Overview

Tasks (score | sample | platform)
10 | static | -
10 | Malware-1-...30.exe | windows10-ltsc 2021-x64
10 | Malware-1-...40.exe | windows10-ltsc 2021-x64
10 | Malware-1-...32.exe | windows10-ltsc 2021-x64
10 | Malware-1-.../5.exe | windows10-ltsc 2021-x64
10 | Malware-1-...91.exe | windows10-ltsc 2021-x64
10 | Malware-1-...ey.exe | windows10-ltsc 2021-x64
7 | Malware-1-...ad.exe | windows10-ltsc 2021-x64
3 | Malware-1-...ti.exe | windows10-ltsc 2021-x64
5 | Malware-1-...an.bat | windows10-ltsc 2021-x64
7 | Malware-1-...an.exe | windows10-ltsc 2021-x64
7 | Malware-1-...ve.bat | windows10-ltsc 2021-x64
7 | Malware-1-...ve.exe | windows10-ltsc 2021-x64
7 | Malware-1-...ya.exe | windows10-ltsc 2021-x64
- | Malware-1-...re.exe | windows10-ltsc 2021-x64
10 | Malware-1-...ry.exe | windows10-ltsc 2021-x64
10 | Malware-1-...ck.exe | windows10-ltsc 2021-x64
3 | Malware-1-...he.exe | windows10-ltsc 2021-x64
10 | Malware-1-...op.exe | windows10-ltsc 2021-x64
7 | Malware-1-...rb.exe | windows10-ltsc 2021-x64
10 | Malware-1-...ue.exe | windows10-ltsc 2021-x64
1 | Malware-1-...ng.exe | windows10-ltsc 2021-x64
6 | Malware-1-...kt.bat | windows10-ltsc 2021-x64
7 | Malware-1-...o3.exe | windows10-ltsc 2021-x64
10 | Malware-1-...ey.exe | windows10-ltsc 2021-x64
10 | Malware-1-.../m.exe | windows10-ltsc 2021-x64
- | Malware-1-...o3.exe | windows10-ltsc 2021-x64
9 | Malware-1-...32.exe | windows10-ltsc 2021-x64
10 | Malware-1-...nf.exe | windows10-ltsc 2021-x64
10 | Malware-1-.../o.exe | windows10-ltsc 2021-x64
3 | Malware-1-...B8.exe | windows10-ltsc 2021-x64
10 | Malware-1-...ic.exe | windows10-ltsc 2021-x64
3 | Malware-1-...in.exe | windows10-ltsc 2021-x64
Score: 10

Resubmissions (submitted | task ID | score)
13/02/2025, 01:26 | 250213-btppra1pcz | 10
17/01/2025, 20:14 | 250117-yz7h3s1qfw | 10
17/01/2025, 20:12 | 250117-yy9l2sslcr | 10
17/01/2025, 17:25 | 250117-vy9p9sxpez | 10
17/01/2025, 17:21 | 250117-vw8eesyjfp | 10
17/01/2025, 14:16 | 250117-rk9ass1rhk | 10
17/01/2025, 14:12 | 250117-rhv1ds1lds | 10
16/01/2025, 12:52 | 250116-p4et7a1mez | 10

Analysis
Max time kernel: 150s
Max time network: 146s
Platform: windows10-ltsc 2021_x64
Resource: win10ltsc2021-20250113-en
Resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
Submitted: 17/01/2025, 20:14
Behavioral tasks (task | sample | resource)
behavioral1 | Malware-1-master/2530.exe | win10ltsc2021-20250113-en
behavioral2 | Malware-1-master/2887140.exe | win10ltsc2021-20250113-en
behavioral3 | Malware-1-master/32.exe | win10ltsc2021-20250113-en
behavioral4 | Malware-1-master/5.exe | win10ltsc2021-20250113-en
behavioral5 | Malware-1-master/96591.exe | win10ltsc2021-20250113-en
behavioral6 | Malware-1-master/Amadey.exe | win10ltsc2021-20250113-en
behavioral7 | Malware-1-master/Download.exe | win10ltsc2021-20250113-en
behavioral8 | Malware-1-master/Illuminati.exe | win10ltsc2021-20250113-en
behavioral9 | Malware-1-master/MEMZ-Clean.bat | win10ltsc2021-20250113-en
behavioral10 | Malware-1-master/MEMZ-Clean.exe | win10ltsc2021-20250113-en
behavioral11 | Malware-1-master/MEMZ-Destructive.bat | win10ltsc2021-20250113-en
behavioral12 | Malware-1-master/MEMZ-Destructive.exe | win10ltsc2021-20250113-en
behavioral13 | Malware-1-master/Petya.exe | win10ltsc2021-20250113-en
behavioral14 | Malware-1-master/Software.exe | win10ltsc2021-20250113-en
behavioral15 | Malware-1-master/WannaCry.exe | win10ltsc2021-20250113-en
behavioral16 | Malware-1-master/Win32.EvilClusterFuck.exe | win10ltsc2021-20250113-en
behavioral17 | Malware-1-master/apache.exe | win10ltsc2021-20250113-en
behavioral18 | Malware-1-master/butterflyondesktop.exe | win10ltsc2021-20250113-en
behavioral19 | Malware-1-master/crb.exe | win10ltsc2021-20250113-en
behavioral20 | Malware-1-master/eternalblue.exe | win10ltsc2021-20250113-en
behavioral21 | Malware-1-master/fear.png.exe | win10ltsc2021-20250113-en
behavioral22 | Malware-1-master/getr3kt.bat | win10ltsc2021-20250113-en
behavioral23 | Malware-1-master/iimo3.exe | win10ltsc2021-20250113-en
behavioral24 | Malware-1-master/jey.exe | win10ltsc2021-20250113-en
behavioral25 | Malware-1-master/m.exe | win10ltsc2021-20250113-en
behavioral26 | Malware-1-master/mo3.exe | win10ltsc2021-20250113-en
behavioral27 | Malware-1-master/mo332.exe | win10ltsc2021-20250113-en
behavioral28 | Malware-1-master/mysqlconf.exe | win10ltsc2021-20250113-en
behavioral29 | Malware-1-master/o.exe | win10ltsc2021-20250113-en
behavioral30 | Malware-1-master/qOA7iZJcoB8.exe | win10ltsc2021-20250113-en
behavioral31 | Malware-1-master/wintonic.exe | win10ltsc2021-20250113-en
General
Target: Malware-1-master/MEMZ-Clean.exe
Size: 12KB
MD5: 9c642c5b111ee85a6bccffc7af896a51
SHA1: eca8571b994fd40e2018f48c214fab6472a98bab
SHA256: 4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
SHA512: 23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c
SSDEEP: 192:BCMfc/GinpRBueYDw4+kEeN4FRrfMFFp3+f2dvGhT59uay:AMfceinpOeRENYhfOj+eGdKa
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation | MEMZ-Clean.exe

Drops file in Program Files directory (2 IoCs)
  Description | IoC | Process
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250117201724.pma | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6e23f6c9-e02c-4d29-bee9-1c35dc70ae3f.tmp | setup.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ-Clean.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Runs regedit.exe (1 IoC)
  PID | Process
  760 | regedit.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID | Process
  1380 | msedge.exe (listed twice)
  4768 | msedge.exe (listed twice)
  2536 | identity_helper.exe (listed twice)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  PID | Process
  4768 | msedge.exe (all 10 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description | PID | Process
  Token: 33 | 1616 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1616 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID | Process
  4948 | MEMZ-Clean.exe
  4768 | msedge.exe

Suspicious use of SendNotifyMessage (64 IoCs)
  PID | Process
  4948 | MEMZ-Clean.exe (all 64 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID | Process
  4948 | MEMZ-Clean.exe (all 3 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Description | PID | Process | procid_target
  PID 4948 wrote to memory of 2128 | 4948 | MEMZ-Clean.exe | 83 (listed 3 times)
  PID 4948 wrote to memory of 4768 | 4948 | MEMZ-Clean.exe | 86 (listed twice)
  PID 4768 wrote to memory of 4336 | 4768 | msedge.exe | 87 (listed twice)
  PID 4768 wrote to memory of 4732 | 4768 | msedge.exe | 88 (repeated entries)
  PID 4768 wrote to memory of 1380 | 4768 | msedge.exe | 89 (listed twice)
  PID 4768 wrote to memory of 400 | 4768 | msedge.exe | 90 (repeated entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Clean.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Clean.exe"
  PID: 4948
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
    PID: 2128
    Signatures: System Location Discovery: System Language Discovery

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
    PID: 4768
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb2c7e46f8,0x7ffb2c7e4708,0x7ffb2c7e4718
      PID: 4336

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      PID: 4732

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      PID: 1380
      Signatures: Suspicious behavior: EnumeratesProcesses

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
      PID: 400

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      PID: 3640

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      PID: 2692

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      PID: 1460

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
      PID: 1108

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
      PID: 3620

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      PID: 4760
      Signatures: Drops file in Program Files directory

      Level 4: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x26c,0x270,0x274,0x244,0x278,0x7ff661145460,0x7ff661145470,0x7ff661145480
        PID: 4680

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
      PID: 2536
      Signatures: Suspicious behavior: EnumeratesProcesses

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
      PID: 4692

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
      PID: 2664

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
      PID: 3408

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
      PID: 4508

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
      PID: 2068

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10353969941883384035,12571179666247200910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
      PID: 4716

  Level 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
    PID: 4256

    Level 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb2c7e46f8,0x7ffb2c7e4708,0x7ffb2c7e4718
      PID: 1852

  Level 2: C:\Windows\SysWOW64\regedit.exe
    Command line: "C:\Windows\System32\regedit.exe"
    PID: 760
    Signatures: System Location Discovery: System Language Discovery; Runs regedit.exe

Level 1: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x520 0x504
  PID: 1616
  Signatures: Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2492

Level 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3116
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 5c6e737e2bdd88e612b154988c766840
SHA1: 8f958e9b305298bb9885906729268badd6fc6e7b
SHA256: 436526d1765c814e2e83859bab221115960840c3d4148397b50f33b1303312e2
SHA512: cb2c27b62726cf0b51ce1fd2449ae5160ae533d61af1014e4e829b24fd7e04c578f5c7c14535bfcd2d6302c120c2eb3ab1f5a4547fc31c86256a39bd8b4135b0

Filesize: 152B
MD5: 254fc2a9d1a15f391d493bff79f66f08
SHA1: 6165d5a9de512bb33a82d99d141a2562aa1aabfb
SHA256: 2bf9282b87bdef746d298cff0734b9a82cd9c24656cb167b24a84c30fb6a1fd0
SHA512: 484a1c99ee3c3d1ebf0af5ec9e73c9a2ca3cf8918f0ba2a4b543b75fa587ec6b432866b74bcd6b5cdd9372532c882da438d44653bd5bccdbc94ebc27852ff9e2

Filesize: 152B
MD5: 5408de1548eb3231accfb9f086f2b9db
SHA1: f2d8c7e9f3e26cd49ee0a7a4fecd70b2bf2b7e8a
SHA256: 3052d0885e0ef0d71562958b851db519cfed36fd8e667b57a65374ee1a13a670
SHA512: 783254d067de3ac40df618665be7f76a6a8acb7e63b875bffc3c0c73b68d138c8a98c437e6267a1eb33f04be976a14b081a528598b1e517cdd9ad2293501acc8

Filesize: 41KB
MD5: 3bc2b6052ff1b9feff010ae9d919c002
SHA1: dd7da7b896641e71dca655640357522f8112c078
SHA256: 483a3494759a05772019e091d3d8e5dc429d098c30007d430639926c3ffa16e5
SHA512: 0b1632b73fd87e8e634922b730f83b7950e9a39697a46a3429f0bebb3f1ebd14c815a4651ee8f663a437d00ecbeb6ddaa47b2fcad719777edf1b1de8a7cad0f1

Filesize: 215KB
MD5: d474ec7f8d58a66420b6daa0893a4874
SHA1: 4314642571493ba983748556d0e76ec6704da211
SHA256: 553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69
SHA512: 344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

File: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 168B
MD5: 93681ce2c21fa744460027c76c129e95
SHA1: f6ad698c5b05aa3c8d7f9dde392315519f811f51
SHA256: 53c0a45912e5ac2f64b519272c1d417fe70d899af144abf043a11de4ba1f12eb
SHA512: 7e30f8888843ea2310c1a8f85709e276146e339e1b2860f12b5332fcb5f6f6cab649a75039b9db098ba51fd60d95b66686f3c83b3cf1cdaa45bebfb4d45e4d9e

File: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 48B
MD5: 71dcd6493b1e0ff56e28736fd6bea951
SHA1: 98a67808d8a88bc86fbecb490fdc9a0dd99b68dc
SHA256: b59d31bbee2871f1ab39270238fa3204ccd8adc7c437bd85b54a7cbf3b77d927
SHA512: 3d9442b72b0188a4c3f406e3b385c3c7cfedc69c6cd3591a6ff2ab127831c01ce9c08e020b7d6880d4de983a993c36441ed05edb0962fee2ada1ce56e7628d80

File: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 144B
MD5: 09075f7eb4d5ef9efef36a1426b7c722
SHA1: abc252262ecd166e85e8ec65830068d9500340be
SHA256: 9a6091daab2ab097d2b0d482fa7b916dfd3763429ad99f17906b16d7344166b9
SHA512: cf617595b2bf3f0f62998421292e17da26016f2899fbe2210f886e9cdefbcf18df43393987c5036c815e52a33c543d414827015ae383c295f947cd5e506d7655

Filesize: 70KB
MD5: e5e3377341056643b0494b6842c0b544
SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize: 5KB
MD5: a17a9d7e6c46f85689ca518b1ff82f95
SHA1: 5cdb695640093f4d3d0b96baf9f4c4ae5a56e2a1
SHA256: 947761976111d4529bdec523278262ae44d9ae69b6b4a16ccd281fdf38f2e8d2
SHA512: 920fa966ca6fe7becc18239ef50bfe2d47ffa9f84434d2176482f3c680a1ffc68d17be1b9e2c8d71e0903314993c7e3d363f8d542768ae14c2080018bfef35c0

Filesize: 5KB
MD5: 31730b04d7919a8c99282547a61c2868
SHA1: cf6ad3f2c31797bdf4a5f9c8038e886d1551374d
SHA256: dcd0ed8d0c65fbacc2418b6fbbfad31a9485ddc84bf55618a39eaf56c100ad87
SHA512: e50c6696c574cb1df0279f02bab2749dee12330185ef7f4a19a8c04b775e13e8b81b238d24b9967a412f7dc1d7a87c7a66826696f67a337c136101fbf5a8768b

Filesize: 6KB
MD5: 13c7ecc53573d8995f5b22601545cdd8
SHA1: 96f1ca93a0f9dd724f3265e30988c725acbe8e6c
SHA256: 21ad1b85ca8f0ee36d22babc0b8f4d420d0b1b07c652d0cdb9cbc2c7e32a19f2
SHA512: b88b9b4090c0698fc89e484172bb3bd55885acea57bcdc113e4a0a6b0149c70f519e3be19c7b11a982306b4f99d07bc29af1879b3090891f9389e77bb278728f

Filesize: 6KB
MD5: 9e3f960bc79c52ee993874268313cac9
SHA1: 610b5ec74ff2d2e9d5b1ff5953823098fb3da396
SHA256: 76d17ec3532702f4b5496985c9d79c819c3b81f61c88e7d54072789d132ca131
SHA512: 4970289d909558a06f963c799b0baa42089bc7aa01bf6a904874f1ad489ac6ea624138b7710b27b889b10591897d5b9ab4b34c5724b7565daccb99be40d7b1a8

Filesize: 24KB
MD5: 48febe0b0625901956573dfb2378e7ed
SHA1: c324173a8f8fd7a6a7398f6bb24dd2ee11d3cf24
SHA256: f0fae7ad33efdd05845d0d631ce8341ea4b6dfd4c45be844f0c117738df9c0d0
SHA512: fc38a0c64e67e3b5d43f787fe86f700e6f753d8e90bcebc446d4a8c631b9e4362a74fa862a5b2ffc74f3f5236d3ecf006b341042b5469d1cc24f2c325a607a91

Filesize: 24KB
MD5: bc3a0ca62cfef580ff9ebbb7afc92b9b
SHA1: fde9832ce521fcd53850d0701a543ef75b772e3b
SHA256: b0203fb7c3812937e92ac04ad6065a2129bc165a36a60a4d2fdb0accc4499464
SHA512: fc1f3a5bd2106d9b6ed5a678c2f4978550a0d7414172b0ce6954a835b0da01ac28c177955a48c2ef56ea3d517a6672474a9cab873aeccae3f22a45ccf2d070de

Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 10KB
MD5: 2e2c8186c5d86403a96f4ef210b5b38f
SHA1: fbfcead681dfc8aec4725f7dabc3a7f32ea00e87
SHA256: c8852770ab6df58926b769bad4bf3236b20fd4f6e15f51caa6a151662962149b
SHA512: 6f55260b4d5e80cb756c97061b250b7354ae8c5d27ee87671b738f9e17f8f1e33108188c014a372e69169ee56585d9470d77a3ab3914ad6ada0016bd346aa27a

Filesize: 10KB
MD5: 15030554643b1011f8788f0b81a9b3f1
SHA1: b7d85f096079027f55a2b4077bf8277c75be7dac
SHA256: 2105b07804581f055750bf0d685a6e284165a5a638e858f545047cb88e3ab3c4
SHA512: 5a5b76b0502f21d922820cc5bd9b554d1771a93acf4a7833c91c1beeacb86b016d6fb573d0a1929faf61a77ba5588c8cbf94c8f071b95f38128c3cd91197a35d

Filesize: 8KB
MD5: 92eb7246929068e9eb19e49c49f65a9d
SHA1: 182128a400db81243b9c7f87c33bea9b1a1b1712
SHA256: d4dabf103483a90e998380ccba8c1d37ddee59e833613cecd9a2b0bfb04b68d6
SHA512: 649adef2d017211ce52d7fa84bed4c4a68b411fe3d72ad2af963e4c7cdc5e039b4dd4b460e58581e01f87016c497e33ba49153e2b69f98a2dbeac5acd3ee9e99

Filesize: 10KB
MD5: d07dff1accca665c551e85822bc79a06
SHA1: f1d769de3637e5a9a3cb9baac05f86e421d8031e
SHA256: 167c2be77836d76ba1e6c83975c59b36da7b69b804d2b4c2a711c852226167f3
SHA512: 60347fd83ceb00706425ef47fd95665ff30ee88a40d0ac94b61d4eea5160b5b95ce550fd217f22ccf0e8f4d8e078de4f7539bf42165e8f97ed9b019589048914

File: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: 15df7b0e0024719f4c8eddda37c66661
SHA1: a9fa05f669120b7a8c305d4f04456928873b6952
SHA256: 35fef9f6292645f94d96c575f8fa6af8bcbf5dc9a606f02a6639a0d0b866be17
SHA512: cb3003eddb9f7dfbaac20ba5bda1bf18fdfafd3b0d9c8a0f3cae2fb7a47d1eafb8e8f58f40f8769957ca0755cbe423bda2832478912ca829cc8b84677c60881a

File: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: 8a840be0574794457da9ed7351feac0b
SHA1: 3d0378a4b46da759a64158de0828efa834879170
SHA256: 7a616f693316d196967076438d995eaca62c6fc119cbca3b6ca37da093b34331
SHA512: 7d8bfa7b1404697b92aaea0f495740890c80e9256fabad839ccac392faa168a5ed0b52af67b06a8cb0779ae41e03b049497b4e84836c8804a820981f5076b23a