c7a53cef7508f2abb86996be29a075c2ea63bf09b1bb08e1b1b7a592cf074e60

max time kernel
95s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

18KB
MD5

975aed651740cac29bc0fa6e3992d3cc
SHA1

42033f32c97b6be4e446c0a77690745eafc28112
SHA256

c7a53cef7508f2abb86996be29a075c2ea63bf09b1bb08e1b1b7a592cf074e60
SHA512

53a57fbf3952c5f0e08781879747d059d27a81f58c3f1a9f38c8763ba7aa8d31849e9797092c7624311b626e9aedd4937956bdefc54350ade3d480b04d1eb87d
SSDEEP

384:rTqN2DpmReVoOs41N9ylKeGM+U8HhhbG167uS2LjFrSE3+dVJCBXQL:rTqYBVoOs41ryI1M0Bhb68CFrSEMJQQL

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-160263616-143223877-1356318919-1000\{9A93A989-8E94-41D1-AAC2-435EE1616719}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
324	msedge.exe
324	msedge.exe
952	msedge.exe
952	msedge.exe
1420	identity_helper.exe
1420	identity_helper.exe
4524	msedge.exe
4524	msedge.exe
5024	msedge.exe
5024	msedge.exe
4812	msedge.exe
4812	msedge.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe
952	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
780	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
2332	MEMZ-Destructive.exe
788	MEMZ-Destructive.exe
672	MEMZ-Destructive.exe
1472	MEMZ-Destructive.exe
772	MEMZ-Destructive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 896	952	msedge.exe	79
PID 952 wrote to memory of 896	952	msedge.exe	79
PID 1436 wrote to memory of 4764	1436	msedge.exe	84
PID 1436 wrote to memory of 4764	1436	msedge.exe	84
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 2280	952	msedge.exe	85
PID 952 wrote to memory of 4772	952	msedge.exe	86
PID 952 wrote to memory of 4772	952	msedge.exe	86
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87
PID 952 wrote to memory of 1236	952	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffaf87b3cb8,0x7ffaf87b3cc8,0x7ffaf87b3cd8
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6816 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,941829310540229148,3445102780618922707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf87b3cb8,0x7ffaf87b3cc8,0x7ffaf87b3cd8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,14930348081084815417,455325421854927904,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,14930348081084815417,455325421854927904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2564

C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
"C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:780
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:772
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2408
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2332
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:788
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:672
- C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe
  "C:\Users\Admin\Downloads\memz-master\MEMZ-master\MEMZ-Destructive.exe" /main
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1472
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:3528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c48e8b68231fb5b2d7f1188b930bc0e

SHA1
1822aef5da8fdd47626fb91afcf79a2be175a325

SHA256
c3b287c29eaa57166b2ab1ba9bd0aaced13cc2f946a04b8d708ac429187fe944

SHA512
2bd09b83e44e0104fbe080a8573690217dc9fbf7fd59ff25a1a9e9ebd2d87ac533f9b99350773d081a7e748b39657115a13e94538b153bceb13ecdfc4672a0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f2dc80f5403feb8461b7ffa09890d6a0

SHA1
d5b61e6d672e7e71571e0132e21cead181da8805

SHA256
eadeadba37eed18e5acba408d7e076270b00403fed372b77164577232232428a

SHA512
5e2119529b99b76be105c43714e4b9977ee2147172c1c44e92bd9b41fa7a66f55d4073c864aac668a912aff2898bd216fb38f2fe34ef65de69ad12965218caf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
1.1MB

MD5
02da96db3e3eff85fba8f54abe1460af

SHA1
677fc0c75c57a1c503efd93d95d5f187c91e49ec

SHA256
cd0474d94bdc651c21d8105693752f1dcaa8d9a77a90e6ab0762720c10e15b58

SHA512
03c5ad6eda925fcfb59cfbbd80d95a28c22837c12ccc692ec5e2028391d9513956c4613bca2ceb9bdd577be2432618186df9f302deee9780b9bcc6209ba2cd19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f404457f4d13eb686c00d784f85766d5

SHA1
0d836d32e526b1dd0fdc3abe675f536d6f029aca

SHA256
7a58fd923d99beb6314ebd8f0ef6e5d5cea1c5a1a350aac1b3f2511e0451abfd

SHA512
46219ae84c06178ba502f09281b6f86114bb8849d52f6518a4d76c42169decac15f2644eef1a3e32c9b78fdae76c105cdb41b427b8f1405d0bb7bf6085d5dac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6756fe81d427cae665f35df0826d6c19

SHA1
444d013fe2207c9e9e61c396a5df8ce89b09c5a1

SHA256
32af35727972862d092aa43008d9290a085e81ea84aa544f4bfc5d259efd8f1a

SHA512
f4e6f9a9f1416f8482fc00656bdc11beb3af0f0a054d13e46b2084ad0d76d050ffb9614956262febe4ab5e8f117ef8bb1265c282bb3befcc4859bc59c64b9530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
79fae4b2e6fd9772f73e7475af6c8083

SHA1
df91a08f0264f4b581c9d7fa8838f7a71284eb6f

SHA256
0b6ea168f543ce9c3a2bda9c32d2ecc2e5f40502aaedbe518022a586cdbc326d

SHA512
e43fd18a566dd956d68575bf2fc0da5e11c6a82cd9a7484ea406147f0294127dcfdbe03f4bac61de76d9198badc4ea14908bc6cb9351532a92ffd7f50060bde9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f5a6c4b2dba7e4014c0e4310d6af92e

SHA1
6e25cb0fffaa9dfef307cf40266ba0f8095eeb0b

SHA256
dbac412415afce84f292eed963259d334961c569f27413763cea3688a698f908

SHA512
9ee8adde0bf25d4802dacbe4565af0dc0e4817c224e6eb434c476ecdbda6e4d764e2e689f207b56c819cfb249ede1b73a908e66223c4b006a496b14b41ee51a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f852a38f5d7dee9c299e24c02f67a00

SHA1
48ce10701b28f6306826f11160de42c611bfe36c

SHA256
cffefc3a33b326c0809c07dd1a392c389a6979d9696cca3f96de042e981c2621

SHA512
43475f8da901493b42740554c9881fc9fc22a6dda451aea0cd30848ebae040896791964a0c2459dc28a84dd1f226a592144d6997aba77028a7c481d2bd328781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
5628e7a75bcc6323f86e907072d12acc

SHA1
18e1cf45a34f2b8c0204e39910465cec2d25ad4b

SHA256
09328ffffdf59fa68907b6d0adbd9c17e699244313ebb8f9631aeec3333754f8

SHA512
21adacd05074bb1a20edd1fab8517258ccc6349067eaf7c9f2d392f00c2879c1cdf1fcc961a4d56f12bb81ce02cea0abcf3c43ff14aca38e1a2e055a02a313c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584541.TMP

Filesize
538B

MD5
be23d7c07f0318704b4e7021270441dc

SHA1
f57c42aea6f6c9a8b796867c90a64c96cc7378bf

SHA256
767f15a4ca5979e56b1a44c0352f92a231c350d69b9e33e90b907e5c3caef681

SHA512
d834705989f0ab2dbdbc10f2d5a9b0f2401fe96feb14489cf67476ba166b50ac33dadaf0a87a5afe3099fab7501125278867b619c05c21a333f616ec612d8772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c883de473491133fe6f32e2d9f19a842

SHA1
d3628f50ba3a27944b63a6fbadb5a0cb991a1ce9

SHA256
7a614b258a3fa0a00292b325daacd829979be7445b77f192f56f9bf926383e0f

SHA512
3003d0d5c0b3f0d9ad6f10122c52a591bd656515835fb8a35f69c10235927b4ce871e2fb3fab61a39c2e095b54b051d2edb9833e888bdab5fa5fdb47160d7437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
38e9084e119b0468fe4ab5f182265a86

SHA1
bfd6cd150adebc7a628deeaa1a475b9e3aa2f02d

SHA256
8295c87a1f6c917d2bf70495f39edcf8b359d6e02afd07398472b543f771c819

SHA512
f83d53861c215fb3ae93de691465832ba890c6c3d17de6fdd6c9ed1814be9de9dc6f9ce036e339aaacb7ea333dbc1bc6b474c0dc5d6caad0dd7fbc8c4bc49c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e1c544b5ac979d2514268ace40f1cb1

SHA1
86149d52d09c1ab8dfd9d78f7873406d07d7bd20

SHA256
b33a2febe9e36c4d8a3756621ecac0269487dad5c9afe0c0a9a26424355e0be3

SHA512
b96a8ba95d58ffce7762060dadcdd61a95c2029003b985419264fb64e90b5f30cc653d37a0dfcfb23a9b97d2ce3d2a6ae3a21c745f7b03b3966b047e588e8365

Download Submit
C:\Users\Admin\Downloads\memz-master.zip

Filesize
17KB

MD5
4790677e05d72ef7429dddf35562bf4a

SHA1
4243d6ea53db7e8cc0c355e70d6cffb54787b90b

SHA256
319bf6087040d17b87f46cd05f5ee064c291ba9ca46e1910f28d1f4c57cb3d96

SHA512
a93c5f691938bc1bdd9ef20b975f0b22cf494543e7df82ec31838bf811552ead5cd855959be4e47186ee7de944be005030f52f58b9dc85e7cde719cb97b794e3

Download Submit
C:\Users\Admin\Downloads\memz-master.zip:Zone.Identifier

Filesize
167B

MD5
48aa202d5600ab0160ddf7d753b4a177

SHA1
4d1e68a6908f66faaa15d253130aeff6fe323c3f

SHA256
832b62b5324e24a4e7f43cc66e1610f2e22871acd1a930b9991b4d79e5930154

SHA512
1a51b931c974ad6c54ce5167535f17df75c5fcf11b8314d3a55dbdda777d826f3d27032b51308725f6af925163dc0b22095ca62523375850cd63349fc7148c79

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit