9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

Analysis

max time kernel
90s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 00:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

node-v22.11.0-x64.msi
Size

28.9MB
MD5

fa9e1f3064a66913362e9bff7097cef5
SHA1

b34f1f9a9f6242c54486a4bc453a9336840b4425
SHA256

9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b
SHA512

ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f
SSDEEP

786432:EtShU+9S49htlhk3tKuiU9IsO9IP1/lBMS8k4:EAUK/U9IN961/l

Score

6^/10

bootkit discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1756	msiexec.exe
3	1756	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	MsiExec.exe
1684	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1756	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ-virus-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
572	msedge.exe
572	msedge.exe
1616	identity_helper.exe
1616	identity_helper.exe
1460	msedge.exe
1460	msedge.exe
2008	msedge.exe
2008	msedge.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1756	msiexec.exe
Token: SeSecurityPrivilege	3036	msiexec.exe
Token: SeCreateTokenPrivilege	1756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1756	msiexec.exe
Token: SeLockMemoryPrivilege	1756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1756	msiexec.exe
Token: SeMachineAccountPrivilege	1756	msiexec.exe
Token: SeTcbPrivilege	1756	msiexec.exe
Token: SeSecurityPrivilege	1756	msiexec.exe
Token: SeTakeOwnershipPrivilege	1756	msiexec.exe
Token: SeLoadDriverPrivilege	1756	msiexec.exe
Token: SeSystemProfilePrivilege	1756	msiexec.exe
Token: SeSystemtimePrivilege	1756	msiexec.exe
Token: SeProfSingleProcessPrivilege	1756	msiexec.exe
Token: SeIncBasePriorityPrivilege	1756	msiexec.exe
Token: SeCreatePagefilePrivilege	1756	msiexec.exe
Token: SeCreatePermanentPrivilege	1756	msiexec.exe
Token: SeBackupPrivilege	1756	msiexec.exe
Token: SeRestorePrivilege	1756	msiexec.exe
Token: SeShutdownPrivilege	1756	msiexec.exe
Token: SeDebugPrivilege	1756	msiexec.exe
Token: SeAuditPrivilege	1756	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1756	msiexec.exe
Token: SeChangeNotifyPrivilege	1756	msiexec.exe
Token: SeRemoteShutdownPrivilege	1756	msiexec.exe
Token: SeUndockPrivilege	1756	msiexec.exe
Token: SeSyncAgentPrivilege	1756	msiexec.exe
Token: SeEnableDelegationPrivilege	1756	msiexec.exe
Token: SeManageVolumePrivilege	1756	msiexec.exe
Token: SeImpersonatePrivilege	1756	msiexec.exe
Token: SeCreateGlobalPrivilege	1756	msiexec.exe
Token: SeCreateTokenPrivilege	1756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1756	msiexec.exe
Token: SeLockMemoryPrivilege	1756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1756	msiexec.exe
Token: SeMachineAccountPrivilege	1756	msiexec.exe
Token: SeTcbPrivilege	1756	msiexec.exe
Token: SeSecurityPrivilege	1756	msiexec.exe
Token: SeTakeOwnershipPrivilege	1756	msiexec.exe
Token: SeLoadDriverPrivilege	1756	msiexec.exe
Token: SeSystemProfilePrivilege	1756	msiexec.exe
Token: SeSystemtimePrivilege	1756	msiexec.exe
Token: SeProfSingleProcessPrivilege	1756	msiexec.exe
Token: SeIncBasePriorityPrivilege	1756	msiexec.exe
Token: SeCreatePagefilePrivilege	1756	msiexec.exe
Token: SeCreatePermanentPrivilege	1756	msiexec.exe
Token: SeBackupPrivilege	1756	msiexec.exe
Token: SeRestorePrivilege	1756	msiexec.exe
Token: SeShutdownPrivilege	1756	msiexec.exe
Token: SeDebugPrivilege	1756	msiexec.exe
Token: SeAuditPrivilege	1756	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1756	msiexec.exe
Token: SeChangeNotifyPrivilege	1756	msiexec.exe
Token: SeRemoteShutdownPrivilege	1756	msiexec.exe
Token: SeUndockPrivilege	1756	msiexec.exe
Token: SeSyncAgentPrivilege	1756	msiexec.exe
Token: SeEnableDelegationPrivilege	1756	msiexec.exe
Token: SeManageVolumePrivilege	1756	msiexec.exe
Token: SeImpersonatePrivilege	1756	msiexec.exe
Token: SeCreateGlobalPrivilege	1756	msiexec.exe
Token: SeCreateTokenPrivilege	1756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1756	msiexec.exe
Token: SeLockMemoryPrivilege	1756	msiexec.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1756	msiexec.exe
1756	msiexec.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2232	MEMZ.exe
3016	MEMZ.exe
908	MEMZ.exe
3396	MEMZ.exe
2232	MEMZ.exe
908	MEMZ.exe
3016	MEMZ.exe
3396	MEMZ.exe
2232	MEMZ.exe
3016	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1684	3036	msiexec.exe	83
PID 3036 wrote to memory of 1684	3036	msiexec.exe	83
PID 4576 wrote to memory of 652	4576	msedge.exe	85
PID 4576 wrote to memory of 652	4576	msedge.exe	85
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 1056	4576	msedge.exe	86
PID 4576 wrote to memory of 572	4576	msedge.exe	87
PID 4576 wrote to memory of 572	4576	msedge.exe	87
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88
PID 4576 wrote to memory of 2380	4576	msedge.exe	88

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v22.11.0-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0EAAFA9BA4AD2D9CD8B2DFCF0318FD29 C
  2⤵
  - Loads dropped DLL
  PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb50f93cb8,0x7ffb50f93cc8,0x7ffb50f93cd8
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17120076546497092418,12233811352731589428,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004C8
1⤵
PID:244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:224

C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4280
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3016
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2232
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3396
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:908
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3464
- C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:3876
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6881039760c82d41924ca2f8b3c2140c

SHA1
e9cdd3227ee9ce0dfb17900473684d838f302ea0

SHA256
58cbf86775c403020470f362868bd6c5d45c06b56e2fd11b17333bfec3d7f8b4

SHA512
d95bd0cf7d49a7f6fdfb77f1cff26925bad2e0536fecbb494a7069e9a5fa9520d0ff7159a0c890eb95cc88fe6c1671f090bb0da297eebd32bc76a1b20f72a3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c75311872913dffea233ca3e36119005

SHA1
70f337d0a98760066c2612ea2b5fcc300a871a29

SHA256
415397594acdae575fbcacf72b37a0e400addb57c0d22b66059f3af9bc83db79

SHA512
9a4d39b2b3d536f135db7d6e94ae3ca4ecc65e2d0e6997cda992151359c48a7954fced77b9e8610c86b253ee2409ef0dd1122858b91752b811a10791aa95e22c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8eefa970f7782cbe0f3ba08d8cea2abd

SHA1
feb27db3d179cfa4695a93b4632ca00dd8fc20bd

SHA256
cb1960eab3c0223879d10b3b97b6d46100049092e1888e07464509c573a9bed6

SHA512
f87df83819605d0cf2ac2cd4bd3e1b79938ecb44c7c60776cd76452f1aa869adc5c3567b81d54107cb4e283c3950a741b7e833035267c7e847d838e359d8861d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93dc3240ba5a7e985e4ca22d52aa8251

SHA1
5072d211c0e3ff2b6bdf2172ce78338879c634bf

SHA256
8e9ba608c8ba396d4ffd4af2ee6a1714d899986547163a201f06c9fceaa4c2f3

SHA512
35cc0a8ca3b1749673dc23a9ee9e76aa4fcb61f4bf84de59bb024fbdb1cb10d5fe440b65ed0965a96f13616d8a4f537f2b08e971645c06071eb8d42395e703be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e6d36c6d4861b10bc7322b664d518122

SHA1
698b8fd74c8418c05f049a0a4d612810d01fa8a7

SHA256
242e22572abb04bbf132783a9aab6d8102e39c324e2867d8050d36d11bc7ddcb

SHA512
dfc74129c9f4ad905d35bc0cabbe9fbd8501f36e8e4adaff4201b131756e02143beee18db74bb361047c5004a1f6fe2827c288a5924f6c1d803a164837bafe81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cc34.TMP

Filesize
1KB

MD5
fd832a36bf92bba2bcc329d9ba8ff476

SHA1
672015fad13e91165106eb28f8e669a27631a49b

SHA256
0537b8a737555f9a871f8277259b1cc3fce32769839dbbbd28a0b8892b8efa1e

SHA512
8c498b16c1e1eb5d2373b72e4fa7753969ffa21471a1bba8128e37fccf7906a514bc8d5ba4650ab9d63248a3c0ddd0b1aae4a4e8a3c4c6671facdbe592c66ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9d94eb5963fabf82a10f4a327c1b2c1a

SHA1
70d76afc14fba2b66856b041101cc3dff3c1cb26

SHA256
ebb454d02d23f2911fb37b4018060f244aaeeca093dc62db2361a7eb5df44a78

SHA512
2d000d8808ef5f71d3dc0e837a3a32773ab621b5179895ab10c7acb45a37580a956b09b1799f2f02a3f1106a4ab5a83af2839e54821a8ff9ebcb822895153c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ff5b9784b73e63ca278975f89eb60531

SHA1
87a774770f7b1fb650c86f2c7a29a6c7fb9ee6ef

SHA256
0920dac1a62abf8329a87bd7726e24ebd7470dc343798585227271b0fe6a96fe

SHA512
7c94bb9730d82371a9aaa8e6599cab6c37c0404bc9b45fe821462f1529a7878a6af1b7ad36bd9800c96a3d6c5d404ad55a552770eaf673a94da24ac0f8747412

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDC46.tmp

Filesize
144KB

MD5
7fa9d662d634534d7c2240dd126bdeee

SHA1
bd01e22ed2da0d0d485824b372ac67da683863d2

SHA256
c0e8683b697b3c6e55deb4497d3434d6e2cc841eb8c9a1b7d3f8907cff7de206

SHA512
cbc737e3eb94151c9dacaa5ee780cb550176ca2be2e0c66925884b5bc6222b7bcde5ed66e881f2a76f3d26edf5331abf0e74c819ad4f5fd7d0819bc4c138bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDCD4.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\Downloads\MEMZ-virus-main.zip

Filesize
8KB

MD5
a043dc5c624d091f7c2600dd18b300b7

SHA1
4682f79dabfc6da05441e2b6d820382ff02b4c58

SHA256
0acffde0f952b44d500cf2689d6c9ab87e66ac7fa29a51f3c3e36a43ea5e694a

SHA512
ee4f691a6c7b6c047bca49723b65e5980a8f83cbbc129ddfd578b855430b78acf3d0e461238739cd64c8a5c9071fe132c10da3ac28085fc978b6a19ee1ca3313

Download Submit
C:\Users\Admin\Downloads\MEMZ-virus-main.zip:Zone.Identifier

Filesize
151B

MD5
c0aaf6dc437b95d10bb053831c3cba7c

SHA1
f3b57f1b2dfc8a4ca0f366b7d1051d68f59110d7

SHA256
5d3db06bf246f33b99bfabbac16d6142e6bac695092228d5367b3cc03959653a

SHA512
9effe9ccb34ac61508648e32efb4f7fe8dd5ce195259f60707c720ac4cb9ebee0f5e944bda0ebd804eb441a8a32cf56336677389a9ad59a8c1d4402c164f2ff0

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads