hxxp://google[.]com

Resubmissions

17/04/2024, 09:41

240417-ln55nacg6w 8

17/04/2024, 09:41

17/04/2024, 07:37

16/04/2024, 14:11

16/04/2024, 14:07

17/04/2024, 07:43

Analysis

max time kernel
55s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://google.com

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2240	MEMZ.exe
5068	MEMZ.exe
248	MEMZ.exe
3332	MEMZ.exe
3772	MEMZ.exe
4760	MEMZ.exe
3440	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
65	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 40673.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
1588	msedge.exe
1588	msedge.exe
3192	msedge.exe
3192	msedge.exe
2312	identity_helper.exe
2312	identity_helper.exe
2800	msedge.exe
2800	msedge.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3332	MEMZ.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5068	MEMZ.exe
3332	MEMZ.exe
248	MEMZ.exe
3772	MEMZ.exe
3772	MEMZ.exe
3332	MEMZ.exe
5068	MEMZ.exe
248	MEMZ.exe
5068	MEMZ.exe
3332	MEMZ.exe
248	MEMZ.exe
3772	MEMZ.exe
3772	MEMZ.exe
248	MEMZ.exe
3332	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
3332	MEMZ.exe
248	MEMZ.exe
3772	MEMZ.exe
3772	MEMZ.exe
248	MEMZ.exe
3332	MEMZ.exe
5068	MEMZ.exe
5068	MEMZ.exe
3332	MEMZ.exe
3772	MEMZ.exe
248	MEMZ.exe
3772	MEMZ.exe
248	MEMZ.exe
3332	MEMZ.exe
5068	MEMZ.exe
3332	MEMZ.exe
5068	MEMZ.exe
248	MEMZ.exe
3772	MEMZ.exe
3332	MEMZ.exe
3772	MEMZ.exe
248	MEMZ.exe
5068	MEMZ.exe
3332	MEMZ.exe
3772	MEMZ.exe
248	MEMZ.exe
5068	MEMZ.exe
3332	MEMZ.exe
248	MEMZ.exe
3772	MEMZ.exe
5068	MEMZ.exe
3332	MEMZ.exe
5068	MEMZ.exe
3772	MEMZ.exe
248	MEMZ.exe
3332	MEMZ.exe
248	MEMZ.exe
5068	MEMZ.exe
3772	MEMZ.exe
3332	MEMZ.exe
5068	MEMZ.exe
248	MEMZ.exe
3772	MEMZ.exe
3332	MEMZ.exe
248	MEMZ.exe
3772	MEMZ.exe
5068	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2256	1588	msedge.exe	79
PID 1588 wrote to memory of 2256	1588	msedge.exe	79
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4984	1588	msedge.exe	80
PID 1588 wrote to memory of 4848	1588	msedge.exe	81
PID 1588 wrote to memory of 4848	1588	msedge.exe	81
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82
PID 1588 wrote to memory of 1272	1588	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9979a3cb8,0x7ff9979a3cc8,0x7ff9979a3cd8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,468703246044950718,12364983587336630868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:1080
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  PID:2240
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5068
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:248
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3332
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3772
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:4760
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3440
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
760a53fd57715e1324ca6efe70dafff1

SHA1
578156282bea44318da1e7bf1082df441e0ab05c

SHA256
f75bf329c2e5fa6dac2a1a0550ce29e773ff2e53f789e586947f833505cb8c97

SHA512
5f8430e242933353a5f50f50f3102e22f09fe568d3b97a74b7f540381c881998e2194014b2f4a6895a3fb8093bdf468de9bb4f61f090084aa85d0fc66d94f362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
967ef804d0b19966a8690caa349fa0ec

SHA1
b404f1de39b1890cb5162876bb84d56bcdf91400

SHA256
abb29e1675bf05fa0560e38c624e479da4e7b8494543963364e059b1863dec02

SHA512
d85b15167fbb618c0aff928e6c17b4a094a7014d5c03e7e407c6c0fbb808c202f4abc6da22f118bfa6cc2accf53621f95775158647a3eeddd75736c8e42dab1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65e8607a9c1947ac1289b8f4308b2803

SHA1
37d2eaae4d55fe93bbb7e7f42e3ccbe9db3a232e

SHA256
a1028caeb1321e78e609ae47bc15febdd55cea79016abb6a51588538de088abf

SHA512
299399c911b43ca833488a7494670837e5ae1e2f54b60753a6aa399e78c7ac965fa48408983bcc551bce1e2e5602741cbbec168e6dbc1b1771daea81c27d9bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc6a26a1073b46eb98e44b87947ad3d6

SHA1
4bbb8eb7c592501889a98b1ee27c49d696f63970

SHA256
93772703cf14d8c0e6b4f75d3208b206514803776a54217a6b422844410fe8aa

SHA512
884213c075083f5ef0391d1c247a6b5be5274ecb6e4a2cae6dcaab854de5d54df0e7661ed8f483055cef63e18ca81178f847249b0b1a0ee6875a89ea22ae778f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76bfe56265511e153fd09d3ea32ece9f

SHA1
77e8904673c3b1b530cab9ebf2b1534276c5ff7d

SHA256
ec0b5ceabb190494c5798c91c90e0c0e54afe823c4783e567579e6ccae9613b8

SHA512
20da56d95569aa9daf18b4409c4fc9487ba5da578b109bd62e16f677a82c14e924b9f0c51ef89e06f9387587d76ad7488ecbfb1f8cb9380dc038aa344df8cf9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
e48d30b5abf73e26efba97842b999497

SHA1
3f760ced02841e75edafb486f289fd037d0c3276

SHA256
f8ac695cd7f4e2dd07ce34906d7fb3347eea00a3a3b97242784f140874c508f0

SHA512
d5f4e5ac8f5c96fa171e8607d44684b8d2db2644959fbe2c559fde92b7ad7e4b2156669ea7485b54fa78bedabda0cb6c253452232b0e7d20782d68b72224e0b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8cdc13b659d42750c42887ffae2bf3e

SHA1
d43f444a4659a0b6cd11a6e1465df0d45608f64d

SHA256
ce81f2a344d328b3518a82109611aec3edb2569d4f9c6df4e9b6cd854127bd7f

SHA512
ccff3c791dbce0170415878896c1fec113d8709f7dffb28e2e997a14ad0a2c33b934b402acbf64d62189af4d3da351d06892ea3ef1359d47fa0fe9b0c34b9266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9cdf1211a5108ce257b23c698a1f9759

SHA1
7f355dc23bd1ea89bb2ffb8bf7640cfa199025c3

SHA256
7608c83a3bfd2aeb04380db3715385e632b10c879202e0ef779713847a93fd27

SHA512
430c2332ed37e5856111a67b8d5c441a3c14d335c1ecdde36e6e416bbb8fe7de796704272d32e374c029f609ad024af3c22e7631ad0166f288719050e7d87fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b1ac.TMP

Filesize
370B

MD5
f91539b2c0d285102240c478ee750c0c

SHA1
034701eedbd034d9deb836ca809cc08694006376

SHA256
b6aa7e1a4356f41d51ded9790267765f2a7991417b354e2ee0b42fa35df56689

SHA512
8470432af4b0fa74bfd759e908c52f84ddab909af05fcb06ad5fcb4af56ae80c317c710d57607c54df90657b0b1269405cf7ed3b4b4174c3648f9297179b98d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
210410dfa71b92bfe0952fd9ace5d686

SHA1
bb3fd694d74d6657da637b6aa8604754dc49e19f

SHA256
9612876c53f290104154622f4e122a5d7599c2d3d0db5c4d56e238f25e6df59b

SHA512
4846affcf9ed02bfdfd1b625d28af4e8f3a8fbec7ec35c8cd9e7a806b9afc32a42326e9895a736393c4b15325c00d2536a9370e4a7b4c06ea5e4bc29b3cbff7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a1bf6a738ab3c2321368eba080306a1

SHA1
38dbda6f59d99e644e5db2ebd785d1ad79f2a78e

SHA256
778ed89be0ef99cfaf48c91f241a85fc5ee0af202bece96444864a2bdd8663b3

SHA512
61efc4285274a4bad1e2351ba02707a6d71d44bdc04643c820d1f99f4f1a08ada000242b1fea03b0512098007744c0931c52178f92b8953732f2ba0fd584211b

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads