3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
19-07-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe
4600	MEMZ.exe
4600	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
5072	MEMZ.exe
5072	MEMZ.exe
2692	MEMZ.exe
2692	MEMZ.exe
2692	MEMZ.exe
2692	MEMZ.exe
5072	MEMZ.exe
5072	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe
4600	MEMZ.exe
4600	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
5072	MEMZ.exe
5072	MEMZ.exe
2692	MEMZ.exe
2692	MEMZ.exe
2692	MEMZ.exe
2692	MEMZ.exe
5072	MEMZ.exe
5072	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe
4600	MEMZ.exe
4600	MEMZ.exe
4600	MEMZ.exe
4600	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
5072	MEMZ.exe
5072	MEMZ.exe
2692	MEMZ.exe
2692	MEMZ.exe
5072	MEMZ.exe
716	MEMZ.exe
716	MEMZ.exe
5072	MEMZ.exe
1632	MEMZ.exe
1632	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2684	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2368	wordpad.exe
2368	wordpad.exe
2368	wordpad.exe
2368	wordpad.exe
2368	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 1632	3636	MEMZ.exe	78
PID 3636 wrote to memory of 1632	3636	MEMZ.exe	78
PID 3636 wrote to memory of 1632	3636	MEMZ.exe	78
PID 3636 wrote to memory of 716	3636	MEMZ.exe	79
PID 3636 wrote to memory of 716	3636	MEMZ.exe	79
PID 3636 wrote to memory of 716	3636	MEMZ.exe	79
PID 3636 wrote to memory of 4600	3636	MEMZ.exe	80
PID 3636 wrote to memory of 4600	3636	MEMZ.exe	80
PID 3636 wrote to memory of 4600	3636	MEMZ.exe	80
PID 3636 wrote to memory of 2692	3636	MEMZ.exe	81
PID 3636 wrote to memory of 2692	3636	MEMZ.exe	81
PID 3636 wrote to memory of 2692	3636	MEMZ.exe	81
PID 3636 wrote to memory of 5072	3636	MEMZ.exe	82
PID 3636 wrote to memory of 5072	3636	MEMZ.exe	82
PID 3636 wrote to memory of 5072	3636	MEMZ.exe	82
PID 3636 wrote to memory of 2000	3636	MEMZ.exe	83
PID 3636 wrote to memory of 2000	3636	MEMZ.exe	83
PID 3636 wrote to memory of 2000	3636	MEMZ.exe	83
PID 2000 wrote to memory of 1072	2000	MEMZ.exe	86
PID 2000 wrote to memory of 1072	2000	MEMZ.exe	86
PID 2000 wrote to memory of 1072	2000	MEMZ.exe	86
PID 2000 wrote to memory of 3324	2000	MEMZ.exe	88
PID 2000 wrote to memory of 3324	2000	MEMZ.exe	88
PID 3324 wrote to memory of 3032	3324	msedge.exe	89
PID 3324 wrote to memory of 3032	3324	msedge.exe	89
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90
PID 3324 wrote to memory of 4276	3324	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8b5e3cb8,0x7fff8b5e3cc8,0x7fff8b5e3cd8
      4⤵
      PID:3032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 /prefetch:3
      4⤵
      PID:3840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
      4⤵
      PID:1240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
      4⤵
      PID:2688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
      4⤵
      PID:3812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
      4⤵
      PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:1924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
      4⤵
      PID:1512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
      4⤵
      PID:4736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
      4⤵
      PID:2428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
      4⤵
      PID:2080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
      4⤵
      PID:4504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      4⤵
      PID:1580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
      4⤵
      PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
      4⤵
      PID:812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
      4⤵
      PID:816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,18261233855727039443,2716081956684796391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
      4⤵
      PID:1552
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2368
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe
    3⤵
    PID:5040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8b5e3cb8,0x7fff8b5e3cc8,0x7fff8b5e3cd8
      4⤵
      PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=vinesauce+meme+collection
    3⤵
    PID:1756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8b5e3cb8,0x7fff8b5e3cc8,0x7fff8b5e3cd8
      4⤵
      PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus
    3⤵
    PID:2080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7fff8b5e3cb8,0x7fff8b5e3cc8,0x7fff8b5e3cd8
      4⤵
      PID:3436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:860

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1998107017edc46fed4599ad24cfe53

SHA1
47e92f0646f0de9241c59f88e0c10561a2236b5e

SHA256
cc6838475e4b8d425548ceb54a16d41fb91d528273396a8f0b216889d79e0caa

SHA512
ef7228c3da52bf2a88332b9d902832ed18176dfff7c295abfbaab4e82399dc21600b125c8dad615eb1580fab2f4192251a7f7c557842c9cac0209033a3113816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21cf39beee4d807318a05a10dc3f1bf3

SHA1
01ef7fc09919eb33292a76934d3f2b5ba248f79c

SHA256
b766823dabbf6f78e2ee7c36d231d6708800126dc347ce3e83f4bf27bc6e2939

SHA512
0baf8b0964d390b9eb7fafd217037709ac4ab31abcdf63598244026c31284cd838f12d628dcffe35d5661ba15a5e4f3b82c7c2d9226ac88856a07b5b7b415291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f8e60b8f3236dd403bb27608654283f6

SHA1
8798fcb5bce005fc7b88536ea3c05447fb763e76

SHA256
ccf5270db5e29a60b7b9b60c6fbb0ee760c53e9e6a0eaf77c8bae445300630dc

SHA512
3df1c289073cfd71022f1a114a99e2f46df7f2e17cdf631bf1679b0d7c7f4548c8f23ced067aaab156c342296a5bbcff9b8368c34b93df2aa9da952d336e01b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
175354d2e1235246c295a906884d194d

SHA1
42af6391af2405237845f4f74cb06dc52173c70a

SHA256
a6ff2cd330142f98ed93ca22daa59b9af391ed5f808662afff64523a03ca82b4

SHA512
1e69679ed061228deecdfc34cd3bc564815104ce16cf42d971177c03739914750cd240191a7299a05aea8c3eaf3d7b144a0e31dcaaaa03332453b978924ee79c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b9f740d62b0d4a8536a6ed4cc2471b71

SHA1
2085e6127cd5bab0b34ef1524283c9f1ceef9c62

SHA256
4894faf7383985bf7c05f9ac97923677f7c013b4cec2be388db52d5bcfa4bbd9

SHA512
a66061f136405d5824749668b19b819fee3060cf3746e1c4fe6e5ad4199480d62783ad4112bfbaf5eb8343b511820291cdbabfc86561d0941d6487523b5d48b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
814B

MD5
77738c8684e76249729274bf66de2ebf

SHA1
74e3c77b0ce59f3d7e0e0230f0281561af9e0714

SHA256
f597986037a9088adce6403abcb252b30f45ffd5c2937adf3a47dfcc6b002ce5

SHA512
faf63876ec8a802b9a635706f4056f50a67989ad15d4b40f57a026278d6c8eaa110333d61ceb7015f72eb887d50325c7daeba41ab088e8b21c7c694593ccd73d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dfef9866ab54648494830aa293a464b3

SHA1
8751e4e3bc2ccce9565dfc1682fd0fe160708beb

SHA256
66498a5e0b8d052f9d14360ae76df9c4d257ca77167612caab837ecf5dd8e265

SHA512
d77a13d55c728836e64c79eb853a6b4a5c2d19162881de2a39d9925a5fc686c3c11fbbfa4e1dfa6f5bf1b40c7aeba14961b3f703d1af984d292ba80f2038d349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e65022de7362a2ae2dc27fad4854d0d0

SHA1
27aba63b684f5d64c8515b31beec75d7b8fe97b2

SHA256
056adb14c8a19825eeda9a4e396abd7bc8d298d517ef67ec45fa4f9cfdb25210

SHA512
55a745b1e077e67b282d260e1e3e564c4ddbbead9b7d57e84572431d9715fa99a555055987fcfc27d123b5402ca2f62110b4e83e427a1e50d9eda454fc4b763b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0114ee549b828e38f6de572bb634f47d

SHA1
b9433b4f5732f87aab8f7d8c5e5edbb1bbc56b23

SHA256
7d7084319bfb86f870ca8186279f32bccebcea5d9dd2fb2bf4b06729659e63b7

SHA512
51692e6d4617068f8dc1a308c66d0f380f0519075430688d62f82f1421f5e990961236b535a1bcf944bbfa1843a616c99e2b95b2770730fdbccd38af78177ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
471d2348ad86f11cddef6fed84154695

SHA1
8eec7bdd2c1a4c008736617e6897cbc6bd146bee

SHA256
ecafcd256448cf0955c5bd8d10461bc7ce1525e7f97485c098373eeb5a578620

SHA512
f73f611b0e7c6e7752d7643df938838194b3cc5fcf379ccdeb13fc70062a098ad3815eb429fd9d02cc1924557eae0ce9268cdafa892812c9d2b18bef3d2ef777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ae29039bb2464f8eaac927b0d898477

SHA1
2c576a0975d6f6980aa67dc66dff02616bb24eb6

SHA256
7c02d96ef47e5d00558c06d7f47e0f48de0c7062236095a451b585983d58627c

SHA512
66d2ad1cbe72fad9c38fe1c5bbbcfac438caf38fe2d93dab8f0d54ff8cc2a878fe69d2838d36858a8ba936bc601d20b88f4e72988bbba3db29dd0ef77b65bd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e1d52731fe513612fd6eead33d86f76

SHA1
1180501db4b378f3a6cd615f07ce3a64a34c149e

SHA256
7ea5d17990a1e9a32fedc3f29fa7b9debb4f4d64fb9eb8e6e4565dc7640284d5

SHA512
516db467aec02185425d753ea660a88e2c3f2e96f69daab604e50cb0a770bf38f8313ce03132aa72e3f48232d76a382e1f9d60770e6a5c45eb4347e14cab1dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f80330f4e26da6df7e15dbb8b6de863b

SHA1
afc01956cf11d44999a0ab3a0a6aa35512ec2ea5

SHA256
5ec6bea56e636698bb5e7b9a9e87ebe38d0993a640cafbdc7d35875edd8b88b8

SHA512
9ab1d3489989bd78538ec851d22615be6dc43f7f9ff2a49fe0a0e5af88c8554cc5ef5aecf10abfdeaefaf9ee06ceaef6ca904180aa0b1a5eef28f3e227cc6771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8afe4d37282efa664df88dd70aa9ec81

SHA1
9782bc9dd4d03b4d4c89aeb22e63e7b9db723035

SHA256
518a0d3049a5b58a93f35e75585b3611a65aef8a6bffba480c1672f1556a5a77

SHA512
8fe85dc4addb854a21ad5eeadfa9f7f125b396c8da005266b2677feee98ee5735b1e4f0173a96305debb7bae5e8e3bbd0aed7d178cf4d456bf9abfef09020a9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e6b024569f1245a1cb4862317f3abfb4

SHA1
25c5c5527eb520b61d91c09ca443d7ec9c7ec27c

SHA256
265c67c44aec22ad507a09c0e2436d9d0829891e69e581a16894dea7ee89edfd

SHA512
45b3f72b46895580c52038cbed2b29de963f3c100d3b74917a8422de8b78d54bb0be5416f87d50f6c32be0d2500f5d579f7eea07ff066ecdd209833d4356a8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d7d718640111db433c400e764f62bbf4

SHA1
bbc208ce624985e7b9b75eb3baa6f0cc8e02d839

SHA256
426e68e0358c17737d1eb8bece969f7a5f04de25e44cf1ea221884fafc4d3cff

SHA512
0314bbe5fe759764b2f4290bc641756faa677649428198a66d4fb4630d4e3d77d5d0a3e9259df3666ac5a84e71e21ae6e75f6cae3bb31a4695e1156833ed3965

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit