amadey | d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2c9b27dd5125b15b30b4

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nbveek.exe

Loads dropped DLL 2 IoCs

pid	Process
3488	rundll32.exe
3756	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4704	2876	WerFault.exe	66
4384	3756	WerFault.exe	107

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2320	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
1508	chrome.exe
1508	chrome.exe
3596	chrome.exe
3596	chrome.exe
3192	chrome.exe
3192	chrome.exe
4836	chrome.exe
4836	chrome.exe
3064	chrome.exe
3064	chrome.exe
3512	chrome.exe
3512	chrome.exe
4288	taskmgr.exe
4288	taskmgr.exe
4288	taskmgr.exe
4288	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	taskmgr.exe
Token: SeSystemProfilePrivilege	368	taskmgr.exe
Token: SeCreateGlobalPrivilege	368	taskmgr.exe
Token: 33	368	taskmgr.exe
Token: SeIncBasePriorityPrivilege	368	taskmgr.exe
Token: SeDebugPrivilege	4288	taskmgr.exe
Token: SeSystemProfilePrivilege	4288	taskmgr.exe
Token: SeCreateGlobalPrivilege	4288	taskmgr.exe
Token: 33	4288	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4288	taskmgr.exe
Token: SeDebugPrivilege	1628	taskmgr.exe
Token: SeSystemProfilePrivilege	1628	taskmgr.exe
Token: SeCreateGlobalPrivilege	1628	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe
368	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1388	MEMZ.exe
4392	MEMZ.exe
1288	MEMZ.exe
3548	MEMZ.exe
4392	MEMZ.exe
1388	MEMZ.exe
1288	MEMZ.exe
3548	MEMZ.exe
4392	MEMZ.exe
1288	MEMZ.exe
1388	MEMZ.exe
3548	MEMZ.exe
1388	MEMZ.exe
1288	MEMZ.exe
4392	MEMZ.exe
3548	MEMZ.exe
1288	MEMZ.exe
4392	MEMZ.exe
1388	MEMZ.exe
3548	MEMZ.exe
1388	MEMZ.exe
4392	MEMZ.exe
1288	MEMZ.exe
3548	MEMZ.exe
4392	MEMZ.exe
1388	MEMZ.exe
1288	MEMZ.exe
3548	MEMZ.exe
1388	MEMZ.exe
1288	MEMZ.exe
4392	MEMZ.exe
3548	MEMZ.exe
4392	MEMZ.exe
1288	MEMZ.exe
1388	MEMZ.exe
3548	MEMZ.exe
1388	MEMZ.exe
4392	MEMZ.exe
1288	MEMZ.exe
3548	MEMZ.exe
4392	MEMZ.exe
1388	MEMZ.exe
1288	MEMZ.exe
3548	MEMZ.exe
1288	MEMZ.exe
1388	MEMZ.exe
4392	MEMZ.exe
3548	MEMZ.exe
4392	MEMZ.exe
1388	MEMZ.exe
1288	MEMZ.exe
3548	MEMZ.exe
1288	MEMZ.exe
1388	MEMZ.exe
4392	MEMZ.exe
3548	MEMZ.exe
4392	MEMZ.exe
1388	MEMZ.exe
1288	MEMZ.exe
3548	MEMZ.exe
1288	MEMZ.exe
1388	MEMZ.exe
4392	MEMZ.exe
3548	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 732	4444	d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe	82
PID 4444 wrote to memory of 732	4444	d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe	82
PID 4444 wrote to memory of 732	4444	d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe	82
PID 732 wrote to memory of 2320	732	nbveek.exe	83
PID 732 wrote to memory of 2320	732	nbveek.exe	83
PID 732 wrote to memory of 2320	732	nbveek.exe	83
PID 732 wrote to memory of 4252	732	nbveek.exe	85
PID 732 wrote to memory of 4252	732	nbveek.exe	85
PID 732 wrote to memory of 4252	732	nbveek.exe	85
PID 4252 wrote to memory of 4984	4252	cmd.exe	87
PID 4252 wrote to memory of 4984	4252	cmd.exe	87
PID 4252 wrote to memory of 4984	4252	cmd.exe	87
PID 4252 wrote to memory of 2360	4252	cmd.exe	88
PID 4252 wrote to memory of 2360	4252	cmd.exe	88
PID 4252 wrote to memory of 2360	4252	cmd.exe	88
PID 4252 wrote to memory of 4980	4252	cmd.exe	89
PID 4252 wrote to memory of 4980	4252	cmd.exe	89
PID 4252 wrote to memory of 4980	4252	cmd.exe	89
PID 4252 wrote to memory of 4760	4252	cmd.exe	90
PID 4252 wrote to memory of 4760	4252	cmd.exe	90
PID 4252 wrote to memory of 4760	4252	cmd.exe	90
PID 4252 wrote to memory of 4620	4252	cmd.exe	91
PID 4252 wrote to memory of 4620	4252	cmd.exe	91
PID 4252 wrote to memory of 4620	4252	cmd.exe	91
PID 4252 wrote to memory of 1480	4252	cmd.exe	92
PID 4252 wrote to memory of 1480	4252	cmd.exe	92
PID 4252 wrote to memory of 1480	4252	cmd.exe	92
PID 732 wrote to memory of 3488	732	nbveek.exe	105
PID 732 wrote to memory of 3488	732	nbveek.exe	105
PID 732 wrote to memory of 3488	732	nbveek.exe	105
PID 3488 wrote to memory of 3756	3488	rundll32.exe	107
PID 3488 wrote to memory of 3756	3488	rundll32.exe	107
PID 3596 wrote to memory of 4032	3596	chrome.exe	109
PID 3596 wrote to memory of 4032	3596	chrome.exe	109
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114
PID 3596 wrote to memory of 4896	3596	chrome.exe	114

C:\Users\Admin\AppData\Local\Temp\d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe
"C:\Users\Admin\AppData\Local\Temp\d4cb3f4a5554ec5411cc328cffb5ee564a2114446cbd2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\588b4b1c98" /P "Admin:N"&&CACLS "..\588b4b1c98" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:N"
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:R" /E
      4⤵
      PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\588b4b1c98" /P "Admin:N"
      4⤵
      PID:4620
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\588b4b1c98" /P "Admin:R" /E
      4⤵
      PID:1480
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3756
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3756 -s 684
        5⤵
        Program crash
        
        PID:4384

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2876 -ip 2876
1⤵
PID:4112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2876 -s 772
1⤵
- Program crash
PID:4704

C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea6274f50,0x7ffea6274f60,0x7ffea6274f70
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2564 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,4894624520709154313,4781160149125105397,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:4596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3756 -ip 3756
1⤵
PID:980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3944

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_memz-trojan.zip\MEMZ-master\WindowsTrojan\Data\KillMessages.txt
1⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe"
1⤵
PID:4312
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1388
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  PID:4556
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3548
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1288
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4392
- C:\Users\Admin\Desktop\MEMZ.exe
  "C:\Users\Admin\Desktop\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:2144
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed
    3⤵
    PID:2760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffea4fa46f8,0x7ffea4fa4708,0x7ffea4fa4718
      4⤵
      PID:4688

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\588b4b1c98\nbveek.exe
1⤵
- Executes dropped EXE
PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Bootkit

T1067

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery