782e849a5a94ae4c8c93d6447dfaa0d36d596bc2727015a6f44044033581f385

Analysis

max time kernel
719s
max time network
713s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2023, 06:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

curl-8.4.0_6-win64-mingw/docs/INSTALL.vbs
Size

24KB
MD5

802994b0d7b7eb3d67a82c9d839fd692
SHA1

b4246cbdb6861e2adf02c4fc8d51cc9f849ee3d3
SHA256

d8261f283471d59c70f25d94970005529543ebaa5976ac440bc5a967a69038a7
SHA512

98582cad269c51f0d5ef296a7190d1e2af539316f0cffbec231ab9cfba52dd7799a02082805e882c6e88ba5e41a7c7ce97347eadb12ecae4ba9dff550fa16b02
SSDEEP

768:OWSWUW4Rz+FGWf4EirdaLWBcW9cWGcWU0XMf/iy1d:OWSWUWO+FwqWOWyWHWA/iy1d

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
5036	MEMZ.exe
1860	MEMZ.exe
1240	MEMZ.exe
4480	MEMZ.exe
2360	MEMZ.exe
660	MEMZ.exe
3928	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1873812795-1433807462-1429862679-1000\{0F446E42-0480-44B5-9CB9-5F24CABBCD55}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 740057.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1552	msedge.exe
1552	msedge.exe
4968	msedge.exe
4968	msedge.exe
4376	identity_helper.exe
4376	identity_helper.exe
1556	msedge.exe
1556	msedge.exe
4128	msedge.exe
4128	msedge.exe
1240	MEMZ.exe
1240	MEMZ.exe
1860	MEMZ.exe
1860	MEMZ.exe
1860	MEMZ.exe
1860	MEMZ.exe
1240	MEMZ.exe
1240	MEMZ.exe
4480	MEMZ.exe
4480	MEMZ.exe
2360	MEMZ.exe
2360	MEMZ.exe
1240	MEMZ.exe
1240	MEMZ.exe
660	MEMZ.exe
660	MEMZ.exe
2360	MEMZ.exe
2360	MEMZ.exe
4480	MEMZ.exe
4480	MEMZ.exe
1860	MEMZ.exe
1860	MEMZ.exe
660	MEMZ.exe
660	MEMZ.exe
1240	MEMZ.exe
1240	MEMZ.exe
1240	MEMZ.exe
660	MEMZ.exe
1240	MEMZ.exe
660	MEMZ.exe
1860	MEMZ.exe
1860	MEMZ.exe
2360	MEMZ.exe
2360	MEMZ.exe
4480	MEMZ.exe
4480	MEMZ.exe
4480	MEMZ.exe
4480	MEMZ.exe
2360	MEMZ.exe
2360	MEMZ.exe
1860	MEMZ.exe
1860	MEMZ.exe
1240	MEMZ.exe
1240	MEMZ.exe
660	MEMZ.exe
660	MEMZ.exe
660	MEMZ.exe
660	MEMZ.exe
1240	MEMZ.exe
1240	MEMZ.exe
2360	MEMZ.exe
2360	MEMZ.exe
1860	MEMZ.exe
1860	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4192	4968	msedge.exe	112
PID 4968 wrote to memory of 4192	4968	msedge.exe	112
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 3792	4968	msedge.exe	113
PID 4968 wrote to memory of 1552	4968	msedge.exe	114
PID 4968 wrote to memory of 1552	4968	msedge.exe	114
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115
PID 4968 wrote to memory of 2996	4968	msedge.exe	115

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\curl-8.4.0_6-win64-mingw\docs\INSTALL.vbs"
1⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdfec546f8,0x7ffdfec54708,0x7ffdfec54718
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2348 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3760 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3708 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2260,10620073127082508050,2287812814972573459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5036
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1860
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1240
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4480
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2360
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:660
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3928
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4e026ba5-249d-45df-a78f-a9d83b60926f.tmp

Filesize
5KB

MD5
cd9a3aa4a94a6eb1c03074221fd15a24

SHA1
3cd67673ba44f2f0107c6c6b9882549bf5ae20dd

SHA256
4705a4512142c53417dd5b2fdd4b0836355371141cca72b1c77320cc9eafa14c

SHA512
e974283a3c38352302ae880af7434849a3fb2a24f4b098ea21f7d6f5af1caa6d500fb275a0694bc099364e14727a5981cf36bde6c1cda560b15c452c026d0e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c6b9115ac02e4176b0d6535dd898bed2

SHA1
ead646a59b610fd76b65f2471f9b64d2977ccc99

SHA256
2d94e458bfbca28a2019c1e324bdc71fa82cc7ad4a88c9509b9667234a2aa991

SHA512
bdee8751e796e0ec41265d319e149bf1a16a6758e483da423761a26235d25ffeb7e4797178e68d9c306ce205f51855542debf7bb2244869f64c91b362331f963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
865B

MD5
f9d31bd10b71e04c048c40771f1f9db3

SHA1
7a2136386a344e2e959a571a141f52b8c1da96d3

SHA256
042f9c1c28b6e85ae3f7197594785bc54e1684b545415e47991b2f5553d7f884

SHA512
8f7a25abae34939caec0e27cf4fae8a9aa0b61b2bbe3a9068a5b43c60398e60e3a881f63e74535885c71bdfea2d2b1d7dc486feccbe972adc294c0de692a03bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2ca046dc3eefb14a280c669affe60496

SHA1
a99b524ffce2dcc9aee26905b83538a916efeffe

SHA256
a533c0c6f6984169c05fc4f8f8d71f80ceb6b461d8e33abcefc9ee13d170958a

SHA512
9bdfe8fd44eda5f9a9ff23be721fde161cb8032cbe4f184462c3cdb6e9b8d0359c87ffd409d3415e7da67ac92f675e97c38d98b34f13b40c681c89aee17cd215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c6f6144ab8a3ee96fcb2c47fbe974e3

SHA1
0420bae3994027a7606e19708f7427e3a78e4340

SHA256
882e5976b7901ae133ffa57417d4cd1809236823e01bf4419efebd9056e926d5

SHA512
12d8e14e88482ad5be5df79cf6a1f45dd3b01688dcf79ef737da9556368f778ae9eaf6f4bd5d77969458d6c3353f42f8e6a953244d6ab4a5fe21c0acd1b81760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4563c31b5ce44acef7ddc799e858a337

SHA1
6698115a9927788375038693f9fd41d8ef73aa02

SHA256
d93a3eec37891899e0e0aa7ee207d436b7a281d9e620944c3e1c1121fdc3c863

SHA512
de3919544cf55d0baccbfe792d6127035c6878012c3b45bc9f11a84c86eaa8cde2065b9a03985838fa61c0146bbab84df203283e8af9392d208bf32f5d0092ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2d74ab14443f8c4f56a92d9af75f0dca

SHA1
2a71eee6b56fb35cb4839dd44343041e2ddf10b0

SHA256
a4f6c6e8ab7c2aaca1d9b897cee82eefe41941740a1d6f72bcaebf5d1afe8d8e

SHA512
38492b206eb082d128efd6cb249d7cbe2c03d14f8dd6e95eb498151e24e89b2542e3eef892654d4ddfbf6f8ed4962cbb218f966d68d3efe980d9392a626a935f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
221af35326bda9c0217d5c1666c5775b

SHA1
18060a2854968cbf329aee978b8494db61065a9c

SHA256
c4d514a3e09e89e445f070a730c1fbd973fc4149a8274471583c6ad1e95b594c

SHA512
72266b0361b97e8cdf695b4508ebf82b4a1b816de390e43029dac17b253694820eca11492d2b61ea847febbc4e5101c1a952f7aa0083fa68bac36bae0b3a7974

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit