hxxps://github[.]com/Dfmaaa/MEMZ-virus/blob/main/MEMZ[.]exe

Resubmissions

15/03/2025, 04:55

250315-fj3wvayn19 4

01/02/2024, 06:10

240201-gw9qlaehfn 8

Analysis

max time kernel
131s
max time network
135s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
01/02/2024, 06:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus/blob/main/MEMZ.exe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
4960	MEMZ.exe
3876	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
652	MEMZ.exe
2728	MEMZ.exe
4524	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
33	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133512414805351328"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e4dfe7a3d554da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c549d3a9d554da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 471eb0abd554da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b57d7bb4d554da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f0f663a4d554da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
96	chrome.exe
96	chrome.exe
3876	MEMZ.exe
3876	MEMZ.exe
3876	MEMZ.exe
1688	MEMZ.exe
3876	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
3876	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
1688	MEMZ.exe
2728	MEMZ.exe
1688	MEMZ.exe
2728	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
1688	MEMZ.exe
3876	MEMZ.exe
1688	MEMZ.exe
2728	MEMZ.exe
2728	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
1056	MEMZ.exe
652	MEMZ.exe
1056	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
2728	MEMZ.exe
2728	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
3876	MEMZ.exe
3876	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
1056	MEMZ.exe
3876	MEMZ.exe
3876	MEMZ.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3032	MicrosoftEdgeCP.exe
3032	MicrosoftEdgeCP.exe
3032	MicrosoftEdgeCP.exe
3032	MicrosoftEdgeCP.exe
3032	MicrosoftEdgeCP.exe
3032	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
96	chrome.exe
96	chrome.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeShutdownPrivilege	96	chrome.exe
Token: SeCreatePagefilePrivilege	96	chrome.exe
Token: SeDebugPrivilege	3764	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3764	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3764	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3764	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5292	taskmgr.exe
Token: SeSystemProfilePrivilege	5292	taskmgr.exe
Token: SeCreateGlobalPrivilege	5292	taskmgr.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
96	chrome.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe
5292	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3020	mspaint.exe
3020	mspaint.exe
3020	mspaint.exe
3020	mspaint.exe
4676	MicrosoftEdge.exe
3032	MicrosoftEdgeCP.exe
3764	MicrosoftEdgeCP.exe
3032	MicrosoftEdgeCP.exe
3876	MEMZ.exe
652	MEMZ.exe
1056	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
1056	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
1056	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
1056	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
1056	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
1056	MEMZ.exe
652	MEMZ.exe
3876	MEMZ.exe
3876	MEMZ.exe
652	MEMZ.exe
1056	MEMZ.exe
1688	MEMZ.exe
1688	MEMZ.exe
652	MEMZ.exe
1056	MEMZ.exe
3876	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 96 wrote to memory of 3680	96	chrome.exe	73
PID 96 wrote to memory of 3680	96	chrome.exe	73
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 4628	96	chrome.exe	76
PID 96 wrote to memory of 900	96	chrome.exe	75
PID 96 wrote to memory of 900	96	chrome.exe	75
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77
PID 96 wrote to memory of 2972	96	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Dfmaaa/MEMZ-virus/blob/main/MEMZ.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:96
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff948169758,0x7ff948169768,0x7ff948169778
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:2
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4480 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4980 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5208 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5472 --field-trial-handle=1764,i,4408714099890122631,4906204597264111227,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  PID:4960
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1688
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1056
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3876
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:652
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2728
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:4524
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1260

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1364

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d8acb50b8c00dea668ab02674d1c7a73

SHA1
5ef28c7c3b8fafd86d2bb0600a7185e556435bca

SHA256
3c2a6c674cb361c7c3351bdfb40e5c5353b45627e37c8c2b680508994feddc98

SHA512
2855be0e6cb6a8413bfb0fd137bd22a2ea617f885ef9ea999575e9c85517068ced6a4cc45bc96029f169db732188590dfa186ae1f7e75c43f533f55d4b10985f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e0e54482165d94255d4a64e18b876f54

SHA1
f1ea381e629bce8f54fc47b03cdf3164cc4af5e7

SHA256
baefdb05ae1803b7e24f3b46b6241d0dfd9e1ed002555a4edc95a04c9184cc6b

SHA512
a53f41d21d1e38b276a65500bd3fb8b14a07ccaa62d50a210b14dab1bedab2d7f5485824a173216c7a1c6e66bc953ffe2d99339a35e19207bb65e8cf54dd2977

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c2f69debdd25a84ec79ff1d3d6d5f474

SHA1
bdbbc0f0c3fe88a35bcc21eb5158ae1f86f6f4a6

SHA256
15d20e6e77edb30d88242fe7347ac1f0ea3ca9d4941bc0d107c1c725ba1d8b14

SHA512
1e6b4a3b906736cdfa2dcab97fde7a7d5253ba1a5e23104259c63bdda9f38a3b6fa0db293010fcf264c29a433d0fac3f9e7985c8acb465de8ee6d307a4b537ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2b2dbae9bb5d71351a7b0be8addba27b

SHA1
10cc040d82d261c15fe89d615f9c589c9b915d05

SHA256
9c279fdffcca4c5d8a9dc269ec84b8ef6db1a0c16763ee384ecbd38291c9b9b4

SHA512
c22aadbc482b3a938cb470a1e63e131e6831daf4441544080e3c4402f83cf1986097b0a566fd2a0c5f922b2efdf173a10612c7c0eca7e5ad149c5c4b65b3b76e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a013f61423ab83ccba7909d6efa856d8

SHA1
cedf10da41ccb68807f1af4319f47b352dd9062f

SHA256
4c9c54fb02ae79203d323225246069b66b2c2f43f84efd654a4f215acd62e97c

SHA512
b0cafa20a9aa697b25abf6f61ffe21374392b4ed417067ab251916d23e20be89f67be3ec63e398e9c913be741700990e2c3f7d63d6e7367f1fcdbfce30cc8864

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
16c6c27ac2e5efd7e6c78a1a4b35eaf7

SHA1
02e0307171b012ab1a1503b60b17c0a868aad0ac

SHA256
722836706862cc3f8b14fd540f55a2736210def12db5ea9641e2d28b511f8b79

SHA512
345641808d9d7c15fbf403b66dd96aa11fba07101ecc4bf7db78be020e8354e31b2c483e7c930ff76acd9ad8fe907c1f4a5179bc611e87e33575aed27be1db7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
5119a1b501de41288e48737bbcf76be6

SHA1
dc5794268c89b95e72064093e6cfd8827a10ba04

SHA256
4afaf334868df8e4b03032c2b71bf53e4c2bae559284a1914db35a52bd0ee6d8

SHA512
36fb56df23d0d9e023dded9ccf3ba98e242526e394dfb38c21de67ffa09b7785673346e73c08ada6f991647f83f4f2911999f6cb5118d0016379e8d596b7691b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
fda89499ad730ff8c53a7a3813b518d1

SHA1
5efc166408d13cda5f4967d739647bf7c1c2cc8a

SHA256
3d4e6c7c2af303342e85ca49df8ae67c18f6613179df738ad2411e76a6e3b6c9

SHA512
474b7a2c6cfe1941d600013a5c908d1fb4a9dd5fc536a4c5d0245b165d3bf789d94a17c272d92c6aba85c3e5eef6652b377f9a60a4a372b4fd35ee9d835de1fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DNDP7OJQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XAJ9FEK0\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
8112ab2a9d7578692e66734917d00015

SHA1
5dc1f7cb2c66c925d195fb98784917d108a001dd

SHA256
919561b1927726f5218e79f21184c4bf7117db4466686fc93d3d5dbc1380033b

SHA512
538f1f36b44d628d2ade163cc40deb58b50cb7fbd56019d9526c8233c30771db8542ed5786d311322dfd2e9d44e979da9513c4a0bbc7416b47bb7beca90013d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_A94555E99303C70425221A00610112B3

Filesize
471B

MD5
074b0fbc9d343d684595cd4ef6e2932e

SHA1
c69c62ee6703c04e979016e730182fcf0113b3ac

SHA256
0a272e9fe28c982effc5be6b9f26f0b59029829a62c0d876ea0ad0462662e379

SHA512
3b3e964af78dcf318e3864823fbc0a223520f3d4f2a4f6c946b348ff40cc559ac4f5fc477ba08f50ca6258f8ed59555ae2482916b30dee20125384b4d017e550

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b0c3e1c2653b5661f5c8b73167ae1125

SHA1
b8bdbda6c4d43ba2910bac520aed44dad8489b08

SHA256
79a4981818ecc22030fa0b5f73261375af5f429e141d691ba9ca7796b0b5a48e

SHA512
3c2a8877e6057c63846ebd54a900da4620684680ad6e269647f49c997899d82e959a6157cb537ac65ed06b7a32ff520f044e092fb8c16eb6f7585d9d12edb7bb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_A94555E99303C70425221A00610112B3

Filesize
406B

MD5
a3b5fd48441b2475c3e7283789ece57b

SHA1
27b7607fdd9e938b512cc8a0747632e72813a014

SHA256
c4bd2a4434a638ac6fe996fca93997f87d552ea3c261cc8d6a2a6049b101a512

SHA512
ffbd97305e74931178c9dcaa6aa8161cdc4ff084a955b1f00f5800896e4d34d995660dc19dc08d4bfa65855dd04869f1a3fdea7e09d198da64b6790f65f95e32

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
fc9e27305e6ccaeebae650cb0382f593

SHA1
74f219e270de2f0ced259e28484b129c12e1c342

SHA256
f060406ad90511399dd0292bfd885dbf3491c85a2e35ae55a6a28fc4ecc36ae3

SHA512
823d88e3c299de3363121e09f349d46866de7060805c748ed1cde281f30bfc0eb6cc382a4f23cff9d035e0c80158b022d4204e6587980f7f7e3a97d336a93d16

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/484-373-0x00000266A6600000-0x00000266A6602000-memory.dmp

Filesize
8KB

Download
memory/484-422-0x00000266A76F0000-0x00000266A76F2000-memory.dmp

Filesize
8KB

Download
memory/484-357-0x0000026692880000-0x0000026692882000-memory.dmp

Filesize
8KB

Download
memory/484-375-0x00000266A6620000-0x00000266A6622000-memory.dmp

Filesize
8KB

Download
memory/484-399-0x00000266A6640000-0x00000266A6642000-memory.dmp

Filesize
8KB

Download
memory/484-410-0x00000266A7350000-0x00000266A7352000-memory.dmp

Filesize
8KB

Download
memory/484-408-0x00000266A7330000-0x00000266A7332000-memory.dmp

Filesize
8KB

Download
memory/484-406-0x00000266A6EF0000-0x00000266A6EF2000-memory.dmp

Filesize
8KB

Download
memory/484-417-0x0000026692970000-0x0000026692972000-memory.dmp

Filesize
8KB

Download
memory/484-418-0x00000266A7300000-0x00000266A7320000-memory.dmp

Filesize
128KB

Download
memory/484-420-0x00000266A6E80000-0x00000266A6E82000-memory.dmp

Filesize
8KB

Download
memory/484-360-0x00000266928B0000-0x00000266928B2000-memory.dmp

Filesize
8KB

Download
memory/484-424-0x00000266A7B60000-0x00000266A7B62000-memory.dmp

Filesize
8KB

Download
memory/484-440-0x0000026692F90000-0x0000026692F92000-memory.dmp

Filesize
8KB

Download
memory/484-371-0x00000266A5EF0000-0x00000266A5EF2000-memory.dmp

Filesize
8KB

Download
memory/484-362-0x00000266928D0000-0x00000266928D2000-memory.dmp

Filesize
8KB

Download
memory/4676-391-0x000002B4953E0000-0x000002B4953E1000-memory.dmp

Filesize
4KB

Download
memory/4676-390-0x000002B4953D0000-0x000002B4953D1000-memory.dmp

Filesize
4KB

Download
memory/4676-329-0x000002B48EF00000-0x000002B48EF02000-memory.dmp

Filesize
8KB

Download
memory/4676-310-0x000002B48F500000-0x000002B48F510000-memory.dmp

Filesize
64KB

Download
memory/4676-294-0x000002B48EC20000-0x000002B48EC30000-memory.dmp

Filesize
64KB

Download