734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
210s
max time network
209s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 22:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 59 IoCs

Processes:

mmc.exe

description	ioc	process
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_primitive.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_nvmedisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

notepad.exeexplorer.execmd.exemmc.exeMEMZ.exeMEMZ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 32 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mmc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "225"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 2 IoCs

Processes:

explorer.exeMEMZ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
3116	MEMZ.exe
4960	MEMZ.exe
3116	MEMZ.exe
4960	MEMZ.exe
4960	MEMZ.exe
4960	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
3116	MEMZ.exe
3116	MEMZ.exe
1484	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
1484	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
2740	MEMZ.exe
2740	MEMZ.exe
4960	MEMZ.exe
4960	MEMZ.exe
2740	MEMZ.exe
2740	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
3116	MEMZ.exe
3116	MEMZ.exe
1484	MEMZ.exe
1484	MEMZ.exe
1484	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
3116	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
2740	MEMZ.exe
4960	MEMZ.exe
2740	MEMZ.exe
4960	MEMZ.exe
4960	MEMZ.exe
2740	MEMZ.exe
2740	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
3116	MEMZ.exe
3116	MEMZ.exe
1484	MEMZ.exe
1484	MEMZ.exe
4960	MEMZ.exe
2740	MEMZ.exe
2740	MEMZ.exe
4960	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

3568 mmc.exe

pid	process
3568	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEmmc.exe

description	pid	process
Token: 33	3144	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3144	AUDIODG.EXE
Token: 33	3568	mmc.exe
Token: SeIncBasePriorityPrivilege	3568	mmc.exe
Token: 33	3568	mmc.exe
Token: SeIncBasePriorityPrivilege	3568	mmc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

MEMZ.exeidentity_helper.exemmc.exemmc.exeLogonUI.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2772	MEMZ.exe
4592	identity_helper.exe
2772	MEMZ.exe
1560	mmc.exe
3568	mmc.exe
3568	mmc.exe
1144	LogonUI.exe
2740	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
3116	MEMZ.exe
4960	MEMZ.exe
3756	MEMZ.exe
2740	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
1484	MEMZ.exe
2740	MEMZ.exe
4960	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
3116	MEMZ.exe
2740	MEMZ.exe
1484	MEMZ.exe
2740	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
3116	MEMZ.exe
4960	MEMZ.exe
3756	MEMZ.exe
2740	MEMZ.exe
1484	MEMZ.exe
4960	MEMZ.exe
3116	MEMZ.exe
2740	MEMZ.exe
3756	MEMZ.exe
1484	MEMZ.exe
2740	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
3116	MEMZ.exe
1484	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
4960	MEMZ.exe
3116	MEMZ.exe
2740	MEMZ.exe
2740	MEMZ.exe
3756	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
1484	MEMZ.exe
3116	MEMZ.exe
1484	MEMZ.exe
2740	MEMZ.exe
3116	MEMZ.exe
3756	MEMZ.exe
4960	MEMZ.exe
4960	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exemsedge.exe

description	pid	process	target process
PID 2992 wrote to memory of 4960	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 4960	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 4960	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 3116	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 3116	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 3116	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 1484	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 1484	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 1484	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 3756	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 3756	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 3756	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 2740	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 2740	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 2740	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 2772	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 2772	2992	MEMZ.exe	MEMZ.exe
PID 2992 wrote to memory of 2772	2992	MEMZ.exe	MEMZ.exe
PID 2772 wrote to memory of 4888	2772	MEMZ.exe	notepad.exe
PID 2772 wrote to memory of 4888	2772	MEMZ.exe	notepad.exe
PID 2772 wrote to memory of 4888	2772	MEMZ.exe	notepad.exe
PID 2772 wrote to memory of 3772	2772	MEMZ.exe	msedge.exe
PID 2772 wrote to memory of 3772	2772	MEMZ.exe	msedge.exe
PID 3772 wrote to memory of 3148	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 3148	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe
PID 3772 wrote to memory of 1824	3772	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3756

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
- System Location Discovery: System Language Discovery
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=g3t+r3kt
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb0c313cb8,0x7ffb0c313cc8,0x7ffb0c313cd8
4⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
4⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
4⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
4⤵
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
4⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
4⤵
PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
4⤵
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
4⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
4⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
4⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
4⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
4⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
4⤵
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
4⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
4⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
4⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
4⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,1275369899946323067,4366694578572698301,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5212 /prefetch:2
4⤵
PID:4852

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=g3t+r3kt
3⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb0c313cb8,0x7ffb0c313cc8,0x7ffb0c313cd8
4⤵
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
3⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb0c313cb8,0x7ffb0c313cc8,0x7ffb0c313cd8
4⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:4940

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000047C 0x0000000000000494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3944055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\02fd9e57-f048-4d8d-811c-af5489a4d2f2.tmp

Filesize
10KB

MD5
2d9630cd7be0bff7f4ff60da4e3c4d6a

SHA1
47a04ed5dd64e24bc3074af24a4ca4e21e2f0d23

SHA256
3a8490b3a6712d171d1ea88176f2b6c1a458866a6c4f53e01204fbb35c87329a

SHA512
8b61d366a1ea4ef3ed09a63a3eb24d3f7001c0755d931c885232271eda1c2cc1f3e2b531add0dc42c74cf6a780d5026ffdebd8f643c7662a711bbecc1d8153e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\03ae0658db22f33f_0

Filesize
289B

MD5
1cfe31f543dbac7d6ae94d7aee015585

SHA1
b5201ed99ea86e8a175694aa687402e557240df0

SHA256
f2eb6eeb6d739ea40fa9b76a44d28743873d3279e7c37616de8ca7ba84ba8d57

SHA512
9dcfa13471706a0d6979a0ff1c7e3fe780e2f143811fdd54c9722f9b4d2bdd0694f765f8c30f37f2c869f6058a8dcf41ed87b269fa9409186e89f3d996ba897e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0fb124e1fbf7179f_0

Filesize
339KB

MD5
a92a228d1e1f8242e00de942f724a987

SHA1
052da73c65d4bdad4944ac8297ea8f1f11e9ee37

SHA256
c4a8ee7813119a70578606a24f2b07056efa87a4d6b27f2fe513fd170b75974b

SHA512
f39a780bc8df25be15098b1046b0cec5e626b8b62f88a65790d38eede6d5e2fa6a4cbdb006ad0ea9d2120f4e5660bb3025960dda21f844124bf4802f63d0242c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
1d14c07585a813c05fd9a8e528db5515

SHA1
a943ce5126e8def63e89a0c9eac98a6bc97f94ae

SHA256
663a2e7359d580650c2daea88ce4dd9ed85fb53f3a4286875628f80f8be02871

SHA512
1e3aa25d3ef5b52301411339fb8c2d9f65dbe2aa7063e2031cba5af14b240e396c97a585e7f404d5dbe85eac20b414ddd88e481fcf3164956b2cfd31b4e78a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
2dcb53978ee46f4d74c74681bedcb41a

SHA1
8833e63e2da8dfdbdb1b011165ffbc99042b7940

SHA256
85c167aa465ec633ac623a37caef855eb1eea352047a99477797d7de825ac5dc

SHA512
80fb8af5a3505d52963aa112a31ac40fc64a428fbfdff39574955429958705184d32bec3566dd63a519af771040ad08fc7d3e1cd31d66e7b28a96c2f286911da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
adcd4413dfdbcd57dad4a0ac7ec20bbc

SHA1
6c671b094ee36d2a73f0d4e34d8a9cc3a818276c

SHA256
18ffda39a2fb11e4dce280ba8ead0583ad700773ce62314362708eb4a8fd88c4

SHA512
c7e5648ee0839696f84a1360262a51ad949fbe571289d17ea91e864a0044223599cc49fd0d2a2ef7c52d0af19615cec06b720a0d62b498b08f7647ff29c8571d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4a96265c9f978339ecc057b1e40a23c2

SHA1
6393dd3ec9bf16c641985041ba1e143a2a459448

SHA256
f2df909dfe04c469ffeb0d036ce6d61d9e8a45a3d5a12e113265bbd1f71f4701

SHA512
1fa98cef40ab1c71f6c6a811127efdfac3236057dafb1a5f3d139cbb12cc9d4fd7724d60ea8acc22d5dd2b54d5b22be07ec58ebd50460146a1182750ed8910b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1005B

MD5
1eaebe04dee5fe80cb574452456f2246

SHA1
f9cb8cd0248a2947b1c925633234fd0e92e6323a

SHA256
8836beee5cc2ecc19621bf68ebc03743a98de973a4037e499b0769ac3767eb9b

SHA512
85aca738853e186d41a9c35190d879e7bb1c71d82abfeea191a6e860421ce618b77f4f1bcfb5803b3e3da1505cac6077bed46b860ecabe990b4e4f03427da092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
54e4b7872472dfb6b2f3b86d2e8fa8f7

SHA1
cb705f010de1c00f61309196e0ec1c5052b94097

SHA256
882a756245bdb4dc445512e99e593fc28652d19c61cd5fe57f88d9cb21440dfe

SHA512
36f7da0a59d4cb1a68056c45e592a410a79b3be346c28b7eba0f7cabb9f5172421259b59f038bad24506b8a8e7322960e7b9700481ba07d1dc4201c6a2d01d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f07f8a2d0614510227795d111fdd62f2

SHA1
2fbd0d16a9fa9f8de1ecae94598422ea01b5c86f

SHA256
65b3d76c376cc1b7d0d3274fe313f76dcebe33fb34778513391d35cc03c2ed8c

SHA512
4e9ac0015368a5a306811855df223cb0172898a704a05c0e6368bdd62605cf5459dfd9258890166a0eb57392fed3db6cbeb53febef97c1e4685bee2791493e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ee439bee65a8022f3c8a6eee2bd6043

SHA1
4cef94c9ee2a20b16dc48461a6775dc35c7bb23d

SHA256
4a22fbd960f25db983ed31927f3f702c927a032219af2c7d1f756e4f45fbe1bf

SHA512
000382564c5e8bc729e85925dce36f6464f3ea51f3d23022a74e2e62f69737f730174bb48f3c63ba6382feee319039f816e2b50be961e41a1ea73c23fd5edaba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef4e01c614f6a0c0797601bbc4d65061

SHA1
a6695aba2905238e87c279921b9f85a1930bdabb

SHA256
175119754311c51fbaa774deafe3f7b898716fbec20ee8fdcbb04efdb03157ae

SHA512
72ba668786909df7cd7afd33f74bc16d0f923c30aaf476491fc0e492d8c820ccd4abd56d5dc148f6f5111f061288b33ddc19c0284ddca47b0ef792508277f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
34ecd8e2cd032e5aab5055056aa5bd29

SHA1
5ced1ff0f525f787ce1115865e93de242a0543d4

SHA256
fe87db74472280e8992ee54aa2b529a7a1a15494de363a1747d90dff0e4355a5

SHA512
969a160d46efe978c01aff4e175d279097f3e52f59a7a9c194705e6f040c6aebe9231c7fa6ae9389f97ee0947b826bdef374bd56b0477de58d3218f3e3c41529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6649ce18e0a544959e918f1664880355

SHA1
f865af864c7161ab50c14fe5d6ea6205baf5cbb8

SHA256
3cd1c4c887c2eecb8ec8fed4112a38e529a9b7dfbc90c8458ac85fbcd0de2a90

SHA512
74ff905c0f3a025fcb02d56d9f41ba8cd1ab2e1c3084306097e345ff3dfc03d9827879849b097e30fec0011a86f2b70db2714aba96ab0a717b59dabae4187f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d8e2297c2d2a19e55aee6b22d2d98b8

SHA1
4bf67634d7dc3cdf3e944eab43445fc6122a65f2

SHA256
6452f5469396a400f5f32a40bee2ca00b05b6b4123417c6766fec1688431422b

SHA512
253bc1bb14bf89a4e4da7661326e65adab6b2d424033d47f8e6ae323f95a5e713e42c1cf285fc617cd639c1437e40ce2f54545ddc22817f126c058c0da7e2e62

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_3772_JBZKIBOHRNKDJAVZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads