hxxps://github[.]com/Dfmaaa/MEMZ-virus

Analysis

max time kernel
120s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 09:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Dfmaaa/MEMZ-virus

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629259545-4196337482-2684730723-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ-virus-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
3444	msedge.exe
3444	msedge.exe
4252	identity_helper.exe
4252	identity_helper.exe
1596	msedge.exe
1596	msedge.exe
1588	msedge.exe
1588	msedge.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe
4920	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2496	MEMZ.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3032	OpenWith.exe
1636	OpenWith.exe
3124	OpenWith.exe
876	OpenWith.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe
4392	MEMZ.exe
2496	MEMZ.exe
4920	MEMZ.exe
3160	MEMZ.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe
4392	MEMZ.exe
2496	MEMZ.exe
4920	MEMZ.exe
3160	MEMZ.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe
4392	MEMZ.exe
2496	MEMZ.exe
4920	MEMZ.exe
3160	MEMZ.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe
4392	MEMZ.exe
2496	MEMZ.exe
4920	MEMZ.exe
3160	MEMZ.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe
4392	MEMZ.exe
2496	MEMZ.exe
4920	MEMZ.exe
3160	MEMZ.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe
4392	MEMZ.exe
2496	MEMZ.exe
4920	MEMZ.exe
3160	MEMZ.exe
2496	MEMZ.exe
4392	MEMZ.exe
3160	MEMZ.exe
4920	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4040	3444	msedge.exe	82
PID 3444 wrote to memory of 4040	3444	msedge.exe	82
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 940	3444	msedge.exe	83
PID 3444 wrote to memory of 3964	3444	msedge.exe	84
PID 3444 wrote to memory of 3964	3444	msedge.exe	84
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85
PID 3444 wrote to memory of 1820	3444	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad6a73cb8,0x7ffad6a73cc8,0x7ffad6a73cd8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3740

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5008

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:876

C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1436

C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3068
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4920
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4392
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3160
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2496
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  PID:3060
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:4424
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0f7c8f29e855c33ef4092cdfc2ec0a4c

SHA1
db6eb184137c0480fc73d6803e9b71a20f0b2066

SHA256
b01c3d129f1a499fcade8496bd824bda062a0390bc4d04ccfa77696112c89d58

SHA512
1025c240c57325d5bc394f4c593b61a951f35448868f179e8fcaefa00f60e75fa6ef5bc84e768d2526831a4a6070e67e78b159b88d72ca789fb65f55535d2f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6d3f8df50f4e8800dcbd5fd773aa6da8

SHA1
bb98e6a9da020326e7fbde6fe37e330e90d1d546

SHA256
036b439d9115e20ed1f57085fc45f342d4e487718b07fbae2036ff4c2dcf6a9f

SHA512
f6e0d0c564a1adb05457e9179b7b4e82e0449f7dabd08fc2daa4eb11720680d4b2339ca06fd9f6cfabe38714c64bdb95a9c6d4885b70115870fb57d08424d733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
98b41f063cd0d5797c008b31c7782fb5

SHA1
2ab6ccd643ecf6e8f9817d57be0dfbb833e6faf3

SHA256
c0c9a6d3b4467fcda8b8455ca1003bd043165266256ccc23cdbe46a056638b21

SHA512
e80758dc35cc6bc2802d303b9031c5baa06d8799e59746fa7785d8fbaa83bca4d3c292a8167b7094afdb7c88a51b5a887f72c8f0b38b8565effa5bae1d92ad8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
37baf21f6884d62dd3fae3bcac0e3f54

SHA1
86387f81e0e639f4b89ac148a2611dbe17c692e5

SHA256
fd6b196dedb818f06d7e045bc0ca39921765ba16deeb416261c8605de41aa1be

SHA512
13d36ff793b191e5036fad9a998d653eba70f27900f205c8eb1e2b336837f6a6b9977e0129b0645844b6d40a08883ccbc71b132e22f5577c5db8b44ad4f74461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c081eccfed8df8377cf5e2acf03f1ea4

SHA1
5cf4cd51d19754c254ae7e07c6a458ea4b7c13e0

SHA256
552f23f202a69ee85caa4541e3e3932a4be7d19e9eca474e126af27f5290c48b

SHA512
51b947b2ba82031f83c4e60bb1714b36538e8207f793e170c2a38f3f98fc4a186f8e71f585949c323dede677599d1a3a52f721ec2c84efc0c70a67dea57c85a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80994b31fb3b0735284bad7e7d339584

SHA1
4db461fee847afc58e9364bda6851e4e385862b1

SHA256
34b72b0a4d4880c0ebf3352eb4058008f5420a6583247752603a11cb963ceb5e

SHA512
7061a7deac148d900acac84bae189a643d65a790beb9e3c18e2f6cb37f45c1e4a34a06a72724577379691806b562f37b6bfe96edff5c1e993975acdb9ad41a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ed44f723a07a41af8ccf97c1bb68d01

SHA1
f1ba4dbe31771a7da8f2f2c70c29ca77f7c01b26

SHA256
3ca3f3f2cf6322dbc3c6049a33a90052b42e1eb3db6f9213cc5d4797014e7df0

SHA512
882a1c3e970bb7130a325c183b76acd5d8b30ed49a5a163a47785d55830c0f2fe3c6410e4f00560d89649174b7d2710ae5d38f784ac0cfd33e9771f5bfce117c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f1eabde01eadd36a4735ccc28c06a53d

SHA1
f2946ab7f5a6677e911895ce0aa9e7e25a6c53c3

SHA256
d790e1c3b23cfe18cbf158d8cbe7e6ed6fa1172093d95505e816d928a3b35d26

SHA512
9ec8c4d1ddc9c6155c84c69d4b76956e429f0aeef2e382446159a8de29d01a63ce45492818774edb71d11678cb50d6784525b7b94cf5f4258b3168fd6bb35413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f973.TMP

Filesize
874B

MD5
e0b412d098d07ce0e3e16d290f391013

SHA1
9279439a8df7a089add622160c69eee8f9bb44de

SHA256
915a6ebcf1a4b5720f6f3486b31f8a6d15691ffc64d17fee2f253b8c83b5fa84

SHA512
46b0abb6bca5b8a11c6ebdae6874d8f365e6577527689ed132e3c47fa7185e11672b314e3bd0eb6419286bdd3df20a27aba4bc6f1d75bd8a133396eea2970e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb37d15b47a6b008e18202c48a9425e8

SHA1
5b4f86e486548bb9f982716a5b3df138aac56759

SHA256
d424b2b3c480fbbe0723b65dcbb14b0804f9db731963f6821a846553940198a0

SHA512
3a35c46d37024e75e1528a2e5f9f7de6cec7984bcbd08609e0014d0603b641a6314669e307759a944388172e5cb43a5f924b6bafe9e96aab04253d5d4573d0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ad6cfc9b-0b62-42f7-863f-7b2f5809ce6e.tmp

Filesize
11KB

MD5
f8e16bddff64542c2122fb2110c9ebe7

SHA1
02e1c35858444c1df068ef84043b6e2c4b571630

SHA256
6e013406e1c3dc0288c083b2f234a2b85a395c51879baa8f5d4c71dfde9492b0

SHA512
928f60af84c19da96bbc8e97c242ce0709be2c787d3f49e8692bdbeabdd4973e44353cf6ed8cd8537d12dcfb623b760e8220d103fa343924e9f8cc580039f086

Download Submit
C:\Users\Admin\Downloads\MEMZ-virus-main.zip

Filesize
8KB

MD5
a043dc5c624d091f7c2600dd18b300b7

SHA1
4682f79dabfc6da05441e2b6d820382ff02b4c58

SHA256
0acffde0f952b44d500cf2689d6c9ab87e66ac7fa29a51f3c3e36a43ea5e694a

SHA512
ee4f691a6c7b6c047bca49723b65e5980a8f83cbbc129ddfd578b855430b78acf3d0e461238739cd64c8a5c9071fe132c10da3ac28085fc978b6a19ee1ca3313

Download Submit
C:\Users\Admin\Downloads\MEMZ-virus-main.zip:Zone.Identifier

Filesize
151B

MD5
c0aaf6dc437b95d10bb053831c3cba7c

SHA1
f3b57f1b2dfc8a4ca0f366b7d1051d68f59110d7

SHA256
5d3db06bf246f33b99bfabbac16d6142e6bac695092228d5367b3cc03959653a

SHA512
9effe9ccb34ac61508648e32efb4f7fe8dd5ce195259f60707c720ac4cb9ebee0f5e944bda0ebd804eb441a8a32cf56336677389a9ad59a8c1d4402c164f2ff0

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads