4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce

Resubmissions

10-04-2024 19:40

240410-ydkgescg9z 1

10-04-2024 19:27

10-04-2024 19:16

10-04-2024 19:04

10-04-2024 18:56

10-04-2024 18:54

10-04-2024 18:49

10-04-2024 18:41

Analysis

max time kernel
242s
max time network
261s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

467KB
MD5

12b9d6652e7d1689ed510c50c53bd38c
SHA1

013a1cc01a97a97d9b18dfbafcfec91a57e6232a
SHA256

4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce
SHA512

0ce40b9a4d137d99330f7bc2776734d121d485d3f1e3af23ede4bbebead330c30de2c4568029303259812d591ef7bbc52bd1f16d8912dd5ea006523008346e7c
SSDEEP

6144:DFoiM/iMTiMkiMriM2iMSiMliMziMViMuMt:D2iciiiViQibiRimiIiOiXMt

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ-Destructive.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ-Destructive.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3852399462-405385529-394778097-1000\{70652DB8-9ADF-4269-A6AC-70F48119A8A3}	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeMEMZ-Destructive.exe

pid	process
4820	msedge.exe
4820	msedge.exe
1692	msedge.exe
1692	msedge.exe
2432	msedge.exe
2432	msedge.exe
2732	msedge.exe
2732	msedge.exe
2348	identity_helper.exe
2348	identity_helper.exe
4092	msedge.exe
4092	msedge.exe
840	msedge.exe
840	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3448 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3448 AUDIODG.EXE

description	pid	process
Token: 33	3448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3448	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

MEMZ-Clean.exeMEMZ-Destructive.exeMEMZ-Destructive.exeMEMZ-Destructive.exeMEMZ-Destructive.exeMEMZ-Destructive.exeMEMZ-Destructive.exeMEMZ-Destructive.exe

pid	process
2264	MEMZ-Clean.exe
1104	MEMZ-Destructive.exe
4996	MEMZ-Destructive.exe
2200	MEMZ-Destructive.exe
4992	MEMZ-Destructive.exe
1932	MEMZ-Destructive.exe
3756	MEMZ-Destructive.exe
3984	MEMZ-Destructive.exe
2200	MEMZ-Destructive.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

msedge.exeMEMZ-Destructive.exe

description	pid	process	target process
PID 1624 wrote to memory of 3280	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 3280	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1744	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1692	1624	msedge.exe	msedge.exe
PID 1624 wrote to memory of 1692	1624	msedge.exe	msedge.exe
PID 1104 wrote to memory of 4996	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 4996	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 4996	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 2200	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 2200	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 2200	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 4992	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 4992	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 4992	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 1932	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 1932	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 1932	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 3756	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 3756	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 3756	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 3984	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 3984	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe
PID 1104 wrote to memory of 3984	1104	MEMZ-Destructive.exe	MEMZ-Destructive.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3fed3cb8,0x7ffc3fed3cc8,0x7ffc3fed3cd8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,1286307008968766071,16987978384403650486,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,1286307008968766071,16987978384403650486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3fed3cb8,0x7ffc3fed3cc8,0x7ffc3fed3cd8
1⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3fed3cb8,0x7ffc3fed3cc8,0x7ffc3fed3cd8
1⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
1⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
1⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
1⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
1⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
1⤵
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,2768316095111228325,13383054269813483269,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
1⤵
PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,2768316095111228325,13383054269813483269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
1⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
1⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
1⤵
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
1⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
1⤵
PID:1028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
1⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
1⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
1⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
1⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
1⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
1⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3516 /prefetch:8
1⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6464 /prefetch:8
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
1⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
1⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4842332593598767562,9637066392465939183,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4412 /prefetch:2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Clean.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Clean.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4996
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2200
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4992
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1932
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3756
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:3984
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1f04bcfe-c980-4093-a886-16127c0f5402.tmp

Filesize
8KB

MD5
295c300ebac6d4c79d6271f6a4cde36c

SHA1
2d6ae39a16d54de4d7683265e7db3b08af6bff7a

SHA256
085741d6958ee59949744afa1a740a5eace8b2f9dea26cd025e4ae85e5602c9c

SHA512
6ce32607ca5791413013084f1cab5a293fc2adc397b799538e87b4db6cc2941217bd800497a56f00c83e5f54d53113c66ff216823547d1c446038b7bc2a0c2d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
88e9aaca62aa2aed293699f139d7e7e1

SHA1
09d9ccfbdff9680366291d5d1bc311b0b56a05e9

SHA256
27dcdb1cddab5d56ac53cff93489038de93f61b5504f8595b1eb2d3124bbc12c

SHA512
d90dabe34504dde422f5f6dec87851af8f4849f521759a768dfa0a38f50827b099dfde256d8f8467460c289bdb168358b2678772b8b49418c23b882ba21d4793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e88eeef7a9db755ce696ea3b2257f6b8

SHA1
9124df61c5a3cc230011e0612c2519af7e6c0d9b

SHA256
92bdbae54f9fa9daeb4ad832a483fddb25f5b387a42e9f32ca624c96e58c1837

SHA512
bbb27afbb2d6e991e6478fbfa5e595134148aea5c4c19d6c9d6e0de8b36c80c1956e86d981940e4c3ec4cd0f65a586a679f260febe9abbaa7b47262bf42a69e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
62a39931790c950e537478d35e72c031

SHA1
88e10cc58b0c30001fef234cad5ed686d5d3c675

SHA256
7bb713c32c1284e4b182bedb3154d977719e818f9268cd20d2eaa202bca84522

SHA512
cd9a59e304b24d4e3df6cb37f46c4dc30eeedba6348f2ff53b6f30688696bd614616db0b140f113eb39b823688bf8fb9bf5a0f5881bf931dab15e21171bc9589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
05b318fbfb9c377544f9e93272af6ee1

SHA1
2e14dad12ac224374f375bc304fa16e3c18fa183

SHA256
5cd3cc81b5c808b9a6e161d3e33d960b9d45e802ae944b2019ed2383c56d31ae

SHA512
8d42d8230c43445599fe9c133afa1a1ab3c129301765f9e572df820d2e64e3833a7cae5ea504da3eb3c527051631f50d9522cbba32688007839083db65cc1035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
da6b35b00b3fc241b59cef529be50f6d

SHA1
f677217d9f67a650fef04f22aed2f7dc3337e8ff

SHA256
c6b10a4fda143c4865f1c6f95ea9a0d8a7f6e6067fd8d885c26a0248458e0082

SHA512
1bc3b7b83a4f466e36d7a1187db174b8d824b823079451b161b7287b77c2a690fcb7ad56c1b20d68372b02f1c9717f5159d4e6468e56a247752aea758812eacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e53b.TMP

Filesize
370B

MD5
4fc92e19e749d60beef4dd1216a5ecad

SHA1
4a807731f673983fdf77320786f1b0118c82aad2

SHA256
0f1739cddcfa5f7a691549ce2711d535b17f7b9440943c0a12b3c20801a45666

SHA512
d004ff39892df6b01d8fa2c87127b774c172ebe2d6e322c1c3d19e1db8b33269ece5531bd7ed162efb140f910a07cae48cf7f6ec9ee345f86cdd43fe9ce30a0e

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_1452_PECNVPQAFWOANXEH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit