2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

17-01-2025 20:14

250117-yz7h3s1qfw 10

17-01-2025 20:12

17-01-2025 17:25

17-01-2025 17:21

17-01-2025 14:16

17-01-2025 14:12

16-01-2025 12:52

16-01-2025 12:50

Analysis

max time kernel
98s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 14:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Malware-1-master/getr3kt.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
1916	MEMZ.exe
4312	MEMZ.exe
1932	MEMZ.exe
2660	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
4100	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4312	MEMZ.exe
4312	MEMZ.exe
4312	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
4312	MEMZ.exe
1932	MEMZ.exe
1932	MEMZ.exe
1932	MEMZ.exe
4312	MEMZ.exe
1932	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
4312	MEMZ.exe
1932	MEMZ.exe
1932	MEMZ.exe
4068	MEMZ.exe
4068	MEMZ.exe
1932	MEMZ.exe
1932	MEMZ.exe
4312	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe
960	MEMZ.exe
960	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
1932	MEMZ.exe
4312	MEMZ.exe
1932	MEMZ.exe
4068	MEMZ.exe
4068	MEMZ.exe
1932	MEMZ.exe
1932	MEMZ.exe
4312	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe
960	MEMZ.exe
960	MEMZ.exe
960	MEMZ.exe
2660	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
4312	MEMZ.exe
1932	MEMZ.exe
1932	MEMZ.exe
4068	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
960	MEMZ.exe
1932	MEMZ.exe
1932	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4868	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	taskmgr.exe
Token: SeSystemProfilePrivilege	4868	taskmgr.exe
Token: SeCreateGlobalPrivilege	4868	taskmgr.exe
Token: SeShutdownPrivilege	4068	MEMZ.exe
Token: SeShutdownPrivilege	960	MEMZ.exe
Token: SeShutdownPrivilege	2660	MEMZ.exe
Token: SeShutdownPrivilege	4312	MEMZ.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe
4868	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4100	MEMZ.exe
2660	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
4312	MEMZ.exe
4068	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe
4068	MEMZ.exe
4312	MEMZ.exe
4068	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe
4312	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
960	MEMZ.exe
4068	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
960	MEMZ.exe
4068	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
960	MEMZ.exe
4068	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe
4068	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
2660	MEMZ.exe
4312	MEMZ.exe
4068	MEMZ.exe
960	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
4068	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe
4312	MEMZ.exe
4312	MEMZ.exe
2660	MEMZ.exe
960	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1132	3028	cmd.exe	83
PID 3028 wrote to memory of 1132	3028	cmd.exe	83
PID 3028 wrote to memory of 1916	3028	cmd.exe	84
PID 3028 wrote to memory of 1916	3028	cmd.exe	84
PID 3028 wrote to memory of 1916	3028	cmd.exe	84
PID 1916 wrote to memory of 4312	1916	MEMZ.exe	98
PID 1916 wrote to memory of 4312	1916	MEMZ.exe	98
PID 1916 wrote to memory of 4312	1916	MEMZ.exe	98
PID 1916 wrote to memory of 1932	1916	MEMZ.exe	99
PID 1916 wrote to memory of 1932	1916	MEMZ.exe	99
PID 1916 wrote to memory of 1932	1916	MEMZ.exe	99
PID 1916 wrote to memory of 2660	1916	MEMZ.exe	100
PID 1916 wrote to memory of 2660	1916	MEMZ.exe	100
PID 1916 wrote to memory of 2660	1916	MEMZ.exe	100
PID 1916 wrote to memory of 4068	1916	MEMZ.exe	101
PID 1916 wrote to memory of 4068	1916	MEMZ.exe	101
PID 1916 wrote to memory of 4068	1916	MEMZ.exe	101
PID 1916 wrote to memory of 960	1916	MEMZ.exe	102
PID 1916 wrote to memory of 960	1916	MEMZ.exe	102
PID 1916 wrote to memory of 960	1916	MEMZ.exe	102
PID 1916 wrote to memory of 4100	1916	MEMZ.exe	103
PID 1916 wrote to memory of 4100	1916	MEMZ.exe	103
PID 1916 wrote to memory of 4100	1916	MEMZ.exe	103
PID 4100 wrote to memory of 3812	4100	MEMZ.exe	106
PID 4100 wrote to memory of 3812	4100	MEMZ.exe	106
PID 4100 wrote to memory of 3812	4100	MEMZ.exe	106
PID 4100 wrote to memory of 2496	4100	MEMZ.exe	110
PID 4100 wrote to memory of 2496	4100	MEMZ.exe	110
PID 2496 wrote to memory of 1220	2496	msedge.exe	111
PID 2496 wrote to memory of 1220	2496	msedge.exe	111
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112
PID 2496 wrote to memory of 2500	2496	msedge.exe	112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\getr3kt.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  PID:1132
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4312
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1932
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4068
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:960
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:3812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb7fea46f8,0x7ffb7fea4708,0x7ffb7fea4718
        5⤵
        
        PID:1220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        5⤵
        
        PID:2500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        5⤵
        
        PID:2268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        5⤵
        
        PID:1468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        5⤵
        
        PID:4604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:2748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
        5⤵
        
        PID:5016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
        5⤵
        
        PID:3636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
        5⤵
        
        PID:2848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        5⤵
        
        PID:2772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
        5⤵
        
        PID:3064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
        5⤵
        
        PID:4072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
        5⤵
        
        PID:696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
        5⤵
        
        PID:2392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6451470719575919449,11313599152937415180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
        5⤵
        
        PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=half+life+3+release+date
      4⤵
      PID:2848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb7fea46f8,0x7ffb7fea4708,0x7ffb7fea4718
        5⤵
        
        PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3164

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
144B

MD5
fe410a62307809c05b4a2e15207bd920

SHA1
c4ff255eac8b184083b73a072a57e07d6dad0f75

SHA256
b19ede9d386f2b15355fb582555703cb1301a41d95fd4a04d169c1c6df2b72ab

SHA512
17c1123f6c059d2463756de6f9bd771b59d43598d6c4be9074e0258e1212d4fb54b46b7a599ed5d887942c8586a036b723a0e0b8c39ba8a62b47c7ea36629cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f23c78497bb11ed96d53d02c24412bff

SHA1
0d822e89f0580d75e97c86336b343b0bc79e4565

SHA256
bffe1ae9d9ab25598f686e09b9b0cbc1101eec827fba0e17b101e1a7e513fbc8

SHA512
a9c97f392985f9fda36b706d4e9aec365cd6034b8b20b35601a893b32318223e9810829b15940bf2faed8701aae791896a62be3083d357431ff5f789c476d6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02776cfcd05c478239b0cfe3a6a5efed

SHA1
abda8ccde2cd5fbcd834abdf9bc343132155f952

SHA256
b2f8ce875708e13df09df8b353b112c4ed14bb48618d43ac699936d2cd786a33

SHA512
757cf892106abce06eb55c0ec103d099f2b1d30988bf22d7dc2cc388857821b2363f4d0691cdbe980ca955f25c5addded581403106eb4f1df91276a8a84f5bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a4cd12463ddc3770566f48c6de1eccf

SHA1
11965356a65a0c76b78ea7e582b714be77d69d3d

SHA256
67175026f7d8e365ca12a1019dd09ff9a343380b4b892cb7d9a90f76097469db

SHA512
17b98be1bff184ac682a3e8cb171bc79ee8eb6d7623c55dde7730ed0db0030554c92e86e90907186178e28b2d69a338b6c438644412ea369c7ee32a78f578df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5a24c5406fc562cf81cfcfb05b49db3

SHA1
ae3f6e1bb4b85d39bc6ed65885062d3d9d98011c

SHA256
b5de22ca58e6729730049200968cc88eca5b0b3e86f158b7ac99719e181742a4

SHA512
0fe45b884eccfb6956516332c75ccb826b0ce1513f00922d6b550dae5d52408f9e8c49fa93f13f0e07b4080916db049a8f96df9e565b321cfe7500968427ea1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c29b0f444eefc3dc7d8c8182302f9f3e

SHA1
e46439ff795849b84deef998941f2c5ed5befaf2

SHA256
f0c931f0b83499476af79b0cde97f3ba8aa5f29b64fba266e33622be0f4f7cdc

SHA512
7a46ae364bf73d8a8a0f189fb16cdbdc7e58b15106806642892cd1e8502a2e08d78e2e0dac8e9130ef1ab9dd284c0a654cb1d0e7f7acf8a6935b2aefbfb91e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/4868-305-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-306-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-317-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-316-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-315-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-314-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-313-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-312-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-311-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download
memory/4868-307-0x0000023B12010000-0x0000023B12011000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads