b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

Analysis

max time kernel
398s
max time network
407s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
27-03-2023 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

desktop.ini
Size

282B
MD5

3a37312509712d4e12d27240137ff377
SHA1

30ced927e23b584725cf16351394175a6d2a9577
SHA256

b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512

dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

2992 MEMZ.exe
1492 MEMZ.exe
3048 MEMZ.exe
3064 MEMZ.exe
2084 MEMZ.exe
1048 MEMZ.exe
560 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

MEMZ.exe

pid process

2992 MEMZ.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2992	MEMZ.exe
1492	MEMZ.exe
3048	MEMZ.exe
3064	MEMZ.exe
2084	MEMZ.exe
1048	MEMZ.exe
560	MEMZ.exe

pid	process
2992	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1604 NOTEPAD.EXE

pid	process
1604	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
1492	MEMZ.exe
3048	MEMZ.exe
3064	MEMZ.exe
1048	MEMZ.exe
2084	MEMZ.exe
1492	MEMZ.exe
3048	MEMZ.exe
3064	MEMZ.exe
1048	MEMZ.exe
2084	MEMZ.exe
1492	MEMZ.exe
3064	MEMZ.exe
3048	MEMZ.exe
1048	MEMZ.exe
2084	MEMZ.exe
1492	MEMZ.exe
3048	MEMZ.exe
3064	MEMZ.exe
2084	MEMZ.exe
1048	MEMZ.exe
1492	MEMZ.exe
3064	MEMZ.exe
3048	MEMZ.exe
2084	MEMZ.exe
1048	MEMZ.exe
1492	MEMZ.exe
3064	MEMZ.exe
3048	MEMZ.exe
2084	MEMZ.exe
1048	MEMZ.exe
1492	MEMZ.exe
3064	MEMZ.exe
3048	MEMZ.exe
2084	MEMZ.exe
1048	MEMZ.exe
1492	MEMZ.exe
3048	MEMZ.exe
3064	MEMZ.exe
1048	MEMZ.exe
2084	MEMZ.exe
1492	MEMZ.exe
3048	MEMZ.exe
3064	MEMZ.exe
2084	MEMZ.exe
1048	MEMZ.exe
1492	MEMZ.exe
3064	MEMZ.exe
3048	MEMZ.exe
1048	MEMZ.exe
2084	MEMZ.exe
1492	MEMZ.exe
3064	MEMZ.exe
3048	MEMZ.exe
2084	MEMZ.exe
1048	MEMZ.exe
1492	MEMZ.exe
3064	MEMZ.exe
3048	MEMZ.exe
2084	MEMZ.exe
1048	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe
Token: SeShutdownPrivilege	860	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

chrome.exe

pid	process
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe
860	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 860 wrote to memory of 796	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 796	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 796	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 772	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1032	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1032	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1032	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe
PID 860 wrote to memory of 1748	860	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\desktop.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7019758,0x7fef7019768,0x7fef7019778
2⤵
PID:796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:2
2⤵
PID:772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:1
2⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2344 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:1
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3704 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:2
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1440 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:1
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3932 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1648 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:1
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=584 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:1
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=776 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:1
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1128 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3648 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2188 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3848 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3560 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1876 --field-trial-handle=1316,i,12671941768617867071,18020387883285009222,131072 /prefetch:8
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1224

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1316

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1dc
1⤵
PID:2776

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:560

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
672B

MD5
f74df4b33816246b8fb304bfa6e1e5e4

SHA1
40a6831676f83a0855ff1ee95d103af9801c3322

SHA256
0cc5d370b801e9d19048d7df3f6dd9cac34252f90230068e32d7f8c413cdebde

SHA512
2fe4cb62e0d67cfee6ab2dd5cb24beb5a247f07157282583673cfe89c6ee0f63fb4af7cacad99b44a0b20bd675ae0b81f2cb213ed931b1d20ef24b5481237948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
fc505461825da5724a2cd314884e4330

SHA1
5a70f9015ae0160249f9af5055152b39dd6b0530

SHA256
e7751f4634bd9e970b14f8a59559f469d994641bc09dce09bcff1bcfe2cf8fdd

SHA512
104f9e7ad2d2b7b17b1b3c9529b5f9f3c52d924e84e556a47ab2ccebd67461bdb80716ea34320b78e647d1844b9efaad316ddcbc3a9fd198a3f1d84e784d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000002.dbtmp
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
a7dcb8b7f0b70194b585285aa3401a81

SHA1
e212ba53dca254fc91b262963b5c9cef60b10d38

SHA256
aa3c3ce3b04678995eedd9d4c693a501bae9a13d47506eca94f94725c11794b6

SHA512
f28ab54e3977567ba19a3caddff73250c74464d05c7234c35a1257eeb25e5e29e29f592cea05002370cee688544be369b124d42266f2120f13a1e6fd7a22c162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
10785a37c20be3c6786d66e101bb2dfe

SHA1
6294ce44fa740d478eb768ffa890c56b90f15ac0

SHA256
183ce070dfb32438524001834100bdb3edece96aaec6e43e4a2de036a99e1d35

SHA512
b7e91bc8772af587fbefaa86754bc2af3e264e033cf2d1fa9e8eadc5c809369aaec20effc88adac2dbec86034ddfda0de523e82541c66a77867842e96b3ec2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
ab3b98c3a5e2789b76417d33aa70157d

SHA1
a5ae264b8fb20cbfdd648d28fb3b6ebee913fb53

SHA256
3033561043ef2e7155475c2c841b70e553d0631add2643c42973b913460e548a

SHA512
391f0cc506073ce5dd606f3bf6e7781dcb0366ed3a81ff2efca76450a2e90484fd8639c71fb1d4432b425f1b95552efa3592e21c276796f9513d4d7d4b1dac41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9b8523ce518884f55fdc80ae4b447b8a

SHA1
722ac1b7f5cf4ab30ba15a9e5f133af43f471f4e

SHA256
3d7c02cf5d4643acb0e5bd54e3b417de1fc79b2fe6e34e0c97bfa3aee5b31820

SHA512
d5c091f896370d68dc9225881719236ff9f78ca4804ad863e4a4fe71991fab3d015f1f168bae82efcc720ab5e2a7c6bc770d7c287e21820d02d5c7594d661792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d3c22f6f011a056a849ed2f57a0e9182

SHA1
5a3f3c1de0832fe8ae4ebc5d00ba7aa017f64e11

SHA256
879c9c5ac802f811074537cdfd8265e9152abe6b36157d5c7ace451209627b80

SHA512
597f398e9b5734f30e75b92eef8903093477c8c2fe151f6626317e83f2163805aa45da9c60a23bf5f46a80b564d52e80883493f01db26e67979fbf9312c61fd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9d38653c54dbbd4ca9cf70e8cd7b3257

SHA1
d078537cfb653474caa02c7e54af2cae093a75ed

SHA256
daa028d66b7d05dc590a2189d479503bd82cd34af6910f986a9e713c3a472f60

SHA512
784489c073c54c00a781083fd2c5245cd5f932481592e7a39192c34b565dcb620cc2e382fb1d57b1283246c98546a2c053e11c67c74df38c6c919d56ff9f7dbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
527B

MD5
c87b8c59dca7981444ea52b5b3d67ffc

SHA1
270210d9687583e4a7dc2607c914a8c17c8b4917

SHA256
8567e52408cd04a39ff42339e4a2b2b32447a3594893e682ff55f38b7d98078d

SHA512
7e3fd23a9915ae04838f1242c5a35632f2521d4f4a505d41489e6322703a8063ffb93743cd99a8e71fcbaaa2a82bdf119b6f25f81069d1d7fa2d0af809082930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
88f2d9aa8b9da0249d26a4f6e94d8f75

SHA1
394f7360fe73e29fe942e7fd87e04811b07a16a2

SHA256
3434d6bb3217721c1e73aa710146f0d2c6674ae6edd5eee0f608116f708d2922

SHA512
68323101a284aaa7b0a1c2d334b59a6e2aded0f94c8fe19a70236e08136f55d0cd153ffa3fd4be021c07d2c595305a35741f3ab1d22e510722eaa98cf24d89fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
510642b0a368b8d07fc5b23d36c3055d

SHA1
852035c8b658d02822ef62444d0bc92c5c9ff4b4

SHA256
52d72f491c5e61a23a508fc85c2cfa30573662f5f0cab066a533002a1bc9070a

SHA512
aabfa0dde6911a349c44cec92466275904766aef27ca233de733a5713aadb7e8049f385e8577f6c33f44c056feb62c9fb2cdc930e05846b8a8d320b05dc14984

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
1a577f3d511d394accebc02b3a35ec7b

SHA1
59cf9fe2a354bb25408948f356267e9720f26429

SHA256
2ffaaa950180e25ef00c137ef05f514ef98c84f2e7a21e71f31327e3d2c85d90

SHA512
bc56ed171e47ae000dda4007d2b8786a17897220ca828190e35e45fd281b0f0a0a20b732950cb7271d6fbc2ebbc70143035469c21dcd1fb7d3ab70cc5b0a9b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
9db2e5f58ee1ffa2aa48c12c1be12632

SHA1
342f37336a523f2f24461a891d3d91d167b744f7

SHA256
83877044218955ea60a59e605debc5c42eaec128c49f4e5b6f5c4021f1d74580

SHA512
b63460511cf43a8f68edea5a414363dbe015395bd326269a58ab288c432d93a31d0dc2e6b78a56ab5304a98c12e20b339938dbf5a5c6569114b196fa97e6a327

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
1a236b107252fd6a80516057477ccf8e

SHA1
5e9b31e3a8f06f2722a4f0369d3eee4108c2402f

SHA256
0132d67267885b856a810e5d1e33342b628b9b8fda5c7034e95eb070e068d6fc

SHA512
7318fed723a08765a52268cd66a97cd58a9a1f69f6cd6257b6169d77d92acfbdf63ef5f22ce2eb0169e666446b4ab1f52fb950472ec5442753772b721168dbc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_860_DZURYQHEXKXEEMFH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit