hxxps://github[.]com/Dfmaaa/MEMZ-virus/archive/refs/heads/main[.]zip

Resubmissions

04-09-2024 09:48

240904-ls2b9sxgjl 4

04-09-2024 09:44

04-09-2024 09:41

04-09-2024 09:38

04-09-2024 09:36

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus/archive/refs/heads/main.zip

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5992	vc_redist.x86.exe
2304	vc_redist.x86.exe

Loads dropped DLL 1 IoCs

pid	Process
2304	vc_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
76	camo.githubusercontent.com
77	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{2250B950-B61B-4F33-A79C-E37F4BB91F2E}	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4032	msedge.exe
4032	msedge.exe
116	msedge.exe
116	msedge.exe
4996	identity_helper.exe
4996	identity_helper.exe
8	msedge.exe
8	msedge.exe
2144	msedge.exe
2144	msedge.exe
5584	msedge.exe
5584	msedge.exe
1840	msedge.exe
1840	msedge.exe
5532	msedge.exe
5532	msedge.exe
5532	msedge.exe
5532	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2396	7zG.exe
Token: 35	2396	7zG.exe
Token: SeSecurityPrivilege	2396	7zG.exe
Token: SeSecurityPrivilege	2396	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe
116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1792	116	msedge.exe	83
PID 116 wrote to memory of 1792	116	msedge.exe	83
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4440	116	msedge.exe	84
PID 116 wrote to memory of 4032	116	msedge.exe	85
PID 116 wrote to memory of 4032	116	msedge.exe	85
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86
PID 116 wrote to memory of 1168	116	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8931346f8,0x7ff893134708,0x7ff893134718
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14886572562477961510,2287534180872107230,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6236 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d4 0x428
1⤵
PID:1660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4016

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\*\" -spe -an -ai#7zMap15388:290:7zEvent30384
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe
"C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5992
- C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe
  "C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe" -burn.unelevated BurnPipe.{A4056F18-200A-4A3E-A6AA-7A25F82624F2} {07D01414-0BA8-4E06-B417-92FE17D40FCB} 5992
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e4e3118c5a2771c2d7a91ff4c0d0d0c3

SHA1
5e7531093a4da0da4b8b85b38f720ee33734e7ec

SHA256
b3f77f455d068da2270892299870543b77e62d22e583a807648d606ae626e82e

SHA512
05463c959a10d279997126f19c91d06970c017f1dc8dc1b914beb0baa94c6b9feb6158a2388c4c8e01e04132845e06f79fb9665fd286a5622747a31f25dc2079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
23297ef96c1d96cd04e398a342e109cf

SHA1
d7907b6c03ea50c99807a3bd862530358ffeff9e

SHA256
fea6f32aa823ef8bc1b414617e866fbdf4c99014a2c366a1f133a9fec54401cd

SHA512
000683d51592be6469c5a0da83e0ebc96c240cf5170255738f3499dc5e5c3f851e98b3511d0ae3f4cf8410de7ef9c12c0cdf4ff2cf7dae5abe026aafa0fe25db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8432a91ccd2a0d707c6a62916ade14bd

SHA1
fc561760db00f0a41e8a236db65ae29ac059b555

SHA256
2752d685bfbc2598abbe47fb8d7c53cf4001e0a71d133774d92d73e4815d59ca

SHA512
8796dafaf1cbee3d0b3556cd3e43abfe173077cd1b45cb508f07b28135efb5c862bb8ddd57811180c91eb7504bbdfd124d8a523dc74a965741ffe7576d1869be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b1a5b924e66fe25664dd57a3a15ae7ae

SHA1
dd9d792874092ab284d71f5d41d5b932e36446e0

SHA256
53423829a3b0d281a272a56a3dada2858d33d462ba5d3acf80fffdc352fe9ae4

SHA512
870a8f3a81af931779d758390bff15e16bcaff133101a3bb7fca276896815241accb5dad22f4cbb930238b81a5d99e9e62f046b8a3ec07839346ae18174e5de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6229ff0128a7fda1a9b6383dac736574

SHA1
af600dcbcdac5a572a760056c0f27fd049487563

SHA256
1c58ae54d218b481f33f8bfccea1902721cbb2fc6131defe7e2e0700c01cc6b0

SHA512
a6eacbfa4d5b3431c0a1f3566b593202dc4da7440ad26601845d355c14cb745415e755f25f24db89aa2b1ebe3f965c6b336b2d0e9a036d7a307e2e94ae5127c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85886a3cc45258b8290bf794e2e599ce

SHA1
963159308649ddaeec5ca4ff072a4d1765894d8e

SHA256
adbe000745bf9535ba5d45d99bcd8f7f40b49967a68f5ce72c92b37f9fde7f23

SHA512
313d2154d734fa71222eead976b2700f0b688c0fcc91f0c9b11d8626bcaf6b72dda408b21e966ddb1abe99dae4418117c72f2739ae96cafff4961dfd8aef3846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ff2bb31bb05eba2017bfc30ebada9ece

SHA1
8c878c19dd77137af21a8361799e349ee3aad9ce

SHA256
0076bed8b0cf0b6339534733d0cd28761c00750507a50060ebf19506ebee7146

SHA512
c965ddd6bc610e4163374a0af1526f0a01b2ffefb469e5a1fd603e77a7d85028ec9b8baf90858b3ebb0ea227b1f0a86b2f500c7608def9e112710e156537c59c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f4d1572377917680fe755139e224b53

SHA1
dc474ae131e4eda77ba9a82f766e00e2d7d76076

SHA256
961f37e283aaf2714fd1b314a11681437682dc9aa44fc8ec96bc0f12fc5dc050

SHA512
b17478ff17f478d28e4d14d2e01cb56aef21d80a54d41a5d48e94d8b5e5c5c95f589b669bd4a8f3448c7b454e78d4feeabd4c17b5963687e570f7fe375afbcea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07a88832aaa83e31425c1988463345ff

SHA1
ccd80bf41513c18ebe49a30d20f4d21e590efc2f

SHA256
a3761a1bde3e70b5dfa6c078b9404147073614ed4a89f59dd1cf1a153ab9abce

SHA512
1243c32d75972159a12d095d3b55b7b422dbe05df5089d74f13360ec53fa7d32276efb374ddaddbb59e13f82b2a43a4adbeebe35baa93575fc75d7f6f8db36c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d0866403ec5b2732297451ee4befc385

SHA1
bd0491f40db8369d337a4946d58bad0859fbb075

SHA256
c7d8b6ab30b8c5bdd189f81c37dd32b9a075ab1ee683a3bc6cdba19efdf7c1e7

SHA512
b3d26adf77db4c230a4a53dcb51d9ca4a9fb35e0f032d47d5c00f612d82e13352d04ff85c775808c3ef6e0f71a2b6bf8f50474225db4e0927e5dda0e7d07a7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f339.TMP

Filesize
705B

MD5
9852bc6241ef127adf822298d43737ee

SHA1
ef0a2d5dd34e50360b0991d378a17868cb4a8c0e

SHA256
407d3f67bd4dff26302a306305c5bc9cdb5a679a4b9be599102a9645b510ead7

SHA512
9af606d982a849801aa200b829923cfe3de4ffc4662a023d95328d3365d94258b56a391e5ea56d06b46c3956054b7306d25c945e4763d4aba4b58a3183aefe5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cb074e1c-62ad-44b4-8eca-b675e63da475.tmp

Filesize
1KB

MD5
45a196639a1f094433c3bafe0d3fcab9

SHA1
4e086b6b0cc3350b3de17c1ae42b317698bd1959

SHA256
e8421235a12e3105c6d97305c790bedf2db1c2d9ce1ef5be435b0e41df1308c3

SHA512
552a048fa27bc6e852b39750ab153b7289c3c524258fa9dd520aac9dfa1a413939167ed79b8b4f8e23bde979cdbb8b4259818907e93b4130216c11da6ba2bcc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b1e77f1c270b9456ff53cf1e15fe0068

SHA1
b99a1f2856f8def4c6d3743159d9433bbcf08ed3

SHA256
4341b406906f97e3e45347f8a04ba7d16bcc4db354b2b7870fbeb9e1ac5271bb

SHA512
73dfe79aba35d3b505a6cd8d6457add100f5bfbd93009d74a9573def4e95b65aefa0fe6563cf57edb960712bad86f0bd1afe79066c7b350400274ef41ea978aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4abe3754c7ca3d7243d24c52e0beeda3

SHA1
41e9a3fc455fae738832c6374fe1e42947e480d9

SHA256
92cd41e561262f5876a9035ce8c95164a9fc5e340ca77815b68e1477b8c1121c

SHA512
359f7f8fe41f841e38af063d42a4b14a383cac90b71c985924e58d9ba809bd81e809d0d0ea5700340e614a93dec0bbf26c21f2eb26da4bc44cf11c4e73d192cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
C:\Users\Admin\Downloads\MEMZ-virus-main.zip

Filesize
8KB

MD5
a043dc5c624d091f7c2600dd18b300b7

SHA1
4682f79dabfc6da05441e2b6d820382ff02b4c58

SHA256
0acffde0f952b44d500cf2689d6c9ab87e66ac7fa29a51f3c3e36a43ea5e694a

SHA512
ee4f691a6c7b6c047bca49723b65e5980a8f83cbbc129ddfd578b855430b78acf3d0e461238739cd64c8a5c9071fe132c10da3ac28085fc978b6a19ee1ca3313

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe

Filesize
13.1MB

MD5
1a15e6606bac9647e7ad3caa543377cf

SHA1
bfb74e498c44d3a103ca3aa2831763fb417134d1

SHA256
fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14

SHA512
e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 193671.crdownload

Filesize
13.5MB

MD5
6da84fd648c8811cc112f4fffe20a24d

SHA1
ba4f8d7fb51ee0a31b068cca51d5e5388c4b081b

SHA256
7b55dfab141eb69abbe47267e396fe8ee6bc4054fc8d4a5d91049b950c7d84aa

SHA512
0ba4c4379b77b465aa13af7ec295a9e7cc1421cff76e735890f46228af2f500202f879468322ad59b6d6ab06710828536ffcddee23093adf82498a365fee6bdb

Download Submit
C:\Users\Admin\Downloads\WannaCry-main.zip

Filesize
3.3MB

MD5
3c7861d067e5409eae5c08fd28a5bea2

SHA1
44e4b61278544a6a7b8094a0615d3339a8e75259

SHA256
07ecdced8cf2436c0bc886ee1e49ee4b8880a228aa173220103f35c535305635

SHA512
c2968e30212707acf8a146b25bb29c9f5d779792df88582b03431a0034dc82599f58d61fc9494324cc06873e5943f8c29bffd0272ca682d13c0bb10482d79fc5

Download Submit