3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

09-08-2024 22:09

240809-122fyswakd 7

09-08-2024 22:06

240809-11b5ns1fpj 7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ (1).exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MEMZ (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MEMZ (1).exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ (1).exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	MEMZ (1).exe
1488	MEMZ (1).exe
1488	MEMZ (1).exe
4764	MEMZ (1).exe
1488	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
1488	MEMZ (1).exe
1488	MEMZ (1).exe
2664	MEMZ (1).exe
2664	MEMZ (1).exe
2664	MEMZ (1).exe
2664	MEMZ (1).exe
1488	MEMZ (1).exe
1488	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
4544	MEMZ (1).exe
4544	MEMZ (1).exe
3640	MEMZ (1).exe
3640	MEMZ (1).exe
2664	MEMZ (1).exe
4544	MEMZ (1).exe
4544	MEMZ (1).exe
2664	MEMZ (1).exe
4764	MEMZ (1).exe
1488	MEMZ (1).exe
1488	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
1488	MEMZ (1).exe
1488	MEMZ (1).exe
4544	MEMZ (1).exe
4544	MEMZ (1).exe
2664	MEMZ (1).exe
2664	MEMZ (1).exe
3640	MEMZ (1).exe
3640	MEMZ (1).exe
4544	MEMZ (1).exe
4544	MEMZ (1).exe
1488	MEMZ (1).exe
1488	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
1488	MEMZ (1).exe
1488	MEMZ (1).exe
4544	MEMZ (1).exe
4544	MEMZ (1).exe
3640	MEMZ (1).exe
3640	MEMZ (1).exe
2664	MEMZ (1).exe
2664	MEMZ (1).exe
4544	MEMZ (1).exe
1488	MEMZ (1).exe
4544	MEMZ (1).exe
1488	MEMZ (1).exe
4764	MEMZ (1).exe
4764	MEMZ (1).exe
1488	MEMZ (1).exe
4764	MEMZ (1).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3488	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3488	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 1488	3332	MEMZ (1).exe	94
PID 3332 wrote to memory of 1488	3332	MEMZ (1).exe	94
PID 3332 wrote to memory of 1488	3332	MEMZ (1).exe	94
PID 3332 wrote to memory of 4764	3332	MEMZ (1).exe	95
PID 3332 wrote to memory of 4764	3332	MEMZ (1).exe	95
PID 3332 wrote to memory of 4764	3332	MEMZ (1).exe	95
PID 3332 wrote to memory of 2664	3332	MEMZ (1).exe	96
PID 3332 wrote to memory of 2664	3332	MEMZ (1).exe	96
PID 3332 wrote to memory of 2664	3332	MEMZ (1).exe	96
PID 3332 wrote to memory of 3640	3332	MEMZ (1).exe	97
PID 3332 wrote to memory of 3640	3332	MEMZ (1).exe	97
PID 3332 wrote to memory of 3640	3332	MEMZ (1).exe	97
PID 3332 wrote to memory of 4544	3332	MEMZ (1).exe	98
PID 3332 wrote to memory of 4544	3332	MEMZ (1).exe	98
PID 3332 wrote to memory of 4544	3332	MEMZ (1).exe	98
PID 3332 wrote to memory of 1524	3332	MEMZ (1).exe	99
PID 3332 wrote to memory of 1524	3332	MEMZ (1).exe	99
PID 3332 wrote to memory of 1524	3332	MEMZ (1).exe	99
PID 1524 wrote to memory of 3088	1524	MEMZ (1).exe	101
PID 1524 wrote to memory of 3088	1524	MEMZ (1).exe	101
PID 1524 wrote to memory of 3088	1524	MEMZ (1).exe	101
PID 1524 wrote to memory of 4392	1524	MEMZ (1).exe	105
PID 1524 wrote to memory of 4392	1524	MEMZ (1).exe	105
PID 4392 wrote to memory of 1800	4392	msedge.exe	106
PID 4392 wrote to memory of 1800	4392	msedge.exe	106
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107
PID 4392 wrote to memory of 1896	4392	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ (1).exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb951a46f8,0x7ffb951a4708,0x7ffb951a4718
      4⤵
      PID:1800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
      4⤵
      PID:1896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      4⤵
      PID:1248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
      4⤵
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:4748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:4572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
      4⤵
      PID:3980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
      4⤵
      PID:2120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
      4⤵
      PID:3096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
      4⤵
      PID:5048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=220 /prefetch:1
      4⤵
      PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
      4⤵
      PID:4328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:3560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
      4⤵
      PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      4⤵
      PID:3104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
      4⤵
      PID:2252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
      4⤵
      PID:5372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      4⤵
      PID:5508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1844 /prefetch:1
      4⤵
      PID:5960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
      4⤵
      PID:6044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
      4⤵
      PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10781736714087482636,2152676644984975303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
      4⤵
      PID:4420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=g3t+r3kt
    3⤵
    PID:3608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb951a46f8,0x7ffb951a4708,0x7ffb951a4718
      4⤵
      PID:3204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
    3⤵
    PID:5296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ffb951a46f8,0x7ffb951a4708,0x7ffb951a4718
      4⤵
      PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
    3⤵
    PID:5888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb951a46f8,0x7ffb951a4708,0x7ffb951a4718
      4⤵
      PID:5900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+remove+a+virus
    3⤵
    PID:5816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb951a46f8,0x7ffb951a4708,0x7ffb951a4718
      4⤵
      PID:5836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c4 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b7f99bf03f3416301ccfd67a607f11ae

SHA1
975ee6691ede97512daa6bae35e871c09a7a3fdf

SHA256
1a66988361a48b241f1b7c63b896469bc970fc4fff000c4fa348b4a204ed72b2

SHA512
a0a39a1cce102506ef370a96cf2a1a9d4c30af489d97453badb44b1fc7fb86c8dff41caa5fb745790b7255f28c4c5b34c85cba48d4ee3ee0d57a7b43f2c3f8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b90bd7853cbe5abae38d768e53d6d853

SHA1
16b26f7ef8fc602a5e6913a2792896d855c03013

SHA256
111ee4ee198512e5e63c5213a3cfc9f90ca3923837cf98bb9efa82147a966d1a

SHA512
808d2de8bf7ec731d7764d5ae31853e2efe38efc4a72ae82aa9b02c89ff5394e4e5e531d0d001deed96edc990b76ca7a1437798d3bd5e89b1dc90ba793b79e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
389240f493fca59516ebb60cc8f079fb

SHA1
e2f6ad5e1ee1ffee3711f01ed6b7a231c4ec9a0a

SHA256
5b9510dcceaff7a648f978510914d94e52a3a7496e96ed42faa2e002f1490b40

SHA512
f3e03c1b4a49b4bc2903301d6ffd23f74ff63857b3bbfe7da8d55bb63fd64a4787e3e05b24cf689542c10dd98ce6e4739fe849a56ae3a77a455d81f9d4d18cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
2dfb1dbe200ea27788ef47570ca36582

SHA1
25e69f189ebe30b84bfafa30b6e163d35a5859df

SHA256
59cc3769917cdbca8057348edc191933a0e9ae2b041e26a696079d3320d1d7ee

SHA512
9f31f56d68d688b8cf8a6563b4028eabccb6ef58246305fcc251760f7ccfc2c6274bb701f4df593b4f683ccde38a780e2aaabbf4769bf3aa0b42f181cdd9ca6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
783B

MD5
6028f5ec324436f09684cd17dc7beb50

SHA1
1662a8335a35e32939bb598fd8c90866d9376eb9

SHA256
69c38a768a2e3d5d5373f0a125eb8fc03927bbcb204afe008335d1886a56f545

SHA512
34507cd57bd314750075bf8884ca6310cb322b5d4e48a49985c07c19c5436db8b0595fce71dd3470caaed67e61a20d67ee22fba7c56b26f6b0d9bdba1b2ae51a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
406cc240a6060174838b85b190f4344c

SHA1
481a41e451325552ec3533b3e3a639f33403fd74

SHA256
cb244bf0422167f6a788a5bb9d8bfa6bbde489a1a88da5515823aeaf58fdba6a

SHA512
e55a75728d9f761c2acb705b6fc5dece96ddf7f14266bd1ce831a59151fe096127a7ca3877f8b38bb5e56c807bdde3c4d30b84e4a2d3ed59cfd9ba3bbee76762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a2646751c896c250ffabaa84f2ef792c

SHA1
0767af0aa9b68f1b81d15fe25f31386e61b5117b

SHA256
6bb458691fd5169689a9e8c61f0417e49c85a7acc4ec281c0d698bfa13f12d78

SHA512
3ba31f201a3b81ecc2f5bfc05dfdcb286e1099c9bd3909c456d1e39ad96047d413e8416f7100c9ba4b0f4fef23e4a4f6dd5e8e494a6e625b897a3a73e5f868ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6751e5593d2bfae16c7b070948e6a842

SHA1
0cd35167e6b17da11c736a1069bdfea122ae4692

SHA256
279cdc5be10c76c5d930c18a77c5666a3f9fdba9aefe273e983a301d79749567

SHA512
b7e87d97074f1e9c4b46d898d1cf8a3f09622c219299a0f9efa3005d87ce17bd7ed5f9ae7079ce151b38ed84878ea602785a4121ab47f6aa997ba6df61042647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
efbbb48bc9044b65cc4560ccbd73879f

SHA1
dd7402079a8fc905c3b202bee9dcc095d11520b3

SHA256
a1fb5cf10271b7c1bb5c887515c52164c481b9d28b6861e24e4d4250ce02be65

SHA512
f0c6a40380b167be88d7bddb925c02ce9512a31f0db141235c9dbd71ea53cedb6ef29b28ed0abaf0636cc93d3a5ee7be0fcba00d4e486a77af8319f2a2cbcf1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6fa4012aeb7fcb35dcb77cb14169cd08

SHA1
73ab686e2fca28e86638d04f3f2e1dbadf137c96

SHA256
693e29346fb67bc38f9794ee5ba01a5219e3d625f4efd6309702bdfb7259e458

SHA512
a1da2ab93f1cd646f391ae0471c79b8e229089b29e4f73fea2c95f06a8aa034de254342134e879604fb9924010eb4ecfc77355b3f3b1682331d2b97b832957da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1145b34af58b2431243d0875fca575cc

SHA1
a10af70900061008c002d66d0bdb5ec9002799ff

SHA256
dea7e90986cb49fbee87690b88e3131064a11a94231067a663bb526d10c13c68

SHA512
ea25a61681f295d239872561d44d26f907a0993fc8abb66e116783daf33504f9899dacfb39dc36eff78f3d94af3b094a3db4fe2700e96b79eb052c2b12445761

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit