340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
Size

222KB
MD5

d5bf56df56fb286035f2ba1be411577b
SHA1

83f913a90bc11aba30f7873455de57365b9f9bf2
SHA256

340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6
SHA512

897cf30a94f32ad87d8c56542f6fc07269e015b8b7a8f14f08eb07b431b9f70d25b7e509e8ae70bdcf37427d2b757a10adc7d569f42224f499c862d13a90b1f2

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

1496 MEMZ.exe
576 MEMZ.exe
472 MEMZ.exe
1952 MEMZ.exe
1812 MEMZ.exe
436 MEMZ.exe
1392 MEMZ.exe

pid	process
1496	MEMZ.exe
576	MEMZ.exe
472	MEMZ.exe
1952	MEMZ.exe
1812	MEMZ.exe
436	MEMZ.exe
1392	MEMZ.exe

Drops startup file 1 IoCs

Processes:

340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEMZ.lnk	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe

Loads dropped DLL 11 IoCs

Processes:

340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exeMEMZ.exe

pid	process
388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
1496	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe
1496	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359783403"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000b9b3736edac6a2095c8e303d9664880e637fe6123773acb14e172c369aee0ab4000000000e800000000200002000000063afdd7046c08d05eab3cab0c0a119bd013f26851742fffd595622f5eaf956ff9000000006ed0bb45e956414e603e5c6b767f7fb565ccd4ac417e0e671e4fe7ef6d0e785660c4e95e2663ff04d601ee21a0414ce4895eeea23822f35bb0cc32d7b6bf976b2e36b8b5ed4d5e41769d212c22128ac40cac1b3913c3d6379168b1859d37f78209fe102d6b0f96948b8c9df1440ed4b76dc7f10eb1d4177e4a6975938cc8d5ddd0f41fb9e03a60416262c50de10d64b40000000fd77787c54c299d7aab385a548777a6b71af14b4163362c3657e0916ff6ad0b233fd3937db0a873a5a8601678acdab12c6c35c1ddfc2fa1361c585fa51aa71d5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b0000000002000000000010660000000100002000000077d0dc1148d54bc844f507414688674f7ea3525d7d18a12acf9252c48d0be51b000000000e800000000200002000000025eb3a6786357930b69105be0c5688b3368010ba053e2b075782acb3fdced6bc20000000be4720e5c817dca5d6f68960ef5c5e5d99fbe2d917bdf6a6acc10527b9af3f44400000009e77a9c664c0e1e5f10f3be2291f94e71b37a3115790af4cac1cbe7407132a370d97e36651deea9e3ab9a3ef0391f9cb6363cce670ff77b98a7e594547993acc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f72360fc6bd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85420A01-D7EF-11EC-A2A7-5AC3572C4626} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
436	MEMZ.exe
1812	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
436	MEMZ.exe
1812	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
436	MEMZ.exe
1812	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
1812	MEMZ.exe
436	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
436	MEMZ.exe
1812	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
1812	MEMZ.exe
436	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
436	MEMZ.exe
1812	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
436	MEMZ.exe
1812	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
436	MEMZ.exe
1812	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
436	MEMZ.exe
1812	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
1812	MEMZ.exe
436	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
1812	MEMZ.exe
436	MEMZ.exe
472	MEMZ.exe
576	MEMZ.exe
1952	MEMZ.exe
1812	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	668	AUDIODG.EXE
Token: 33	668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	668	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2036 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2036 iexplore.exe
2036 iexplore.exe
1084 IEXPLORE.EXE
1084 IEXPLORE.EXE
1084 IEXPLORE.EXE
1084 IEXPLORE.EXE

pid	process
2036	iexplore.exe

pid	process
2036	iexplore.exe
2036	iexplore.exe
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exeMEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 388 wrote to memory of 1496	388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe	MEMZ.exe
PID 388 wrote to memory of 1496	388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe	MEMZ.exe
PID 388 wrote to memory of 1496	388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe	MEMZ.exe
PID 388 wrote to memory of 1496	388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe	MEMZ.exe
PID 388 wrote to memory of 1496	388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe	MEMZ.exe
PID 388 wrote to memory of 1496	388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe	MEMZ.exe
PID 388 wrote to memory of 1496	388	340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe	MEMZ.exe
PID 1496 wrote to memory of 576	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 576	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 576	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 576	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 576	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 576	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 576	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 472	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 472	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 472	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 472	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 472	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 472	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 472	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1952	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1952	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1952	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1952	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1952	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1952	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1952	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1812	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1812	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1812	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1812	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1812	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1812	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1812	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 436	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 436	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 436	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 436	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 436	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 436	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 436	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1392	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1392	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1392	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1392	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1392	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1392	1496	MEMZ.exe	MEMZ.exe
PID 1496 wrote to memory of 1392	1496	MEMZ.exe	MEMZ.exe
PID 1392 wrote to memory of 1824	1392	MEMZ.exe	notepad.exe
PID 1392 wrote to memory of 1824	1392	MEMZ.exe	notepad.exe
PID 1392 wrote to memory of 1824	1392	MEMZ.exe	notepad.exe
PID 1392 wrote to memory of 1824	1392	MEMZ.exe	notepad.exe
PID 1392 wrote to memory of 1824	1392	MEMZ.exe	notepad.exe
PID 1392 wrote to memory of 1824	1392	MEMZ.exe	notepad.exe
PID 1392 wrote to memory of 1824	1392	MEMZ.exe	notepad.exe
PID 1392 wrote to memory of 2036	1392	MEMZ.exe	iexplore.exe
PID 1392 wrote to memory of 2036	1392	MEMZ.exe	iexplore.exe
PID 1392 wrote to memory of 2036	1392	MEMZ.exe	iexplore.exe
PID 1392 wrote to memory of 2036	1392	MEMZ.exe	iexplore.exe
PID 2036 wrote to memory of 1084	2036	iexplore.exe	IEXPLORE.EXE
PID 2036 wrote to memory of 1084	2036	iexplore.exe	IEXPLORE.EXE
PID 2036 wrote to memory of 1084	2036	iexplore.exe	IEXPLORE.EXE
PID 2036 wrote to memory of 1084	2036	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe
"C:\Users\Admin\AppData\Local\Temp\340b6dde731c4ad30afc48d0266f38390c369c3d5a3b3021b667a239de8fbbf6.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:576

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:472

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=is+illuminati+real
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
709d09c2f6e24b9f60d4b1ff63c38827

SHA1
390d247672421c85a62aab26ae9e29d59c5aeb84

SHA256
32a00d73010bd778d538f35d109693d0a5fa1913c79f9c2460696153717c53d1

SHA512
6241aacb407671d34357f276fc18bdb48d977e78446a1a0b6e3869217ed8ca49e5111cfb61047e721993dbab920756bd60d0d97c7b2f9f9415a1226961333f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
Filesize
9KB

MD5
d3d0c3043c2885dea2d8cc0eedeffdcf

SHA1
6d0ae85c9133a63ab221b45e1accd247f15e12cb

SHA256
b8339c59a6f0d3c7f3bf9df8b1e78a705932fbacc2be202f7e46980752c87332

SHA512
3c041cdcf90931ff4b7a9d09a95fbbf5061aebbf74bcbe865ba8c794c3e1a386e493e71e9d8bcfa36ce95101c0cbbc3d6693b096fd821622869cc714448af363

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WEIZAMBK.txt
Filesize
602B

MD5
cbd107952dc3101136bcd0a9425a0631

SHA1
5c4ceb758f1c79496f79afb3b85aefd519128ecb

SHA256
f693cc71bec9bde1b64f44833c9616014aa88686afa1f958ac0ff202fb43dd59

SHA512
579cb978d8efad20fd6394840889fe3317b346c4f3ac8d2388c50a3aef779648aee855c4c05136d247bb7ae6fb530e2fa28c0989b0510ddb4eed717c5fad4d89

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/436-79-0x0000000000000000-mapping.dmp

Download
memory/472-67-0x0000000000000000-mapping.dmp

Download
memory/576-64-0x0000000000000000-mapping.dmp

Download
memory/1392-85-0x0000000000000000-mapping.dmp

Download
memory/1496-59-0x0000000000000000-mapping.dmp

Download
memory/1812-76-0x0000000000000000-mapping.dmp

Download
memory/1824-88-0x0000000000000000-mapping.dmp

Download
memory/1952-72-0x0000000000000000-mapping.dmp

Download