LunaGrabber | 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

10^/10

LunaGrabber redtiger bootkit discovery luna persistence stealer

Malware Config

Signatures

Detects RedTiger Stealer 49 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023cd6-23.dat	redtigerv122
behavioral2/files/0x0007000000023cd6-23.dat	redtigerv22
behavioral2/files/0x0007000000023cd6-23.dat	redtiger_stealer_detection
behavioral2/files/0x0007000000023cd6-23.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0007000000023cd6-23.dat	staticSred
behavioral2/files/0x0007000000023cd6-23.dat	staticred
behavioral2/files/0x0007000000023cd6-23.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0007000000023cdb-37.dat	redtigerv122
behavioral2/files/0x0007000000023cdb-37.dat	redtigerv22
behavioral2/files/0x0007000000023cdb-37.dat	redtiger_stealer_detection
behavioral2/files/0x0007000000023cdb-37.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0007000000023cdb-37.dat	staticSred
behavioral2/files/0x0007000000023cdb-37.dat	staticred
behavioral2/files/0x0007000000023cdb-37.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0008000000023cfe-58.dat	redtigerv122
behavioral2/files/0x0008000000023cfe-58.dat	redtigerv22
behavioral2/files/0x0008000000023cfe-58.dat	redtiger_stealer_detection
behavioral2/files/0x0008000000023cfe-58.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0008000000023cfe-58.dat	staticSred
behavioral2/files/0x0008000000023cfe-58.dat	staticred
behavioral2/files/0x0008000000023cfe-58.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0009000000023c65-66.dat	redtigerv122
behavioral2/files/0x0009000000023c65-66.dat	redtigerv22
behavioral2/files/0x0009000000023c65-66.dat	redtiger_stealer_detection
behavioral2/files/0x0009000000023c65-66.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0009000000023c65-66.dat	staticSred
behavioral2/files/0x0009000000023c65-66.dat	staticred
behavioral2/files/0x0009000000023c65-66.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0008000000023c71-104.dat	redtigerv122
behavioral2/files/0x0008000000023c71-104.dat	redtigerv22
behavioral2/files/0x0008000000023c71-104.dat	redtiger_stealer_detection
behavioral2/files/0x0008000000023c71-104.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0008000000023c71-104.dat	staticSred
behavioral2/files/0x0008000000023c71-104.dat	staticred
behavioral2/files/0x0008000000023c71-104.dat	redtiger_stealer_detection_v1
behavioral2/files/0x000400000001da4c-161.dat	redtigerv122
behavioral2/files/0x000400000001da4c-161.dat	redtigerv22
behavioral2/files/0x000400000001da4c-161.dat	redtiger_stealer_detection
behavioral2/files/0x000400000001da4c-161.dat	redtiger_stealer_detection_v2
behavioral2/files/0x000400000001da4c-161.dat	staticSred
behavioral2/files/0x000400000001da4c-161.dat	staticred
behavioral2/files/0x000400000001da4c-161.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0003000000000713-206.dat	redtigerv122
behavioral2/files/0x0003000000000713-206.dat	redtigerv22
behavioral2/files/0x0003000000000713-206.dat	redtiger_stealer_detection
behavioral2/files/0x0003000000000713-206.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0003000000000713-206.dat	staticSred
behavioral2/files/0x0003000000000713-206.dat	staticred
behavioral2/files/0x0003000000000713-206.dat	redtiger_stealer_detection_v1

Lunagrabber family
LunaGrabber

Matches Luna Grabber Rule For Entry 5 IoCs

Detects behavior indicative of Luna Grabber malware

stealer luna

resource	yara_rule
behavioral2/files/0x0007000000023cd6-23.dat	LunaGrabber
behavioral2/files/0x0009000000023c65-66.dat	LunaGrabber
behavioral2/files/0x0008000000023c71-104.dat	LunaGrabber
behavioral2/files/0x000400000001da4c-161.dat	LunaGrabber
behavioral2/files/0x0003000000000713-206.dat	LunaGrabber

