8f1373d68141153fd199fe865bd31c8052798fbb46316fb30615c0e36ee67107

Resubmissions

22/08/2024, 12:33

240822-prdrcsxbph 3

22/08/2024, 12:31

240822-pqa9vazdqp 8

22/08/2024, 12:28

240822-pnejgsxamc 8

22/08/2024, 12:24

240822-plfzjawhld 3

Analysis

max time kernel
94s
max time network
119s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
22/08/2024, 12:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

IMG_20240403_100446.jpg
Size

151KB
MD5

c831ea5e71a02f0385cdfbb21a7f7a13
SHA1

4430b664552e60813b24df402bfd98e8e240bb15
SHA256

8f1373d68141153fd199fe865bd31c8052798fbb46316fb30615c0e36ee67107
SHA512

176f89f164e522c8585ccd50579089b77a1a6be5e02b6081289d25811ec39789710b24cced27384df2f6ceb35d53a2db5e361179581dce7888344cd6c51731e9
SSDEEP

3072:HIEGfnX3ag2n/nau9MhVAtIveKBzXEqbq5YZI8xX4tHG4xiN:HIBy/ausAt6egzXEqVe8OHGV

Score

8^/10

bootkit defense_evasion discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Mocq Epic.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2872	Mocq Epic.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
43	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Mocq Epic.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Mocq Epic.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{CDF0DC95-0E99-4263-89C8-088D55E2A5C4}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 212062.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Mocq Epic.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
4316	msedge.exe
4316	msedge.exe
1608	identity_helper.exe
1608	identity_helper.exe
3464	msedge.exe
3464	msedge.exe
2224	msedge.exe
2224	msedge.exe
5028	msedge.exe
5028	msedge.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	Mocq Epic.exe
Token: SeDebugPrivilege	2872	Mocq Epic.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
2872	Mocq Epic.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe
2872	Mocq Epic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 3744	4672	msedge.exe	87
PID 4672 wrote to memory of 3744	4672	msedge.exe	87
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4768	4672	msedge.exe	88
PID 4672 wrote to memory of 4316	4672	msedge.exe	89
PID 4672 wrote to memory of 4316	4672	msedge.exe	89
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90
PID 4672 wrote to memory of 3752	4672	msedge.exe	90

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\IMG_20240403_100446.jpg
1⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcece53cb8,0x7ffcece53cc8,0x7ffcece53cd8
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Users\Admin\Downloads\Mocq Epic.exe
  "C:\Users\Admin\Downloads\Mocq Epic.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2872
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C reg delete HKCR /f
    3⤵
    PID:4676
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      PID:1972
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C reg delete HKU /f
    3⤵
    PID:4712
  - - C:\Windows\system32\reg.exe
      reg delete HKU /f
      4⤵
      PID:1244
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C reg delete HKCC /f
    3⤵
    PID:3620
  - - C:\Windows\system32\reg.exe
      reg delete HKCC /f
      4⤵
      PID:2516
- - C:\Windows\System32\rdpclip.exe
    "C:\Windows\System32\rdpclip.exe"
    3⤵
    PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5098232320821839201,765735405881555710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:1648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004AC 0x00000000000004B4
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1163caa4549a51dbb589a1e98f8d8c12

SHA1
4a10b0f620991f11dac4393b07965996a01f32df

SHA256
a976f2d0b66355d84cef41fd7f67abab857f600b34949738eb5f90be2bf2eca3

SHA512
798afd69bd0108d70cc7a3fd6771b1ac6ce21109c9413cf6d004a991e8377cb3e7cf6c61c4d22ee197f960a852053d21fa757ef81e1622e45baf5224529112be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
bdbb1124365bd9106ff6e9f63e5b5b42

SHA1
9526442283d123c8ff9d5ca589b1daffdb97f438

SHA256
3837dc1a95153b39a1fd12a73a9485e57606d54646c5d4367f9bfa647be524fe

SHA512
859706f320d982198e3d7563038a6e0b3e0428a26747c67786783fbce4c315cd1fc2e0ec8c3eba76828e855450029849c6810eace9008832e6b87d6f88981837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6908d37b04b1800c800cbd9a1c4c2aa9

SHA1
bdec92946b37d47d0620f9e224128567666afdb7

SHA256
157ca80310a19dab9060d7d2c563367a822fc08121703280f0ae8eae26c3d0e9

SHA512
fd3152ac70f1ba5e3f579e8a67dd609266bd4631758c6e3d0c355fdf16e5d300591c18a0e364ce7df6ba693577ba3ee1178e470b470bf520a318b92abbfeca0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a836618c8036d286aadab705c23015fc

SHA1
6229618318c80048a2de3da60dd08c22c64f6eab

SHA256
5f9bd89d7aabb4fa29d2bffad7d0756a1eea1901b6c84daf028d8f7b86196f56

SHA512
fe5b7634497292f79eea76d4de08168857145488446c9630c8545be61b8b00c0af8c72a43f901aad98edab25f327cb3958a053ee8b9db56e268122892307ec86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a6910160fe17a7d3aa3bc7861c27931

SHA1
e0d1dac538b94da8b768a32103b7922309b50d65

SHA256
b079a566965dbce267bf9fbadd2b8bf23a2c2fd32731548bfff151944590050b

SHA512
d7e9236e98ea93aaa9c70daa085c35eb23c49a17feab71be47447cce3939dd618e28fd099466e0253ef0ba9273994dbbcd736a051e9eca30c6ff85665251b234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c030d92f5656e010ec7d8a751718c9b3

SHA1
8ff65d350d38903310df69b44d69fecc32632aef

SHA256
b0ac5821615b89d88838ce97d3573087284da3a5cef23bb88b79bc01f110795f

SHA512
d7d83774bef432735a7973b559003ed3b91a81ea415027a5e2d5ce38733297239117b6d5ee5606a1650927534fe3bca7af0ac60b14d2f276f7bc48cdbf6d18cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3642e24fa43fac1481b1f6ec44929d18

SHA1
4b1341aa2b9e547bc9eb1023e32a566b01bc4694

SHA256
efae01d34d9ab746d4be2314b3ef991e78b3aa4ca6c6324f8c8d209fd97d96d6

SHA512
60f4b9b4bbc03916d497edd34a08b3071c0c0f7485cee3e4282a732612a97c9a6fd0fb652f10770658360e48776a4897e5ffbe3329c3aacf91e1a736df12d727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c9157cd32d18c28dd5564afe68ce6b8

SHA1
2cb08ddaf337c807be0a2c5a27b9c487e796368f

SHA256
3040a6761364bbfde616796df89766be8c1f21fd7d33526cd9f9c5f472f3d9cf

SHA512
5e2e45fe8c3f6ae0b33b3d3a854652a66243e9e0910cec17921415b5b4b861fcc52a2c2a30d830836ae51615010b051c9f30333e6f98927c222fa5ae0e3afd23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fe65.TMP

Filesize
538B

MD5
aa9d42ebe47297736dcd396f0821f101

SHA1
c89cf2c152166dd54188c9f9c3a3045448b902f4

SHA256
3108ea63931cbd7fe32e006474812c86c0db237bb5cf8bbd217faf7c42acdfb9

SHA512
0fe1f22853317a6a75a788da0f9d8dcd01b6d2673012a42759dcf02e90ec2fac31ff56724b337d97f2ea52f06c19c7ace6abbcf0d7e447c2dc7a9218e74433d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ea9ed429-8c1c-42fe-8d68-d4397c0f7dae.tmp

Filesize
6KB

MD5
2c8391b8aa50947aedd5cb7a585cdaf9

SHA1
7f899cc1da840b410982c5ae39ef25024038daa5

SHA256
1530ba6ac7e32edd349071c276c8c0db177a729d7a38805944378f3ed61f0635

SHA512
75b4224fd498c6fc52c3baea6f6cea4ae3ac15e2f78ea58b0f62b483e977ecc000ced37c65b367ce3e2d446887f8139b4d9f4d5185e442dd94c0c9139b63df56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10fbb8eeee5aa290e4586344e3c3bd56

SHA1
6c5bd3bbfdb9c019d96b639a886860cf1c8bba29

SHA256
7f044d09ecbb18d8a02586afab12a17481717a668fb47f8befb60652b4efb42f

SHA512
36501566ced73c33ab72be3659f9c92fc60a2fada11e678354051808aa88def7864d5ef976aa9aeff6566ddaeb898da1d907ea0cac523b2d0d2d4b871167122a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
24e53f3e90246b6cb2cff0d2d6239dab

SHA1
916bd64a4ac20127a163ad8c2d990f0522f80873

SHA256
c81e9ada8ae66a7603cde345520c38b8c9c8e482d72ea8e0dd16ace723b710bf

SHA512
a81b877f6edf0cb811f96d1f05bc940624687dd464efd7fedf0dd872bf27f5f044e78b34aeff34bae659834ae137d9fae44108a515704294c5ee6882870889e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d5d85481ec28fee6a5d052e028a6a3dc

SHA1
6d54a9f370030823c50221f36fd1e7a23e8ec8b9

SHA256
ee99a50a281f021269092188885bf0103a7e6a2afcd61f62637aab6da1527cb3

SHA512
1bc04883142d1460b6555b15e0e377b2616729af4ed952e6339783597acecb7281658cd46a6f5e6fc6ac2d6eda06cf9d8d90d4baf63011dd0cc08bc0ed016e9a

Download Submit
C:\Users\Admin\Downloads\Mocq Epic.exe:Zone.Identifier

Filesize
234B

MD5
0d0c24fc2ab78644b80e0b64c6a8ff29

SHA1
cbce4bfc7024a16e9c216dc8c70af904d2157b2e

SHA256
0ad6d8f91a016a5cf35ef7bede5beeb6a22af2af02f0f867f973113ca4687886

SHA512
52329eca2ca5ad7fd4f1b98a718761788b623bad08aac9fb5391f1a23a8d4ee66ae71f1a982d7a05b9a2a21a90ad77ab442ced02c968a4dcc618bba2f6d86fc1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 212062.crdownload

Filesize
306KB

MD5
fa26fae9f733a63cfcdf6fcc3127bb84

SHA1
273e9e1928f10e1bbba028bd52ca21304a96f613

SHA256
0ffdb148ab9c816bf4a643a727e02640878e2c98d4ff2b059e1bb7c3a9dcb48a

SHA512
148d035f0eb05e5f5417ca92a0d7d136e3ad84f58971547757b058fcc7f948a77a6b6666818e5ab093106341688719e19385a5e0749798b8970df8af1be12f32

Download Submit
memory/2872-420-0x0000000000600000-0x0000000000654000-memory.dmp

Filesize
336KB

Download
memory/2872-421-0x0000000002720000-0x0000000002734000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads