.exe
4732	MEMZ.exe
1836	MEMZ.exe
1436	MEMZ.exe
1436	MEMZ.exe
1836	MEMZ.exe
4732	MEMZ.exe
4732	MEMZ.exe
1836	MEMZ.exe
2332	MEMZ.exe
3992	MEMZ.exe
2332	MEMZ.exe
3992	MEMZ.exe
3992	MEMZ.exe
2332	MEMZ.exe
3992	MEMZ.exe
2332	MEMZ.exe
1836	MEMZ.exe
1836	MEMZ.exe
4732	MEMZ.exe
4732	MEMZ.exe
1436	MEMZ.exe
1436	MEMZ.exe
1836	MEMZ.exe
4732	MEMZ.exe
1836	MEMZ.exe
4732	MEMZ.exe
3992	MEMZ.exe
3992	MEMZ.exe
2332	MEMZ.exe
2332	MEMZ.exe
3992	MEMZ.exe
2332	MEMZ.exe
2332	MEMZ.exe
3992	MEMZ.exe
4732	MEMZ.exe
4732	MEMZ.exe
1836	MEMZ.exe
1836	MEMZ.exe
1436	MEMZ.exe
1436	MEMZ.exe
1436	MEMZ.exe
1836	MEMZ.exe
1436	MEMZ.exe
1836	MEMZ.exe
4732	MEMZ.exe
4732	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

6660 mmc.exe

pid	process
6660	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

firefox.exemmc.exe

description	pid	process
Token: SeDebugPrivilege	5660	firefox.exe
Token: SeDebugPrivilege	5660	firefox.exe
Token: 33	6660	mmc.exe
Token: SeIncBasePriorityPrivilege	6660	mmc.exe
Token: 33	6660	mmc.exe
Token: SeIncBasePriorityPrivilege	6660	mmc.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

msedge.exefirefox.exe

pid	process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
5660	firefox.exe
5660	firefox.exe
5660	firefox.exe
5660	firefox.exe
1536	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exefirefox.exe

pid	process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
5660	firefox.exe
5660	firefox.exe
5660	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

firefox.exemmc.exemmc.exeLogonUI.exeMEMZ.exeMEMZ.exe

pid process

5660 firefox.exe
6600 mmc.exe
6660 mmc.exe
6660 mmc.exe
4308 LogonUI.exe
3992 MEMZ.exe
2332 MEMZ.exe

pid	process
5660	firefox.exe
6600	mmc.exe
6660	mmc.exe
6660	mmc.exe
4308	LogonUI.exe
3992	MEMZ.exe
2332	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exemsedge.exe

description	pid	process	target process
PID 1972 wrote to memory of 4732	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 4732	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 4732	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 3992	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 3992	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 3992	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 2332	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 2332	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 2332	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 1436	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 1436	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 1436	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 1836	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 1836	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 1836	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 4984	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 4984	1972	MEMZ.exe	MEMZ.exe
PID 1972 wrote to memory of 4984	1972	MEMZ.exe	MEMZ.exe
PID 4984 wrote to memory of 1180	4984	MEMZ.exe	notepad.exe
PID 4984 wrote to memory of 1180	4984	MEMZ.exe	notepad.exe
PID 4984 wrote to memory of 1180	4984	MEMZ.exe	notepad.exe
PID 4984 wrote to memory of 1536	4984	MEMZ.exe	msedge.exe
PID 4984 wrote to memory of 1536	4984	MEMZ.exe	msedge.exe
PID 1536 wrote to memory of 5044	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 5044	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe
PID 1536 wrote to memory of 3348	1536	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98e1b46f8,0x7ff98e1b4708,0x7ff98e1b4718
4⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
4⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
4⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
4⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
4⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
4⤵
PID:524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
4⤵
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
4⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
4⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
4⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
4⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
4⤵
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
4⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
4⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
4⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
4⤵
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14562866965674807626,12515228228670731678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
4⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed
3⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff98e1b46f8,0x7ff98e1b4708,0x7ff98e1b4718
4⤵
PID:1892

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
- Suspicious use of SetWindowsHookEx
PID:6600

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.0.1890839742\1546677477" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4726d4c5-5b3f-4626-a939-44dde72ab0c7} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 1848 22d4070ec58 gpu
3⤵
PID:5876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.1.306623089\85078832" -parentBuildID 20230214051806 -prefsHandle 2436 -prefMapHandle 2424 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ead6002-3858-4585-b785-87043706f8c1} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 2464 22d33884158 socket
3⤵
- Checks processor information in registry
PID:5944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.2.1560272154\869837098" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c37bd58d-5b79-4622-9d9b-8527949f9724} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 2984 22d42dd6e58 tab
3⤵
PID:6092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.3.170247166\138756940" -childID 2 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1b61ac4-c8f7-4b3b-8009-1f0ca70f8085} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 4240 22d3383ee58 tab
3⤵
PID:3328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.4.696323625\499854828" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5028 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed13cc4d-953b-4dc9-9346-5966e0e138f7} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 5128 22d47961558 tab
3⤵
PID:6032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.5.377209984\970821862" -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bbc07a4-d1c7-418f-9cad-9856323b42f5} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 5260 22d47963658 tab
3⤵
PID:6060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5660.6.448210298\325103097" -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67985829-79dc-40e8-89ac-17fed160ee36} 5660 "\\.\pipe\gecko-crash-server-pipe.5660" 5556 22d47962158 tab
3⤵
PID:5484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
d608e8bc2f940641952bd68662a9e834

SHA1
81577fc792d39e6a89e340d66570c215dec2f413

SHA256
750b7e7828bab11e716cd15547441e03c5fc07ecde173f523c5c8225afe6d945

SHA512
2db3cc193e0837b8e35e214046c4f02e4d21d52c7b660696a8bdcdcb8caa30e5d42a2305132ef7e7c8365fb0b67ae5378cd6125dbd339a1b6b84cdae1f2b4b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
815B

MD5
86fbaba6b24b4bd42ea9d515b8e43989

SHA1
893a38ca9924bf51a68daad80c11046cdec21b49

SHA256
8c46fa47727dd5759f9803be8dc32158ae879df7a88e6b2e9ac6dbad4d8f3880

SHA512
f30267f60de0e810f29960bc85197a58685865a87ccbbe4af0fe34e4d3a7f8669e40e8a8bdab513d88ef18c785f3a91d6eb3c26fd318866726d21eea2173bdc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7ab3c34cc3da10c3e0db87aecd335774

SHA1
3ce82f95ffcade58464a2dfb60a79e53108f2d06

SHA256
be081cd6cfe6fd175ade6c24277441f7bf575a20dad4e6351eaeed84f859c64d

SHA512
83e60feda724ec694b6fd5460593ec5fa46c2ada424cf459eba8bb717ce3640b35daae1825f26b144b05a4d3f2a08f25342cf7ce2c79ebe895e782ced4f97be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b0e15996cbdbd330e52fc2278481e4c1

SHA1
9b541d5cf8160a6d4a237853fda79622b5fb146a

SHA256
d1e47043ff054c329465c55c94e0d2212b8f3c9add6662cc1bc660a28601be71

SHA512
02667ea030c57161088ae8d9d93c959e4eaff04a03b1ac3b9e34720e1e809f8e5699bdc8a38ba4b98d477b9b542c2794186374e8f3f43b890e8382223d8b0026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
aecc05022d44394ebcf34df92275af8b

SHA1
17959501094a875b8da5c0f1105d9fc609fb0cda

SHA256
e792f77e59681429321b4fd068f2de1dd02eb2525cae923c232f7977588f1b9f

SHA512
a881700975e0f336673d1ad71d7618996aa54606a100c271ca5be069dbc2be179e19c63b0d69cb4823f53dd8bbb98d481d14afa6748e0b4861165484a05d7671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d8a1a5c68e602f7559aaaa1de43d8088

SHA1
97c78a4b6f1beef8bd6b9eb0af43ebfbac5619df

SHA256
779bddefa3ee8155f081acbba429fb7f11f74e20e8d22953ad7e8d5f5f57a434

SHA512
2f0eb8a7ed0cd65e7a94b4a3f41568537e5afb836afc97c5c07a1bd72641114686ee22d729c48e228fce1ea74f3acdc96c5332971c3a12bcece534af91735518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d512fd324406320b44e0c78f0dd3e7f2

SHA1
e7690041691cb3e2853a81629f0d2b13d6595e05

SHA256
84f1de9a7af3d7f0519f1ad117c080354e57fd1f79137022e265b2336732c827

SHA512
7f159f9bed48554e64c8643e4946018d8a964aa70990415725693bd4ededc7afcbac30e0a152e85ba6614ed88bcb4c378bf7337193d3425e165d03c36d999dad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
4c179d1893d8de07dc1998029927de08

SHA1
af638097ce8ce51673db8ed11d377102c14f2c6d

SHA256
95db1a949897b7b625d1a212c6b6442c8950eb3fb1d78f2475eb8c86cb6ec9d3

SHA512
5c5b10d98203130342734acec39618806936d122f566b7f2758a7dd37ef9ecfbf8c76ea760a803d09bfb71bbe2af26b3ac8ca530d57c66d688a4613688744cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1be365f0b5066c169d11fb8723415759

SHA1
9ce0f0a132eeef316f6e2bedb2222b1ba265f5be

SHA256
e0cf320922dc5c0f3b9bdf15388b63d5e760e9c3a118efa6a47bdef227db465e

SHA512
de7c92e414790185f43868cf630c3953ffb63bab549e3918e097b1c0c93a4e58cf4b7c47558fa6723371dc919edf8f031f6cffda36738d1c4f40853778ce6a85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp
Filesize
25KB

MD5
4a6175c2fb38c5c84781378a3c675a1a

SHA1
125e538b72afcaeed18b6b1220d3dc28c2225859

SHA256
64f6e996e3fedd01f6e753a0fcefcc2a0813ee8b46b9490f1763e6e0bfec4332

SHA512
3198d46af4c91ad4fdacffff92d19af362a583abfc1f24776b296188ce4212a619a0e6203215634499848a3504fe649f102c6576f093b0151336ecd56ada8fb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js
Filesize
6KB

MD5
7528000a8aaa8ae61b9acb42a5e3bfef

SHA1
f234fea8371e504dadfbeaa6c1e29e678ec89460

SHA256
84fb6de0c434013c496ea03b6945a145c2afb0fe96f991e711c085c96bf353b9

SHA512
f6ba1119553dbb3c2c907fa2c84e2af29e292dd6aa402918469c76d884bd8a4ab714da2305016899a823377a280b0508db91c3ddda7f77f29d0c3ea47de9d5f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js
Filesize
6KB

MD5
b3461e0a274131835e8633ebbf381411

SHA1
ce231f20de97602b7b98623b97bd36d6892bddcb

SHA256
28c16bbb0d7475dcba6a88aa9fe5111698458f5f02b8194dd8fe3afee75e6649

SHA512
9af2c7e687dca270a61c082842a44225a19e7d630dbc6b6e90a23d81bdccefdaaac0023708ac2c2bd48e379855ff7d212a66e51746eff18b93ee0c3fabce1292

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
e7717defccf2de895b127af893287661

SHA1
02b511d757a4627c387c6c15bb81a2806fc02a08

SHA256
15a813e51b0630302262418304c2a2a44f16de24101748806ec9eec1a7aade93

SHA512
071a14b5b19b020ceb2cb6a9b1c471f39e79537f14633687b0e29a462fc7691993dcb2bff0f63d76934e6ad249fc98cb42aa35c2814c4d0ed063675afd35fd75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore.jsonlz4
Filesize
913B

MD5
d2347a1e1dc16048bd159f835840fc43

SHA1
5909676d5ddb4ce57d957faf9967d68375e0d1ef

SHA256
b2126a5d0f4ea7c23195a63eb22b4ee9d1e777e5f13e8df38d600dba788bba1e

SHA512
9bcfdbaa8041ed5c81062b06fa54ded7c26a1cad73548a91f50395438e9c09837f7f60d9aa1b0edaaebbcd3285e22642daaa1c74d44038163d09d6f205882071

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_1536_TIXDBHOHULLWSKYN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads