3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

Analysis

max time kernel
144s
max time network
157s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25/06/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 21d7f8989fc6da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 84d7ea9d9fc6da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9a185fac9fc6da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 206854fed1c6da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "426092731"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{4E96E433-A7F7-43FA-A6C2-B7DB2BED92B5} = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "426044146"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 70b6c9c29fc6da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3724	MEMZ.exe
620	MEMZ.exe
3724	MEMZ.exe
620	MEMZ.exe
4748	MEMZ.exe
4748	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
2512	MEMZ.exe
4232	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
4748	MEMZ.exe
620	MEMZ.exe
620	MEMZ.exe
3724	MEMZ.exe
3724	MEMZ.exe
620	MEMZ.exe
3724	MEMZ.exe
620	MEMZ.exe
3724	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
4748	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
620	MEMZ.exe
2512	MEMZ.exe
620	MEMZ.exe
3724	MEMZ.exe
3724	MEMZ.exe
3724	MEMZ.exe
4748	MEMZ.exe
4748	MEMZ.exe
3724	MEMZ.exe
620	MEMZ.exe
2512	MEMZ.exe
620	MEMZ.exe
2512	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
3724	MEMZ.exe
3724	MEMZ.exe
4748	MEMZ.exe
4748	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
2512	MEMZ.exe
2512	MEMZ.exe
620	MEMZ.exe
620	MEMZ.exe
3724	MEMZ.exe
3724	MEMZ.exe
4748	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
2512	MEMZ.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2072	MicrosoftEdgeCP.exe
2072	MicrosoftEdgeCP.exe
2072	MicrosoftEdgeCP.exe
2072	MicrosoftEdgeCP.exe
2072	MicrosoftEdgeCP.exe
2072	MicrosoftEdgeCP.exe
2072	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	424	taskmgr.exe
Token: SeSystemProfilePrivilege	424	taskmgr.exe
Token: SeCreateGlobalPrivilege	424	taskmgr.exe
Token: 33	424	taskmgr.exe
Token: SeIncBasePriorityPrivilege	424	taskmgr.exe
Token: SeDebugPrivilege	4960	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4960	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4960	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4960	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1372	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1372	MicrosoftEdgeCP.exe
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE
Token: SeDebugPrivilege	5092	taskmgr.exe
Token: SeSystemProfilePrivilege	5092	taskmgr.exe
Token: SeCreateGlobalPrivilege	5092	taskmgr.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe
5092	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4664	MEMZ.exe
1524	MicrosoftEdge.exe
2072	MicrosoftEdgeCP.exe
4960	MicrosoftEdgeCP.exe
2072	MicrosoftEdgeCP.exe
5076	OpenWith.exe
620	MEMZ.exe
4232	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
4232	MEMZ.exe
620	MEMZ.exe
620	MEMZ.exe
4232	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
620	MEMZ.exe
4232	MEMZ.exe
620	MEMZ.exe
4232	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
4232	MEMZ.exe
620	MEMZ.exe
4748	MEMZ.exe
620	MEMZ.exe
4232	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
620	MEMZ.exe
4232	MEMZ.exe
620	MEMZ.exe
4748	MEMZ.exe
4232	MEMZ.exe
2512	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
620	MEMZ.exe
4232	MEMZ.exe
4232	MEMZ.exe
620	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe
4232	MEMZ.exe
620	MEMZ.exe
620	MEMZ.exe
4232	MEMZ.exe
4748	MEMZ.exe
2512	MEMZ.exe
2512	MEMZ.exe
4232	MEMZ.exe
4748	MEMZ.exe
620	MEMZ.exe
2512	MEMZ.exe
4748	MEMZ.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 620	3320	MEMZ.exe	72
PID 3320 wrote to memory of 620	3320	MEMZ.exe	72
PID 3320 wrote to memory of 620	3320	MEMZ.exe	72
PID 3320 wrote to memory of 4232	3320	MEMZ.exe	73
PID 3320 wrote to memory of 4232	3320	MEMZ.exe	73
PID 3320 wrote to memory of 4232	3320	MEMZ.exe	73
PID 3320 wrote to memory of 4748	3320	MEMZ.exe	74
PID 3320 wrote to memory of 4748	3320	MEMZ.exe	74
PID 3320 wrote to memory of 4748	3320	MEMZ.exe	74
PID 3320 wrote to memory of 3724	3320	MEMZ.exe	75
PID 3320 wrote to memory of 3724	3320	MEMZ.exe	75
PID 3320 wrote to memory of 3724	3320	MEMZ.exe	75
PID 3320 wrote to memory of 2512	3320	MEMZ.exe	76
PID 3320 wrote to memory of 2512	3320	MEMZ.exe	76
PID 3320 wrote to memory of 2512	3320	MEMZ.exe	76
PID 3320 wrote to memory of 4664	3320	MEMZ.exe	77
PID 3320 wrote to memory of 4664	3320	MEMZ.exe	77
PID 3320 wrote to memory of 4664	3320	MEMZ.exe	77
PID 4664 wrote to memory of 4224	4664	MEMZ.exe	79
PID 4664 wrote to memory of 4224	4664	MEMZ.exe	79
PID 4664 wrote to memory of 4224	4664	MEMZ.exe	79
PID 4664 wrote to memory of 1968	4664	MEMZ.exe	81
PID 4664 wrote to memory of 1968	4664	MEMZ.exe	81
PID 4664 wrote to memory of 1968	4664	MEMZ.exe	81
PID 2072 wrote to memory of 2140	2072	MicrosoftEdgeCP.exe	87
PID 2072 wrote to memory of 2140	2072	MicrosoftEdgeCP.exe	87
PID 2072 wrote to memory of 2140	2072	MicrosoftEdgeCP.exe	87
PID 2072 wrote to memory of 2140	2072	MicrosoftEdgeCP.exe	87
PID 2072 wrote to memory of 2140	2072	MicrosoftEdgeCP.exe	87
PID 2072 wrote to memory of 2140	2072	MicrosoftEdgeCP.exe	87
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 772	2072	MicrosoftEdgeCP.exe	90
PID 2072 wrote to memory of 2088	2072	MicrosoftEdgeCP.exe	92
PID 2072 wrote to memory of 2088	2072	MicrosoftEdgeCP.exe	92
PID 2072 wrote to memory of 2088	2072	MicrosoftEdgeCP.exe	92
PID 2072 wrote to memory of 2088	2072	MicrosoftEdgeCP.exe	92
PID 2072 wrote to memory of 2088	2072	MicrosoftEdgeCP.exe	92
PID 2072 wrote to memory of 2088	2072	MicrosoftEdgeCP.exe	92
PID 2072 wrote to memory of 2088	2072	MicrosoftEdgeCP.exe	92
PID 4664 wrote to memory of 1380	4664	MEMZ.exe	94
PID 4664 wrote to memory of 1380	4664	MEMZ.exe	94
PID 4664 wrote to memory of 1380	4664	MEMZ.exe	94

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:620
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4232
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:1380

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:424

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
078ccfd75bbefd0da9802ddbba81eff7

SHA1
f1f396504cfa6aa0445157eb43f6e1c1f5a465c7

SHA256
e821b68620e42e03ba21651edeb2d4f4a86773a387a0bbd046f9f8fe681c22f7

SHA512
485a76079b750d8a02ff575de0fcc819eae0f48d12e3a9c11f4db1b236ad01fa9a30c52704c76e97932344aaa44a852aaa914fab09e0f301ede591fa9bedfdd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\DO1Z1BGH\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KD85L02F\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FX2TZODS\checkmark2[1].png

Filesize
186B

MD5
4ed31cfd51e649f9e6ab8472e55b0ddc

SHA1
b966aeb36708d3e027e141e25aa28422832241f2

SHA256
b047fd79af92686dac83158af07940e09ec1d224374aaf28c76e3e6763c428e0

SHA512
53b25e0df68c9ac03fd32feb8dd0825e901bdec67f6443cf40f903efacc101a2b900b887f2b19dc40cfadc4d1e433a250566fcf8f1ffefc23808f45afb16f3b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TN1O8NT7\googlelogo_color_68x28dp[1].png

Filesize
1KB

MD5
c4a931d597decd2553aac6634b766cf2

SHA1
6ec84fb4a2745b4b71520241be77db1fd1013830

SHA256
f56402b127698db4b4dc611a97a6f081d04c4691c60522c5912d189e37c94a9e

SHA512
4932e0f7f38085a7c52539bdd5c7f470740e560a4471bea30d12ef9e3efe77f6bbfac28d26c62a245c43d98ebf74c824b2b414843080a27edf1563a5f874ac84

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
8d1040b12a663ca4ec7277cfc1ce44f0

SHA1
b27fd6bbde79ebdaee158211a71493e21838756b

SHA256
3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727

SHA512
610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
81afc0bf5da0665d25a5dee7e2753370

SHA1
0c3be1f39d24b0244b10a55c1206a33e8f53212f

SHA256
5fccf1d8723d62ad01b16c8e53c63c38ebe68f68ec2e2218e2f0c697b9fa4f77

SHA512
81cc789f7a25a488524fbaaf46f930f03de79734d7c0497ee1ec800e5fd1f90e8e7124c55c6b8ba9d9defca243dfd6cfc237d969064cd44107bf738cdd585c58

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_4E4933C273AFD632077725BC7FF4B704

Filesize
472B

MD5
25ce815778d63cb630d153cfde4220b7

SHA1
692e55dabdc461f26cc9aa9c76198eccaffbce70

SHA256
1c06359fee6c60e885db94aef77a30aa53e51d412143b5cde7dfb2c7a7898e50

SHA512
b582ba1d48c8bd9678741a354adeac56bfc263d2ca1caab6978b7cb1f9ab0baf979b6db16418b3b148d2e4ca1af6612a4f270040cc81fe1891bf14fc982eb879

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_E9DE422BDD7495518DADF35C9B8A2C20

Filesize
471B

MD5
32b19f64e249b5749ce660c98fc71b01

SHA1
fad282d982956f8c783b69b9886258d9798cf636

SHA256
8a060daf610538e94365549c6d23d59411522e788f5dd62b63d8e91237eea517

SHA512
6c33d61dbdc4b516cb9753178458e6c8cd345ff91a86b0f07fea4652b31ea20d4db18741b2a0c7f3c406725f195d57c4cdf7e0811b45b027bfcf59bc90276f4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
a58508a581883e5b31c83b83f3edd4f9

SHA1
185dc6c68307b18118e1550637ff27eab04e4ac9

SHA256
056e20fad9948bff2a749efea3b5c16b31da43bdf9c8cd3f043f18a157721673

SHA512
304543f7dd948c4d3afc224857ac03ca5356962642c0441b69722acc4641d42da33f88345e970f7ef6796ddb08161c98e286be2d67a38240aed6ce884d1193e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
91edf1e638092799dcea5138333d064f

SHA1
c97edee760257fc4c24a70eee369111e40ed8ecb

SHA256
0c6c98f9b41ac1661297edb2ea6c1077a956d01e3b9595e11a3744aba2df6e99

SHA512
6796479051912915b037eab462622f4fea4535778b691cf300dd48a26f56569e2f016793f72cf2e69bc8d39e168578e7b2f54efee8a2d2ec842686ef9e3c9bfb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_4E4933C273AFD632077725BC7FF4B704

Filesize
406B

MD5
0965b1915e18ef5de7204e7a83b1d94a

SHA1
5368c09c0b308e76259f76fd164f5664ac64eb7e

SHA256
e37617bf9ab239febc7baa5f809e1ced012b0270089548c7f8d942ca5c213885

SHA512
840b0b950b94d646ca5e0df3cb5b648b35c8fa2bb281ad274aab2b53528ebaf16560e35304816bf62064d313b2d39b119dc2902664e45f52f982c517252ac542

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_E9DE422BDD7495518DADF35C9B8A2C20

Filesize
402B

MD5
c487a45bc819cfbfbba0c9e7f3ada5d6

SHA1
7a568ad0d8609a6c0a51ae5c75492200543f56ba

SHA256
84882e46d93628a93f27882c0f8a156bdb0fa28b96aa7783ab3102914e7b6f4c

SHA512
00d207be1768bd181e134b14869d4841588fba62899222c1cb0f5bab2c7620c3a3cbb9ddd76f4b084585e47912ff9dcc2dd808bb258405069394da3535c96631

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/772-166-0x0000025232C50000-0x0000025232C52000-memory.dmp

Filesize
8KB

Download
memory/772-168-0x0000025232DC0000-0x0000025232DC2000-memory.dmp

Filesize
8KB

Download
memory/772-130-0x000002521FC00000-0x000002521FD00000-memory.dmp

Filesize
1024KB

Download
memory/772-161-0x0000025232EF0000-0x0000025232EF2000-memory.dmp

Filesize
8KB

Download
memory/772-174-0x00000252332E0000-0x0000025233300000-memory.dmp

Filesize
128KB

Download
memory/772-172-0x00000252332D0000-0x00000252332D2000-memory.dmp

Filesize
8KB

Download
memory/772-170-0x0000025232DE0000-0x0000025232DE2000-memory.dmp

Filesize
8KB

Download
memory/1524-109-0x00000249F9D40000-0x00000249F9D41000-memory.dmp

Filesize
4KB

Download
memory/1524-28-0x00000249F3730000-0x00000249F3740000-memory.dmp

Filesize
64KB

Download
memory/1524-11-0x00000249F3620000-0x00000249F3630000-memory.dmp

Filesize
64KB

Download
memory/1524-108-0x00000249F9D30000-0x00000249F9D31000-memory.dmp

Filesize
4KB

Download
memory/1524-46-0x00000249F2880000-0x00000249F2882000-memory.dmp

Filesize
8KB

Download
memory/2140-85-0x000001B649120000-0x000001B649122000-memory.dmp

Filesize
8KB

Download
memory/2140-87-0x000001B6491E0000-0x000001B6491E2000-memory.dmp

Filesize
8KB

Download
memory/2140-81-0x000001B648FE0000-0x000001B648FE2000-memory.dmp

Filesize
8KB

Download
memory/2140-75-0x000001B635D00000-0x000001B635E00000-memory.dmp

Filesize
1024KB

Download
memory/2140-76-0x000001B635D00000-0x000001B635E00000-memory.dmp

Filesize
1024KB

Download
memory/2140-89-0x000001B649200000-0x000001B649202000-memory.dmp

Filesize
8KB

Download
memory/2140-83-0x000001B649100000-0x000001B649102000-memory.dmp

Filesize
8KB

Download
memory/2140-78-0x000001B648FB0000-0x000001B648FB2000-memory.dmp

Filesize
8KB

Download
memory/4960-55-0x0000017DA4E10000-0x0000017DA4F10000-memory.dmp

Filesize
1024KB

Download