Resubmissions

  • 01-02-2022 13:08
    220201-qdmyjsdde8 10
  • 01-02-2022 12:57
    220201-p62fzabab6 10
  • 01-02-2022 07:00
    220201-hsnvdsbab7 10

Analysis

  • max time kernel
    384s
  • max time network
    429s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    01-02-2022 13:08

General

  • Target
    Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe
  • Size
    920KB
  • MD5
    65523cf4b441d2dbe144566c4bea5849
  • SHA1
    119d9e00c6b08f5e93f477a9429c263390e4a4c2
  • SHA256
    09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92
  • SHA512
    348e742fae24048357e04e10872228438c1a327b7292944beefb0b885b7f9995d01b0aec2e0a5316cf5ac6bcc2f8afd7868076d477bf6b09791d3127b57a089b

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.5
  • Campaign
    pvxz
  • Decoy


Extracted

  • Family
    bitrat
  • Version
    1.38
  • C2
    homeplace.kozow.com:4449
  • Attributes
    • communication_password
      f51dc802382ce2b548bf73ff0726a31d
    • tor_process
      tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Formbook

    Formbook is a data-stealing malware family.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 10 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Detected potential entity reuse from brand Google.
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 7 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 13 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe
      "C:\Users\Admin\AppData\Local\Temp\Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe"
      2⤵
      • Adds Run key to start application
      PID:3496
      • C:\Windows\SysWOW64\DpiScaling.exe
        C:\Windows\System32\DpiScaling.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3200
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8c69c4f50,0x7ff8c69c4f60,0x7ff8c69c4f70
        3⤵
        PID:1116
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1660 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2744
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1608 /prefetch:2
        3⤵
        PID:1592
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:8
        3⤵
        PID:1256
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
        3⤵
        PID:1160
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
        3⤵
        PID:1200
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
        3⤵
        PID:1844
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
        3⤵
        PID:1448
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
        3⤵
        PID:368
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:8
        3⤵
        PID:1924
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1472
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
        3⤵
        PID:2724
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
        3⤵
        PID:700
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8
        3⤵
        PID:3676
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4020
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
        3⤵
        PID:3652
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 /prefetch:8
        3⤵
        PID:3988
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
        3⤵
        PID:3348
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
        3⤵
        PID:3664
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:8
        3⤵
        PID:2480
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2664
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
        3⤵
        PID:2484
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        3⤵
        PID:3996
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
        3⤵
        PID:2704
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
        3⤵
        PID:3988
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1416 /prefetch:8
        3⤵
        PID:668
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4976 /prefetch:8
        3⤵
        PID:1736
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4528 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3300
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2428 /prefetch:8
        3⤵
        PID:1748
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
        3⤵
        PID:3848
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
        3⤵
        PID:3196
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4592 /prefetch:8
        3⤵
        PID:1776
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:8
        3⤵
        PID:2480
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
        3⤵
        PID:864
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5168 /prefetch:8
        3⤵
        PID:60
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
        3⤵
        PID:3348
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
        3⤵
        PID:620
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
        3⤵
        PID:1044
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1
        3⤵
        PID:2392
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
        3⤵
        PID:1764
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8
        3⤵
        PID:200
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
        3⤵
        PID:3812
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
        3⤵
        PID:3744
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
        3⤵
        PID:2640
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
        3⤵
        PID:1208
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
        3⤵
        PID:3752
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:8
        3⤵
        PID:3064
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
        3⤵
        PID:1736
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
        3⤵
        PID:2672
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
                                                                                                3⤵
                                                                                                  PID:2392
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12638038351005608423,8876317546404406646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
                                                                                                  3⤵
                                                                                                    PID:604
                                                                                                • C:\Windows\SysWOW64\svchost.exe
                                                                                                  "C:\Windows\SysWOW64\svchost.exe"
                                                                                                  2⤵
                                                                                                  • Adds policy Run key to start application
                                                                                                  • Suspicious use of SetThreadContext
                                                                                                  • Drops file in Program Files directory
                                                                                                  • Modifies Internet Explorer settings
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1456
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    /c del "C:\Windows\SysWOW64\DpiScaling.exe"
                                                                                                    3⤵
                                                                                                      PID:3948
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
                                                                                                      3⤵
                                                                                                        PID:1272
                                                                                                      • C:\Program Files\Mozilla Firefox\Firefox.exe
                                                                                                        "C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                        3⤵
                                                                                                          PID:1668
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\axadtjq8.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\axadtjq8.exe"
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Adds Run key to start application
                                                                                                          • Suspicious use of SetThreadContext
                                                                                                          PID:2672
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\axadtjq8.exe
                                                                                                            C:\Users\Admin\AppData\Local\Temp\axadtjq8.exe
                                                                                                            4⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:2172
                                                                                                      • C:\Program Files (x86)\Llhbxnz\sdz8mzicha0or5x.exe
                                                                                                        "C:\Program Files (x86)\Llhbxnz\sdz8mzicha0or5x.exe"
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Checks computer location settings
                                                                                                        PID:3852
                                                                                                        • C:\Windows\explorer.exe
                                                                                                          "C:\Windows\explorer.exe" ms-settings:display
                                                                                                          3⤵
                                                                                                            PID:1288
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe"
                                                                                                          2⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:3984
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:2436
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:3804
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:3660
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:3204
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /main
                                                                                                            3⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Checks computer location settings
                                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:604
                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                              "C:\Windows\System32\notepad.exe" \note.txt
                                                                                                              4⤵
                                                                                                                PID:3936
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /watchdog
                                                                                                              3⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:2788
                                                                                                          • C:\Windows\system32\taskmgr.exe
                                                                                                            "C:\Windows\system32\taskmgr.exe" /4
                                                                                                            2⤵
                                                                                                            • Drops file in Windows directory
                                                                                                            • Checks SCSI registry key(s)
                                                                                                            • Modifies registry class
                                                                                                            PID:2484
                                                                                                        • C:\Windows\explorer.exe
                                                                                                          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                          1⤵
                                                                                                          • Drops file in Windows directory
                                                                                                          PID:800
                                                                                                        • C:\Windows\ImmersiveControlPanel\SystemSettings.exe
                                                                                                          "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
                                                                                                          1⤵
                                                                                                          • Drops file in Windows directory
                                                                                                          • Checks SCSI registry key(s)
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:3204
                                                                                                        • C:\Windows\System32\rundll32.exe
                                                                                                          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                          1⤵
                                                                                                            PID:200
                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                            1⤵
                                                                                                            • Drops file in Windows directory
                                                                                                            • Modifies Internet Explorer settings
                                                                                                            • Modifies registry class
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:4356
                                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                            1⤵
                                                                                                            • Modifies Internet Explorer settings
                                                                                                            PID:4408
                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                            1⤵
                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:4644
                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                            1⤵
                                                                                                            • Drops file in Windows directory
                                                                                                            • Modifies Internet Explorer settings
                                                                                                            • Modifies registry class
                                                                                                            PID:4712
                                                                                                          • C:\Windows\SysWOW64\DllHost.exe
                                                                                                            C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                                                                                                            1⤵
                                                                                                              PID:4916
                                                                                                            • \??\c:\windows\system32\svchost.exe
                                                                                                              c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
                                                                                                              1⤵
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:512
                                                                                                            • \??\c:\windows\system32\svchost.exe
                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
                                                                                                              1⤵
                                                                                                                PID:216
                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                1⤵
                                                                                                                • Modifies registry class
                                                                                                                PID:4596
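Added example (editor's illustration; not output of the sandbox and not code from any vendor or from the sample's authors): a parser for the process listing in the layout used above, with a few triage rules run over it. The input is a constructed excerpt of the tree (the svchost.exe branch, the MEMZ.exe /main node and one legitimate service host), the function names, the rule wording and the CRED_STORES list are assumptions of this example, and the technique IDs follow the ATT&CK v6 numbering that this report's matrix uses.

```python
"""Parse a Triage-style process tree and flag the behaviours worth escalating."""
import re
from dataclasses import dataclass, field

# Constructed input: part of the tree above, reproduced in the page's own layout
# (process bullet, command line, depth marker, behaviour-tag bullets, PID line).
SAMPLE_TREE = r"""
• C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  • Adds policy Run key to start application
  • Suspicious use of SetThreadContext
  PID:1456
    • C:\Windows\SysWOW64\cmd.exe
      /c del "C:\Windows\SysWOW64\DpiScaling.exe"
      3⤵
      PID:3948
    • C:\Windows\SysWOW64\cmd.exe
      /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      3⤵
      PID:1272
• C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe" /main
  3⤵
  • Executes dropped EXE
  • Writes to the Master Boot Record (MBR)
  PID:604
• \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  1⤵
  PID:216
"""


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = 0
    tags: list = field(default_factory=list)


PROC_RE = re.compile(r"^• ((?:[A-Za-z]:\\|\\\?\?\\).*)$")   # bullet whose text is a path
DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


def parse_tree(text: str) -> list:
    """Return Proc records in page order; indentation is ignored, the N⤵ marker carries the depth."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:                                  # new process node
            cur = Proc(image=m.group(1))
            procs.append(cur)
        elif cur is None:
            continue
        elif (m := DEPTH_RE.match(line)):
            cur.depth = int(m.group(1))
        elif (m := PID_RE.match(line)):
            cur.pid = int(m.group(1))
        elif line.startswith("• "):            # behaviour tag attached to the current node
            cur.tags.append(line[2:])
        elif not cur.cmdline:                  # first free-text line is the command line
            cur.cmdline = line
    return procs


# Browser credential stores that cmd.exe has no business copying (illustrative list, an assumption).
CRED_STORES = ("login data", "logins.json", "key4.db", "local state", "web data")


def triage(procs: list) -> list:
    """Return (pid, technique, reason) tuples. Technique IDs follow the ATT&CK v6
    numbering used in this report's matrix; None means no matrix entry is claimed."""
    findings = []
    for p in procs:
        base = p.image.lower().rsplit("\\", 1)[-1]
        cmd = p.cmdline.lower()
        if base == "svchost.exe" and "-k " not in cmd:
            # A genuine service host is started by services.exe with -k <group>.
            findings.append((p.pid, None, "svchost.exe without a -k service group: candidate injection host"))
        if base == "cmd.exe" and " copy " in cmd and any(s in cmd for s in CRED_STORES):
            findings.append((p.pid, "T1081", "cmd.exe copying a browser credential store"))
        if base == "cmd.exe" and " del " in cmd and ("\\system32\\" in cmd or "\\syswow64\\" in cmd):
            findings.append((p.pid, None, "cmd.exe deleting an executable under the Windows directory"))
        for tag in p.tags:
            if "run key" in tag.lower():
                findings.append((p.pid, "T1060", tag))
            if "master boot record" in tag.lower():
                findings.append((p.pid, "T1067", tag))
    return findings


if __name__ == "__main__":
    for pid, technique, reason in triage(parse_tree(SAMPLE_TREE)):
        print(f"PID {pid:<5} {technique or '-':<6} {reason}")
```

Run stand-alone it prints one line per finding. The parser ignores the nesting indentation and reads the depth from the N⤵ marker, because the indentation is what gets mangled when a report is copied out of the page. The signal to focus on in this tree is the SysWOW64 svchost.exe started with no -k service group whose cmd.exe children delete DpiScaling.exe and copy Chrome's Login Data to Temp\DB1; that copy is the kind of activity recorded under Credentials in Files (T1081) in the matrix, while the legitimate svchost.exe -k netsvcs instance is left alone.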

                                                                                                              Network

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                            Matches  ID
Persistence        Registry Run Keys / Startup Folder   2        T1060
Persistence        Bootkit                              1        T1067
Defense Evasion    Modify Registry                      3        T1112
Credential Access  Credentials in Files                 1        T1081
Discovery          Query Registry                       3        T1012
Discovery          System Information Discovery         4        T1082
Discovery          Peripheral Device Discovery          1        T1120
Collection         Data from Local System               1        T1005

                                                                                                              Downloads

• C:\Program Files (x86)\Llhbxnz\sdz8mzicha0or5x.exe
  MD5     87e4bb0a76b0a2c7d3246a014ca81aba
  SHA1    71a8281b31c8702a9c6582b01d574d3f62268d8d
  SHA256  376fd0e6c1f5fe65b99d7377fbb1e97ee7cd90e4d2eeeb2eaa0b6223cd784a2a
  SHA512  1fa170ef2ac672c51cbbcfa2515e88f5079a60586839cfb84df50f58d22b52e8c25f36fc003ba24e9a26064b94ccb064e506efbbf9939408444886424570362f

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  MD5: 8ca78a5f7c6d1185833bdca7c587eeae
  SHA1: cb84babc09c6869b56c7e86d38ca5bae57fd2c00
  SHA256: 9e1f94ac4eb55b274dc487354e1d803a6fdaa6e02ed6bc073afa6028479e6df4
  SHA512: 77f387a1a1a95447fdc5bd0919e4ec6c5bef2a8786eeb892cbd08bca493c64870e1896d8aecacb1abe67397d08693c50b669b5fa614a1940a071bdf091a1b3f3

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  MD5: 41dcc1bea8c30b44ff9b0fca15bd3650
  SHA1: 7568e9cec185b3c2f95177ffa9a5f60a9021eb36
  SHA256: 770aff47ac3628aa6cb9ef63285045c20f179c2b2afecbf42f61fffba70d12be
  SHA512: 78dbc7d9189b7d441144c8b7279cc885a44c75f986286411b178a59c96eac70a60b6ae9e4fbe848ca3f29868af140efccad21654e2316fcd83683a43ca81643e

• C:\Users\Admin\AppData\Local\Temp\DB1
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

• C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\MEMZ\MEMZ.exe
  MD5: 19dbec50735b5f2a72d4199c4e184960
  SHA1: 6fed7732f7cb6f59743795b2ab154a3676f4c822
  SHA256: a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
  SHA512: aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

• C:\Users\Admin\AppData\Local\Temp\axadtjq8.exe
  MD5: ff476c4a1f50a3bbac330d380d7f6a16
  SHA1: 701188aee494733ad75919636b65659ff6d15bb6
  SHA256: 9f9c0f6ab3b081afef2191c79be5bb8335317620bdd3135aed53834bd9a16c92
  SHA512: 49ff0747dd03cdaf27387ec6b6b2451d4fa8e6ff186b2a758817523874a995523bc44a40f6f129a79c82841be91caac4c524d6d36d8533e7288ef6a7b0ce0efe

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
  MD5: 1021aec5362eec97491ec78812636da7
  SHA1: 53f72a9ae23b3dfc99aa241ea9d0b4aed74cbb86
  SHA256: 749af674e412f6e5dd3f26bd4c2313585d3fe784faafa82b3425c9b51daa1d3c
  SHA512: cbdb33cf9f79e9f0a7aafaeeed1feae54afb51510e7a2666ba42770d54f7a6eee0a2399321695e793cdfaca49fb441fa8e60d56bd0f76e7b9b2a4933045e14d5

• C:\Users\Admin\Downloads\malware-master.zip
  MD5: 5eba758ab6c01a378d8f67c30e327cba
  SHA1: 5e0040767b9093e337ee6384f8a2830ddf2a0f76
  SHA256: 5d8e8e31e5529bf443f5d654a21bc0ec836520348ee91b185eb1477d67258bd6
  SHA512: e4a8b7760cd6e8f02ae54f9f3b0b9980a9fef6a820ccdd1a5821aefbca8469887c33e346ea216575ccca003aa0c85fd51b7317a0552124dfd8c29e469fbd3d2c

• \??\pipe\crashpad_2284_WYBQTHFQMIUFJACE
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/800-299-0x0000000004C70000-0x0000000004DB4000-memory.dmp (Filesize: 1.3MB)
• memory/800-261-0x0000000001110000-0x000000000111F000-memory.dmp (Filesize: 60KB)
• memory/1288-300-0x00000000048D0000-0x0000000004A5A000-memory.dmp (Filesize: 1.5MB)
• memory/1456-211-0x0000000000E20000-0x0000000000E2C000-memory.dmp (Filesize: 48KB)
• memory/1456-213-0x0000000003A20000-0x0000000003D40000-memory.dmp (Filesize: 3.1MB)
• memory/1456-212-0x0000000002E70000-0x0000000002E99000-memory.dmp (Filesize: 164KB)
• memory/1456-214-0x0000000003700000-0x000000000388D000-memory.dmp (Filesize: 1.6MB)
• memory/2172-334-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
• memory/2172-332-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
• memory/2172-335-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
• memory/2672-226-0x0000000000550000-0x00000000005FE000-memory.dmp (Filesize: 696KB)
• memory/3040-215-0x0000000005440000-0x000000000554A000-memory.dmp (Filesize: 1.0MB)
• memory/3040-210-0x0000000003170000-0x000000000323A000-memory.dmp (Filesize: 808KB)
• memory/3200-208-0x00000000045A0000-0x00000000048C0000-memory.dmp (Filesize: 3.1MB)
• memory/3200-209-0x0000000002C90000-0x0000000002CA1000-memory.dmp (Filesize: 68KB)
• memory/3200-206-0x0000000072480000-0x00000000724A9000-memory.dmp (Filesize: 164KB)
• memory/3200-205-0x0000000000B80000-0x0000000000B81000-memory.dmp (Filesize: 4KB)
• memory/3496-121-0x0000000000840000-0x0000000000841000-memory.dmp (Filesize: 4KB)