b4638274d58a3c074f76ea13eed0fcb0b5bf0aaeaf952dcbc75ce33c8558de62

Analysis

max time kernel
118s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
30/12/2023, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

angeleen.exe
Size

3.6MB
MD5

0709bfc8fb705586e97166a1d276f91f
SHA1

b92d6ba6d97a4254b73e3f34b27d9b82eb510dda
SHA256

b4638274d58a3c074f76ea13eed0fcb0b5bf0aaeaf952dcbc75ce33c8558de62
SHA512

8914605e148b080053019dd84ba11b215952ab845dc1eb8cbb9f84027e7d96b8b4054cf2bf112e63f34eda4fc353881dde2decbb4848a0bda90d0e9a51f942e3
SSDEEP

49152:z6Ym6lbDYtwlcX92Fy5xx5M6hm2Oxl29IhbCSvbB6bqMCcDHSakgcYU9F3hZreJY:z6YJlbMwcBgv0Il7Bcrnc532R5Ms

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1504	angeleen.exe
1504	angeleen.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "22"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-334598701-2770630493-3015612279-1000\{7C8EB8F7-10D3-48A2-9C99-927F39FB2576}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe
1504	angeleen.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe
1508	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4148	LogonUI.exe
3864	MEMZ.exe
956	MEMZ.exe
684	MEMZ.exe
2620	MEMZ.exe
4452	MEMZ.exe
684	MEMZ.exe
4452	MEMZ.exe
2620	MEMZ.exe
956	MEMZ.exe
3864	MEMZ.exe
4452	MEMZ.exe
2620	MEMZ.exe
956	MEMZ.exe
684	MEMZ.exe
3864	MEMZ.exe
2620	MEMZ.exe
3864	MEMZ.exe
956	MEMZ.exe
4452	MEMZ.exe
684	MEMZ.exe
956	MEMZ.exe
684	MEMZ.exe
2620	MEMZ.exe
3864	MEMZ.exe
4452	MEMZ.exe
956	MEMZ.exe
3864	MEMZ.exe
2620	MEMZ.exe
684	MEMZ.exe
4452	MEMZ.exe
3864	MEMZ.exe
4452	MEMZ.exe
956	MEMZ.exe
684	MEMZ.exe
2620	MEMZ.exe
3864	MEMZ.exe
956	MEMZ.exe
4452	MEMZ.exe
2620	MEMZ.exe
684	MEMZ.exe
2620	MEMZ.exe
684	MEMZ.exe
956	MEMZ.exe
3864	MEMZ.exe
4452	MEMZ.exe
956	MEMZ.exe
684	MEMZ.exe
4452	MEMZ.exe
2620	MEMZ.exe
3864	MEMZ.exe
4452	MEMZ.exe
3864	MEMZ.exe
956	MEMZ.exe
684	MEMZ.exe
2620	MEMZ.exe
3864	MEMZ.exe
956	MEMZ.exe
4452	MEMZ.exe
2620	MEMZ.exe
684	MEMZ.exe
2620	MEMZ.exe
684	MEMZ.exe
956	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2424	1504	angeleen.exe	78
PID 1504 wrote to memory of 2424	1504	angeleen.exe	78
PID 1504 wrote to memory of 2288	1504	angeleen.exe	79
PID 1504 wrote to memory of 2288	1504	angeleen.exe	79
PID 1508 wrote to memory of 788	1508	msedge.exe	86
PID 1508 wrote to memory of 788	1508	msedge.exe	86
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 948	1508	msedge.exe	87
PID 1508 wrote to memory of 2272	1508	msedge.exe	91
PID 1508 wrote to memory of 2272	1508	msedge.exe	91
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88
PID 1508 wrote to memory of 4124	1508	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\angeleen.exe
"C:\Users\Admin\AppData\Local\Temp\angeleen.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf4363cb8,0x7ffaf4363cc8,0x7ffaf4363cd8
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3852 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,8859746229335948040,18253610286108654367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3436

C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe"
1⤵
PID:1172
- C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4452
- C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2620
- C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:684
- C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3864
- C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:956
- C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-master\MEMZ-master\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:3452
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bb88128b6b2d63f04c36ce68ed52d0a1

SHA1
29cd0515976a9249fc96a9d77c9986238cd1c2da

SHA256
19341f9fde32349d43cf9951f118ebbff856499e0e6875101eaf2db37a7d7d8b

SHA512
ab3071e116a32fc105a868fe9f3cd11cb282fc6cdc1e101b09c7f6269502f98b34b2f0a2ec32eb2b537073e2b20bd22cefd2fdcd4be87f8b169e6eed3bed1ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
61ca2dc9f6accfd202ad303793051603

SHA1
705d5a45c7b766a72b72e02964b991a4a9e9e8fd

SHA256
473e0e0e4c8161060f302f0cd88473c6fc16a74c79db4b32b14e20caeab20a99

SHA512
aa7ec892e010c41f659a1a9e8ff8b4863ff2896c078ff5950c36f9befc03004a0d7274477200cf550df6c4fa17003807816ae38d61f6641e83a359b9a4899e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
2074370b7f17cc48d116867a303e2241

SHA1
f8bb60b2214523c801cf94d1d896bec821167284

SHA256
e981a47ec98f9c93a202348c361f545c4fd35635cc3ac7e649c058cd7ccc582c

SHA512
be5688b4e636ea9f8727fe92ca37887fb76c31b3bb6a65d20cac1f07f445a7e434802c0bd933c3cdd29866eff05766c685e18439204ad3232f651966c52ba05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
1b605251aa8dde6fce3d3f561b6d9c24

SHA1
356d1dc89dada73bc302882b5b1eb5ec674de182

SHA256
eb35f8c99745d779eb9261b29ef2f3e5f9a389c64e3704c21e89b43306c4200c

SHA512
e9cbbc830bb440cbbd8fcf18e056c2a6fbe8ad32b520e1c82ebb443eeb18d57c73ece893a3e693508848caeffbd394287219a4ce5314ee658fbcf6e027c24011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a39bcde44653bd6ecfd631238bb5207a

SHA1
7478e57f5420d74807080c6f925968f8e9cac414

SHA256
e203b7d22d1e523f286681745093aced41c4303f2a28e7c10ef16c91cd334a13

SHA512
50aa50618e9140cd3439ab2503a670aaf3f8968a412740ee3c269bfcadbd3cbb3f8ab09550bf567127e430ed4033a1908f38df4c6e5a1f3d3592c468847f649c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38aeff0c1026f1143006bedbe386c2f6

SHA1
8411ee334b93d3a677a99deb5b7ea2670f56d542

SHA256
85d926ef03bb0ddd37e698e6d65d8f323ae5c845f4f2b007b3209337fdc928ea

SHA512
f5618a5566f6e3509e2ec85d0421b7c1b61b81a2cf1ffef374f12ee9353444476552a554cdb980d958fe747ec633d35d9dc4c18d137a1522ecadb9e45b71c4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ece241f5591e61665841d95e7d88d0fe

SHA1
e2d18791c822b53580074481f346c002c1c1ec93

SHA256
fa5e67df3f2099921be7ce117e8a7be3fc876ef806bc4b8c0d29b79e712ee532

SHA512
6c453d38346a1f7b6cfffa209480acd1090d44e67b65f3f76355cada5b20cce30e96384d2adbe45f3785012371d06930ee8c61575fd55bd5be785ba8e014c21f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
87796f83a580ad1059639b7b6f48c978

SHA1
3aeb3452c1d42aa82dcc46fac0eff546266958ca

SHA256
ca9281ab005e47fe20e132b81ccfbf7a5f0e6d845cd3412129bcb07cacb1397d

SHA512
196d07ff37bf35b583ba80ef92e0277eee328925a77accb3dae1ca10a356a7924f49a7e6233db1b8b320eef6beeb9677ee7d642dd4bcdb2f1343cfe84fb186cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
56f5150a5553104c429c118e68752c8e

SHA1
0aa1cfbe31b950f27c362bf108a26075f80f4e9c

SHA256
3f06e22b989e0ea52e4316e3f8238dafc987b44128e7c098c42ced2a06bda0a5

SHA512
e141a5660fe06864e963da1b70675843e09f063cf071d61f53bcb1ea388307b3d96eba0e39e0a5e3fcdacd5c95ba3ac1f3f89f60c590ae7bc28bfe40f869b1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584cc3.TMP

Filesize
1KB

MD5
21d8d35a294798a46c9d7ebfbe06be92

SHA1
1d2faa153bf35f2d10e3d309778457c545bc7084

SHA256
e3f6b5512aaacd02bca076cc8da2a7c322818bd04776b2cc59ae79b9e28f9473

SHA512
c97cd8627ad0055613b8c9d1c237388b83c9127b036d5cb3e983401c0a2b07842ae938f0a8d753b9e66aa2bd0a3fdf447741c72a981fe7f52c92d7b8bed0d2dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
68c0edb5715f4640c49c20c4d76aa8ec

SHA1
29c571f53330a75b98e2561fc7ba2ecdca7bc4ba

SHA256
d0f9a24fc4789acff69625f178b33b4fb5f4a1c9545a35f5fe8d29c41ea67dbc

SHA512
15c64c6f8e0ebf37865fa7ce3d19f8f701663d4eed8eb3d12ee92e8dd68b5919b8e069597a40edce49c69f5debd4aca847c8e4b82fb60add24a9957a5c119c66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
adc9bf04ef40589adc57809013fdbf6d

SHA1
91ce6fb4ab2afae51660ea64b4beb39b2387b678

SHA256
90f18f3144a35db31e639e704822cb9bd41944f91df6667360f4ce109d9c47b9

SHA512
acda0f2a05ce5bbb8a44318ef7ebe17b85263442e724d398f268a61d1fbe3745712971bd2721f0726459e398f353ca1c5ed0487c57cc2bfef1bdbe5ad9d5968c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3be5edc3d7557c24aadbee2324133e5f

SHA1
0a51f99f8ab1d2af86e30dd6863da794d1297f95

SHA256
07f42e8e928ffa398feeee854082bff78c6a0095e899c3205e7ac1793c5eb4b9

SHA512
128cf8e6b675c96743d074bedc048c263921f5e0682a4e05d3122d5839f368ce30c25a61872643f571e4f4e5cf817af79f6e7bff78f99c30df210f69a1a2597b

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1504-1-0x00007FFB03C30000-0x00007FFB03C32000-memory.dmp

Filesize
8KB

Download
memory/1504-7-0x0000000140000000-0x0000000140841000-memory.dmp

Filesize
8.3MB

Download
memory/1504-2-0x0000000140000000-0x0000000140841000-memory.dmp

Filesize
8.3MB

Download
memory/1504-0-0x0000000140000000-0x0000000140841000-memory.dmp

Filesize
8.3MB

Download