Redtiger family
redtiger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	MEMZ.exe
2380	MEMZ.exe
2380	MEMZ.exe
2380	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
2716	MEMZ.exe
2380	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
2716	MEMZ.exe
2380	MEMZ.exe
3880	MEMZ.exe
3880	MEMZ.exe
3880	MEMZ.exe
4572	MEMZ.exe
3880	MEMZ.exe
4572	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
1984	MEMZ.exe
1984	MEMZ.exe
2716	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
2380	MEMZ.exe
4572	MEMZ.exe
3880	MEMZ.exe
4572	MEMZ.exe
3880	MEMZ.exe
3880	MEMZ.exe
3880	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
2380	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
2716	MEMZ.exe
1984	MEMZ.exe
1984	MEMZ.exe
2716	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
2380	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
3880	MEMZ.exe
3880	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
2380	MEMZ.exe
2716	MEMZ.exe
1984	MEMZ.exe
1984	MEMZ.exe
4572	MEMZ.exe
3880	MEMZ.exe
3880	MEMZ.exe
4572	MEMZ.exe
1984	MEMZ.exe
2716	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1648	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1648	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2380	2180	MEMZ.exe	95
PID 2180 wrote to memory of 2380	2180	MEMZ.exe	95
PID 2180 wrote to memory of 2380	2180	MEMZ.exe	95
PID 2180 wrote to memory of 2716	2180	MEMZ.exe	96
PID 2180 wrote to memory of 2716	2180	MEMZ.exe	96
PID 2180 wrote to memory of 2716	2180	MEMZ.exe	96
PID 2180 wrote to memory of 3880	2180	MEMZ.exe	97
PID 2180 wrote to memory of 3880	2180	MEMZ.exe	97
PID 2180 wrote to memory of 3880	2180	MEMZ.exe	97
PID 2180 wrote to memory of 1984	2180	MEMZ.exe	98
PID 2180 wrote to memory of 1984	2180	MEMZ.exe	98
PID 2180 wrote to memory of 1984	2180	MEMZ.exe	98
PID 2180 wrote to memory of 4572	2180	MEMZ.exe	99
PID 2180 wrote to memory of 4572	2180	MEMZ.exe	99
PID 2180 wrote to memory of 4572	2180	MEMZ.exe	99
PID 2180 wrote to memory of 1764	2180	MEMZ.exe	100
PID 2180 wrote to memory of 1764	2180	MEMZ.exe	100
PID 2180 wrote to memory of 1764	2180	MEMZ.exe	100
PID 1764 wrote to memory of 4164	1764	MEMZ.exe	103
PID 1764 wrote to memory of 4164	1764	MEMZ.exe	103
PID 1764 wrote to memory of 4164	1764	MEMZ.exe	103
PID 1764 wrote to memory of 3352	1764	MEMZ.exe	107
PID 1764 wrote to memory of 3352	1764	MEMZ.exe	107
PID 3352 wrote to memory of 1956	3352	msedge.exe	108
PID 3352 wrote to memory of 1956	3352	msedge.exe	108
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109
PID 3352 wrote to memory of 1448	3352	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa12c446f8,0x7ffa12c44708,0x7ffa12c44718
      4⤵
      PID:1956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:3892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      PID:1464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:3488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:3516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
      4⤵
      PID:3504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
      4⤵
      PID:1004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      4⤵
      PID:1236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
      4⤵
      PID:456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
      4⤵
      PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
      4⤵
      PID:2428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      4⤵
      PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      4⤵
      PID:4912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
      4⤵
      PID:1236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
      4⤵
      PID:2400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
      4⤵
      PID:4848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
      4⤵
      PID:2132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
      4⤵
      PID:4324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8900911160325195308,8468208156337913482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
      4⤵
      PID:4596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz
    3⤵
    PID:2156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa12c446f8,0x7ffa12c44708,0x7ffa12c44718
      4⤵
      PID:1848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
    3⤵
    PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa12c446f8,0x7ffa12c44708,0x7ffa12c44718
      4⤵
      PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
    3⤵
    PID:3876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa12c446f8,0x7ffa12c44708,0x7ffa12c44718
      4⤵
      PID:2428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
    3⤵
    PID:4988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa12c446f8,0x7ffa12c44708,0x7ffa12c44718
      4⤵
      PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8d4b8b713ab23a295223a83575364577

SHA1
86e2531af6b09611b617d024cd11509112f1d853

SHA256
56d521c47e649b1b70d69e881665db624ef50e5bfd0fc38ede438c506dffc367

SHA512
9ce3ecc0c1f173b3a636c431aba39473980e194ca95d8c1df9c776c4d208af5fad1b787ef9189de4f446aa69ea2d3e2650b92cc3ce49308af2e909620b08bc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
885ab43b5448bc76b000116426953921

SHA1
2cd52f31311920f25a06011babfe48e962ee2939

SHA256
366a2e1879d0d87d3ad1879ab78a82f6c06a20b564d2187f8926f0a4df940d30

SHA512
768c9b7293f5e38edb486e6ff7fdd23115f1bcebcd2c6739f20e9055a60f4f3800640e77856f157ff9bae0459e24d258249f3f8460a62310d5ff031f45d99aa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
c11f049188293413bd9b9f520c34e680

SHA1
57ccf8f27b1efe38b1a29d4eb98bae7595b8c090

SHA256
801d74d50e41dbe96689dace2212b407843ce4a017e59d17eb3e21190a6fbec5

SHA512
89c07b0c3a194af0c7b45be439b4864ae7270b3348f4295cbec88fc0f20c58a59029c0a5f04b88e2004e6dafd34049edca9fab8483db03a6560a3ec067aee224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
9c4d4513be860ab4768c9eb25ca473db

SHA1
fd4bb4c7683a1db1733618b1095a93081131ca83

SHA256
672b4b378622e826fb62649ae8cb6c7ae9d4564fa279a9f4920c5629122f13b9

SHA512
08109df50ab0626a13ca8640a1a6b6b5a337fc8511a8cd24c5caed97d81045e154828d72c5ba9ffafaae456f1c26743488b5921226e44b32bc7878fabe2f3f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
784B

MD5
ba747b00ae2317fadc9fd5b021804d87

SHA1
9f28dad566049a51a92b7418ad9d01fd9d8a2bd1

SHA256
24f8e834ad51dfeb859d43dc6010edafec5ba9b647e8cc87a860fa95bd34bcf7

SHA512
9b8e3f248a168d3df15ec8b095c2e2afe24de9a6765b7c9b8a17b88d28fcd2849249fa5059507ffaa9bbc3e23aa19c1811cc29afb5123f9949c903eb778eea5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a12d3357c54517043ce6fc242eb8e58

SHA1
fe91d45629a0eed723c7d14c13f557d56263913b

SHA256
38e42384bfeb55555e883661df470246e1e8b0efa028085d018c3eb2bc05aa45

SHA512
8583b65f966ce5fae1eb0997d7916d4109e027d26b65b912df6bf39c986e6744d916abc2981cbd21d2da0f710ea7bec19df0b03580679392ab9dc6a87f295a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8ac37318974f02df9f4752e8b17a270

SHA1
ca1a5ec0dd9220d2032131cbe74ec867bc3b9690

SHA256
9283e54081f69fb2bbfd4ba8296affabec424486fc3d5aade935a18aaec8f982

SHA512
d9b2c8cb9506b563ea70699f0f479208f398723a815650fa43ab703af3d8abe8eb2e6b1640be34b92a37b0da415276667f8d9b9fb88ce473726bc4e8a0194f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
98b31405c4dfcbf00a92bf8bbdee333a

SHA1
81d86c2d3da131bf96f8cf7bafeeff4d3fb2ee08

SHA256
ac6f9e76f4d0abd20ccb41e49ddf135e34569366067f1e5160ad69d10d94cb18

SHA512
71e670c83b7818c2ef810aa9e70a7c4122a8d8c5324d2153fdd2337def5cf4b026377c120af1ad908218a5c4bcbc5cf7615b0e5c8e7fec6a2da52c6a7d3e32c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20c8cd0672697a5f25f626231f1daa1c

SHA1
944917832571cbcec20cd6531e9be9d55f81d0bd

SHA256
881e538a20677ba8492d8e60ffb02630075c9a2af59634e59248b3efc7913658

SHA512
4b22a33622a0203969bd9f8982dccd20e667ee7c4c29e5c867ccd0f25360ac9b6d3b77a76f06c835ab7ee092d73eeb19bd7e4f941764f36282c21854161f74fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25c0925e3afb6d24a72c74baa24303e2

SHA1
37a762208067f345f9bf9f58a867fd0fa0f8c4e7

SHA256
4a3981b8942ce04fed97ce665a628287d603e68606e0d3a8a23fd7966cb1e390

SHA512
6af52ee5642836a6b78ee1e7e1d813c1068f783e8dc3d0228694f97daa4fda445291ceb0e954362d4061714fa64a10a43d1733c0b6256d30b3f03219af25b496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c5dd1c44cd6d441b8c5ed4be7e20c0f

SHA1
11446c2bed08ed72aa42835da0cdf7d2afc10ab4

SHA256
4a9e1e3de760c8ce5717dda8ffd9cdcd495595e9767d001e3076e239f3744b34

SHA512
22e201054400c11657afc2aebe4fbbfc1975b3350e106c0a7bab1a86ef5e749320408408eaa87478e71436310b2f5d05d183951ae0866bcb70f2e22d674685f4

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit