hxxps://github[.]com/Dfmaaa/MEMZ-virus

Analysis

max time kernel
102s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 12:08

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5280	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	msedge.exe
1568	msedge.exe
3472	msedge.exe
3472	msedge.exe
3520	identity_helper.exe
3520	identity_helper.exe
4416	msedge.exe
4416	msedge.exe
1544	MEMZ.exe
1544	MEMZ.exe
440	MEMZ.exe
440	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
440	MEMZ.exe
440	MEMZ.exe
440	MEMZ.exe
440	MEMZ.exe
1776	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
1544	MEMZ.exe
440	MEMZ.exe
440	MEMZ.exe
2652	MEMZ.exe
2652	MEMZ.exe
4052	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
440	MEMZ.exe
1544	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
1544	MEMZ.exe
440	MEMZ.exe
440	MEMZ.exe
4052	MEMZ.exe
4052	MEMZ.exe
2652	MEMZ.exe
2652	MEMZ.exe
440	MEMZ.exe
440	MEMZ.exe
1544	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
1776	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
440	MEMZ.exe
2652	MEMZ.exe
440	MEMZ.exe
2652	MEMZ.exe
4052	MEMZ.exe
4052	MEMZ.exe
4052	MEMZ.exe
2652	MEMZ.exe
2652	MEMZ.exe
4052	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	taskmgr.exe
Token: SeSystemProfilePrivilege	2184	taskmgr.exe
Token: SeCreateGlobalPrivilege	2184	taskmgr.exe
Token: SeShutdownPrivilege	5280	explorer.exe
Token: SeCreatePagefilePrivilege	5280	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
5280	explorer.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe
2184	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
440	MEMZ.exe
1776	MEMZ.exe
4052	MEMZ.exe
1544	MEMZ.exe
440	MEMZ.exe
4052	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
440	MEMZ.exe
1776	MEMZ.exe
4052	MEMZ.exe
1544	MEMZ.exe
440	MEMZ.exe
1544	MEMZ.exe
4052	MEMZ.exe
1776	MEMZ.exe
440	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
4052	MEMZ.exe
1544	MEMZ.exe
440	MEMZ.exe
4052	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
440	MEMZ.exe
4052	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
440	MEMZ.exe
4052	MEMZ.exe
1544	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
1776	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
1776	MEMZ.exe
1544	MEMZ.exe
1776	MEMZ.exe
4052	MEMZ.exe
440	MEMZ.exe
1544	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 1764	3472	msedge.exe	84
PID 3472 wrote to memory of 1764	3472	msedge.exe	84
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 2060	3472	msedge.exe	85
PID 3472 wrote to memory of 1568	3472	msedge.exe	86
PID 3472 wrote to memory of 1568	3472	msedge.exe	86
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87
PID 3472 wrote to memory of 116	3472	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb23b746f8,0x7ffb23b74708,0x7ffb23b74718
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,10198618324297306370,7525757051848493431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe"
1⤵
PID:4164
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:440
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:4152
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - Modifies registry class
    PID:5240

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5280

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e2ece0fcb9f6256efba522462a9a9288

SHA1
ccc599f64d30e15833b45c7e52924d4bd2f54acb

SHA256
0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005

SHA512
ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
864aa9768ef47143c455b31fd314d660

SHA1
09d879e0e77698f28b435ed0e7d8e166e28fafa2

SHA256
3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10

SHA512
75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2da5239f3969a1520716e358e7696018

SHA1
6b8d532373b1b03e7f08f340ff3cf48a291ef2ac

SHA256
420678fcc01498fe2be439f5b4b823ac0f7c4dfba316678c3d812e65b3556505

SHA512
9b008bcef3e052da1822a8ac0e157f0cef43809bfbaf531b62ac4d0d043a00192003c07a2b026191322243ed0938353e049beb4d356a88660fbd1aea4efe70dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
37baf21f6884d62dd3fae3bcac0e3f54

SHA1
86387f81e0e639f4b89ac148a2611dbe17c692e5

SHA256
fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be

SHA512
13d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
069289fee8851756e4a9bb50f0f9aa99

SHA1
4638b00a8599cf3579591d37e893f1406f042b0a

SHA256
ceaaa4cf0db71242ee37395f9ac5118e2c9963d08660910b4c4ce293f244cd76

SHA512
20ef77b78479a3219f72b075d496467e802eb45ec623aadfbe2adc3f4e7dd73084121910030de632ca1a4405bcb8396a4e2579789057e74ddffdc8c3f002c44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d99593cf027c7d607c589394dc7efec

SHA1
8efcc5d0d46176be075fc2dd4381b7b6e51949f3

SHA256
58ce9cf939c09f1cae6c9a75555ff2f86eb4d90124b27efe07dbc92a2a9711b5

SHA512
d7e838905cdb1b59cb45f794ec430255a503d355dd0396317df22e2550d32c08775bac5842710512e18043af26f3bfc50ca8f0c1ffefc45f233b03d5ab30bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
66bfc73ddafdcb85209f07ab0ef4b1b0

SHA1
fda9d710e4458b4b23fa3a9e91b140fcc2021e98

SHA256
cdbb00deb618f140be7fba26c507366b3d6ad59dc5b2b9f558c97c3462cad9b4

SHA512
d3101952c5d4c3c428222aa2041e4ea148785cc1f03a7564f12c44d0a0364f447f2087095e8645a9a275838c909883b9538c82177e4349f485f917bb2475f1fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f40cc1b060d6c8647c2687b5ac2198f7

SHA1
fb894bb0a61e1ae6f8bb3bb225092aef175e4df5

SHA256
6f616b7aaefb2c22add2002106f71a7391ae6922d655d7fe7e0793d5e13351d8

SHA512
d6015cad6ae008e310bd46ea1a1c44f0a6e7c1ade594b6317a63f9b531bb40fe8a65fc69e093e2abfea1ee6253ee72c479e4e33e184a71f88157cf6364a79bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e41673412209736ef9a821a4294fc59

SHA1
bb851cd3f309994d5900da9b74a2ff7775b47ec7

SHA256
4bee26fc69983b95d163e96c0f0bc7d34f66430f04969a25ee387164651ec963

SHA512
c3605a7ea0c9c9a0b4859ab813138bfbb696e88d1e4ea70e196ac480d642c58c29f81be613b6102c7cc09cad89c8490df2ab74f495dca8cdf00eb9c0e7fcd2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c6bb.TMP

Filesize
874B

MD5
9cbcaa2584083f8aec96728fc8f247ce

SHA1
b9b6a75cca4a4f74eae763a8faad010ab790492e

SHA256
ac24ca003e20d8ccc76a19e392db6c83dff0bb2348acd5b6d049a9ae178b8caf

SHA512
9f4b879f577ddee060519c0b8d15d89ad33c9a20294b8f6b429ea5656d0295cdc8edd6ae54b88cef66250e53f1a29af4859316b6aad889fe51038609f11de779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
00a3fe2998a778fceca2a83d014587f5

SHA1
f53c1a81173b62a7559807880117da62bad2291e

SHA256
5e740c2f9d52ee6be47db8374a0f7b5faf42c42c02f31c5f4bedd507c7a3491f

SHA512
eeb039f0141a2b9f66f52a5a45381832ee0e3a8a157aaffbdad3e83484a4e72765d4e2f4041024d7c7874d7104d014662a8a2ef32215b234239df18056346ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be4fe771aa319b65651057da2aacc9c9

SHA1
8d3fe82e0c23f7a5546e87f6d400785c726df4e8

SHA256
4550910b211504b9853dec91746b611612bd836d1e951dcd817eb645c5b4c0f9

SHA512
e77e1190a196a788206048603716ee927768f87f1e80ba893c77ac0c4941c150cee07c7676b7245f1f0115e1d5fa049d29bc2222c74c414d5c81415b298e96d6

Download Submit
C:\Users\Admin\Downloads\MEMZ-virus-main.zip

Filesize
8KB

MD5
a043dc5c624d091f7c2600dd18b300b7

SHA1
4682f79dabfc6da05441e2b6d820382ff02b4c58

SHA256
0acffde0f952b44d500cf2689d6c9ab87e66ac7fa29a51f3c3e36a43ea5e694a

SHA512
ee4f691a6c7b6c047bca49723b65e5980a8f83cbbc129ddfd578b855430b78acf3d0e461238739cd64c8a5c9071fe132c10da3ac28085fc978b6a19ee1ca3313

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2184-259-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-261-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-265-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-266-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-267-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-268-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-269-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-271-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-270-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download
memory/2184-260-0x000001A71C870000-0x000001A71C871000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads