3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Analysis

max time kernel
65s
max time network
63s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08/08/2024, 14:48

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3156	MEMZ.exe
124	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
3156	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
124	MEMZ.exe
2112	MEMZ.exe
2112	MEMZ.exe
4820	MEMZ.exe
4820	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
124	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
3156	MEMZ.exe
4820	MEMZ.exe
4820	MEMZ.exe
2112	MEMZ.exe
2112	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
2112	MEMZ.exe
4820	MEMZ.exe
4820	MEMZ.exe
2112	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
124	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
2112	MEMZ.exe
2112	MEMZ.exe
3156	MEMZ.exe
4820	MEMZ.exe
4820	MEMZ.exe
2112	MEMZ.exe
2112	MEMZ.exe
124	MEMZ.exe
124	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
3744	MEMZ.exe
124	MEMZ.exe
124	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	taskmgr.exe
Token: SeSystemProfilePrivilege	2024	taskmgr.exe
Token: SeCreateGlobalPrivilege	2024	taskmgr.exe
Token: SeShutdownPrivilege	2112	MEMZ.exe
Token: SeShutdownPrivilege	3156	MEMZ.exe
Token: SeShutdownPrivilege	124	MEMZ.exe
Token: SeShutdownPrivilege	3744	MEMZ.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
3288	msedge.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2112	MEMZ.exe
3744	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
4820	MEMZ.exe
3156	MEMZ.exe
3744	MEMZ.exe
124	MEMZ.exe
2112	MEMZ.exe
4820	MEMZ.exe
2112	MEMZ.exe
3744	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
4820	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
2112	MEMZ.exe
3744	MEMZ.exe
4820	MEMZ.exe
2112	MEMZ.exe
124	MEMZ.exe
3744	MEMZ.exe
3156	MEMZ.exe
4820	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
3744	MEMZ.exe
2112	MEMZ.exe
4820	MEMZ.exe
2112	MEMZ.exe
124	MEMZ.exe
3744	MEMZ.exe
3156	MEMZ.exe
4820	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
3744	MEMZ.exe
2112	MEMZ.exe
4820	MEMZ.exe
2112	MEMZ.exe
3744	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
4820	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
3744	MEMZ.exe
2112	MEMZ.exe
4820	MEMZ.exe
3744	MEMZ.exe
124	MEMZ.exe
3156	MEMZ.exe
2112	MEMZ.exe
4820	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe
2112	MEMZ.exe
3744	MEMZ.exe
4820	MEMZ.exe
3744	MEMZ.exe
2112	MEMZ.exe
3156	MEMZ.exe
124	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 124	3080	MEMZ.exe	82
PID 3080 wrote to memory of 124	3080	MEMZ.exe	82
PID 3080 wrote to memory of 124	3080	MEMZ.exe	82
PID 3080 wrote to memory of 3156	3080	MEMZ.exe	83
PID 3080 wrote to memory of 3156	3080	MEMZ.exe	83
PID 3080 wrote to memory of 3156	3080	MEMZ.exe	83
PID 3080 wrote to memory of 4820	3080	MEMZ.exe	84
PID 3080 wrote to memory of 4820	3080	MEMZ.exe	84
PID 3080 wrote to memory of 4820	3080	MEMZ.exe	84
PID 3080 wrote to memory of 3744	3080	MEMZ.exe	85
PID 3080 wrote to memory of 3744	3080	MEMZ.exe	85
PID 3080 wrote to memory of 3744	3080	MEMZ.exe	85
PID 3080 wrote to memory of 2112	3080	MEMZ.exe	86
PID 3080 wrote to memory of 2112	3080	MEMZ.exe	86
PID 3080 wrote to memory of 2112	3080	MEMZ.exe	86
PID 3080 wrote to memory of 2300	3080	MEMZ.exe	87
PID 3080 wrote to memory of 2300	3080	MEMZ.exe	87
PID 3080 wrote to memory of 2300	3080	MEMZ.exe	87
PID 2300 wrote to memory of 4492	2300	MEMZ.exe	90
PID 2300 wrote to memory of 4492	2300	MEMZ.exe	90
PID 2300 wrote to memory of 4492	2300	MEMZ.exe	90
PID 2300 wrote to memory of 3288	2300	MEMZ.exe	99
PID 2300 wrote to memory of 3288	2300	MEMZ.exe	99
PID 3288 wrote to memory of 2360	3288	msedge.exe	100
PID 3288 wrote to memory of 2360	3288	msedge.exe	100
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101
PID 3288 wrote to memory of 4068	3288	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:124
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4820
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3744
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbd9bf3cb8,0x7ffbd9bf3cc8,0x7ffbd9bf3cd8
      4⤵
      PID:2360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
      4⤵
      PID:4068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      4⤵
      PID:1492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:1132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:2192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
      4⤵
      PID:4800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
      4⤵
      PID:2136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
      4⤵
      PID:5160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
      4⤵
      PID:5464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,13007143077859388705,2188932068823027537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
      4⤵
      PID:5760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3132

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
1ebe853400d2faf59437d28a3dfe7173

SHA1
d6afcdb180fcbdadffe5e8e66bb483cb9f9adbdc

SHA256
061767ea1e850b8aa2081edd09618d8401147daf38874af983beba84c89e6cd5

SHA512
614c57cc8401fa4827e7045296a98945957389bbd132268a4e0564c1688f7d00554218c4b4931eedd4b04d0cc2a3b2247fab26f2dedf9e9e5382caa21d026a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ca7c59d1a1139cc50da6a15cd8f1d582

SHA1
2be21a97e4d8434dadba6300e62e595954cbedeb

SHA256
5df392c145473738dea8fc9691db0c3567d152fc18f2eb8e071f5c6dd51c69b7

SHA512
12b6bfa18d817fb0522ac787421d27604426d1f1e735bf2829559a2f8b41fccf8efeaa5c30f5ea75f52b7aeef823b52f5312a41c5abbc9e0291f7f74591211f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1df177c8094a4d40b61581f5d9785a78

SHA1
08d09dbb6a02b41148e1af87950c11a946cc12c7

SHA256
83addbdd9d8226a3553fff46c252eacf9f8b44b6444ba9e193fda53552554efc

SHA512
605cfd80d0d066ff97dfe264d7294e31b7a1f6dd230bd9892bdb7ef561d11d26484d98e328327c09349e34d264618bb37666fef4320c6f1646b86c515a8c587e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
43261b3d187a8d60a67b836920ea5764

SHA1
176ae7fe6084005cc69339d56d4b723b0c7325b6

SHA256
93aedd9c870f474f889aa71a365f369385ac4f04f9d972d03c24ae6d2149a61f

SHA512
14a8e2620f02da2ba91a3024af57e251169c0bfade64e8555f4797e1ea8a5754bb16f27d0552a5b13a4bc597e3e06ad2de0257417a2016086a83f9426289f855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe7f92f3876b2d9bde8f9a9c675d0b28

SHA1
cc6b64301cee66664eac025c3825a29db13bae65

SHA256
49128e5e98381154250e4ee2f8e555712ab2288c1d3eb7f76a03c34f34f35dbc

SHA512
ab5af36588d7fd3d1c61056dd550bfb188a894303a43cdd67e77fa82f289ea9200e653b814e0e77e656fe1f5e829e91b31978a0dcce6088eacbcc9b8e068c4e3

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2024-13-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-8-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-9-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-10-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-11-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-12-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-14-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-2-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-3-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download
memory/2024-4-0x0000016EE8A50000-0x0000016EE8A51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads