hxxp://google[.]com

Analysis

max time kernel
123s
max time network
76s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
31-03-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

6^/10

bootkit persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run chrome.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247744723378033"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
3244	chrome.exe
3244	chrome.exe
4392	MEMZ.exe
4392	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4456	MEMZ.exe
4456	MEMZ.exe
4468	MEMZ.exe
4468	MEMZ.exe
4980	MEMZ.exe
4980	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4980	MEMZ.exe
4468	MEMZ.exe
4980	MEMZ.exe
4468	MEMZ.exe
4456	MEMZ.exe
4456	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4456	MEMZ.exe
4456	MEMZ.exe
4468	MEMZ.exe
4468	MEMZ.exe
4980	MEMZ.exe
4980	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4468	MEMZ.exe
4456	MEMZ.exe
4456	MEMZ.exe
4468	MEMZ.exe
4980	MEMZ.exe
4980	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4408	MEMZ.exe
4392	MEMZ.exe
4392	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

3244 chrome.exe
3244 chrome.exe
3244 chrome.exe
3244 chrome.exe
3244 chrome.exe
3244 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exenotepad.exe

pid	process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
2132	notepad.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

4436 MEMZ.exe
4392 MEMZ.exe
4408 MEMZ.exe
4980 MEMZ.exe
4456 MEMZ.exe
4468 MEMZ.exe
5060 MEMZ.exe

pid	process
4436	MEMZ.exe
4392	MEMZ.exe
4408	MEMZ.exe
4980	MEMZ.exe
4456	MEMZ.exe
4468	MEMZ.exe
5060	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3244 wrote to memory of 3296	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3296	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 3964	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 4604	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 4604	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe
PID 3244 wrote to memory of 1280	3244	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://google.com
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe31749758,0x7ffe31749768,0x7ffe31749778
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:2
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:8
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:8
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2736 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:1
2⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2756 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:1
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:1
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:8
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2388 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:1
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:8
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4980 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:1
2⤵
PID:812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4336 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:1
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:8
2⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 --field-trial-handle=1740,i,15749766055468381429,11274599551894641994,131072 /prefetch:8
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1268

C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ 3.0\MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
- Suspicious use of FindShellTrayWindow
PID:2132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:424

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
cb18baf5d51802182c09ed3ac81c4fbe

SHA1
450ac432db5a828bd87417d954540979593b8911

SHA256
5cfc6eafcfa5ab60bf11783c41a9de9ed8a68f60556821be18ecf0c9d790f159

SHA512
04672b678f28861d71d1fffe4c987adeb5320223ab668165aca247e9559abdb5de8e75fd087dc41f65d2abf4fe9af1a4470eb9a53e60186d396aed9167e41355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
863c32e7ac08353571ea762a0c878d57

SHA1
78fca84678354c172c59b2e83da570d4a32faba4

SHA256
2aa79b34faab8883792fa3c9c5ac4cb7ac63e05b7fabb2f057cb8ad0034f10d2

SHA512
e4941d3c8f6413ea0247c6831e71936c624881c1d60f6826dc0b4dfc6ef580ea0972934e2efb721a9420e201352c1d106be95c9ba666924a250c0b61cf5de957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
c61ae51f18341cab2b19777e95acd67f

SHA1
4a4976f1503173fd73e93979bbcfacf0976bf922

SHA256
47d427eec8ef22bdd9e6e681a341a204b8695e28a285e293ff1741da0031c530

SHA512
d7f686d6b25aeb91c707856aa0ba30c6b7d0eecf806be34c35d139b07c3d7d8a68e354a778b55e5f730e1cf9f14635329ea3ad491b2da51d0e6ebe5a2daf8566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
883d0a7fca8b2f9a839e5e0bd08115e2

SHA1
2916b703692a038088227cfe10880c8bdc920210

SHA256
d6445021acd3ac3e859cfed17401e347d34c1bfe06bdd387f5b50239c515a711

SHA512
4ccb4837be2f55557b7fc5fef52125c6c1204dbd135c7f3a1b3933206fdb9f4e4c9206e32701a0e1f5737008bb238bd1d3344dc5c012684de49a64bb7cc39f87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
1cd838e69c931286cce72b3530df5d34

SHA1
da8d1c5e4b9439060c45004771fbd78f6299a58b

SHA256
f793ab4ac77fa23cd4db2e41b809421bbbf97a8c6e819757ab39ec0e455e20e2

SHA512
f3831cc1618e1fe9af3ec8d04bf4dcb14db0c17042dfe5b75a0982fd777ec2e988e70e0a0ddb0710762a293ca80a58cabc317d4a1087a214ec0ceb010de0b65b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a44f42229b7f168f3fb0b841e648548a

SHA1
8d47ad857f2fca62606dc8f3a3365d319b16f819

SHA256
4224e435909a42149dfdcefd8a6554c5ba98fab353df2480b0f3f442b277883c

SHA512
89060f55294ee8bb0b082d6b5b7177bdb0376973693e68d8818e0ef569e5dd2c88158f02f47c3d2442711d2187220216aa1c877d8635a9d67a3690e318ebfd85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
707B

MD5
40cd7977a8f3c9f7cbbcf24ce76fbef2

SHA1
d11799ad46ebf2f2fd9c819f198f9cb1600b9e08

SHA256
805b571b84172950745a560663c6642098d082120af519704375db5933eea057

SHA512
832b1d79b4e42aa4fe422a256f6e27ef460a5748d7f0c1be6cbecd123023968f2b27338e4d05936bc29b6f9379fd10a15ecbebb66a07ed5b9ff99ce0d82f0bd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8ceb65a1d2ede66970eaf6c5bdf512b3

SHA1
921bcf6ff23f007db59a27af8b22d0e291605c90

SHA256
5eb4372797600295cb184fd5a5b7b8813816c48cfe2b3d006f6fd8141b6671f1

SHA512
b04f019013ed44a86e69fe345c3043cffcbf289bd8d6cd06d57e76bf3a38183a33cc4b73e2da13b2ea4c8cfb17742c57428732e7932ae4a9e2f82c3231fdeb6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
84f6b6ec6ab0d643830a98a44f9b4635

SHA1
79d30e8a717e4e1c0068c524a0d2ebf619349ca3

SHA256
4fe979ccc26279ea7c3eb9d01a8a0ad234965d56ae84291842f518ba0f902788

SHA512
917914ebd44aa1c6eaade3c0d3b15502ba9702cc389a07a6ba326129e7e9826e373d778acde161864d2be00985ac4828125ffbb8a78f46ef333edefec566f0ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
319c1e5d3f5f66e92bb3ee8a5d84f030

SHA1
cd77d98f263739a6f5826b70e7c1c01e63974cbb

SHA256
e24c38765c60bd8060da2e4794154a97614d78390fd23708e1ea132be12fc729

SHA512
532016254871c73e275f05591811f73f8dfacea84a8512585c8fd4a15f3dbaba3b08abbad1b95b3f6cceb0591f02663ed4f4340bc9ff2253248d53b0135cfedf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f52932856b2a2720da8f130024a07d70

SHA1
0b62c3225b12d71e6e22ec76e9d88e58dd01a461

SHA256
92b9c7e166ee102f281be06fcea931671172cd4af9d43cc6da0f68fd38c649f2

SHA512
657215e2f10643c257cb1dd97a8277ffeae7bec2c6dc58de7531f19bdf4c9e06943a9a6d8f50d805942716c9f4dedbfdcac3eeaf701466b7fb88b3a6f93638d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ca48acd0ddb82a3e070355878593c269

SHA1
84ff3ab0edf9a58c5b7472ee587c30b49ee59865

SHA256
bb67dbcfd1f8d7009ea540a7cf23201ef6f02f5f522c051c37d270f44d437b53

SHA512
0f063149f49a2569d062fa88f900a4cad393da2a2c1bd83cb654f2de33b710a9d7c3ada5720666fb1bce41c1d054ba3759aeaba997e97316460960706b311834

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe578107.TMP
Filesize
120B

MD5
400edf9a3d3df5efdd961030af54a27f

SHA1
a275b8e14a651fc65d3da547d5da3f8af7de9a39

SHA256
c57c733486f1baae5ee5f7f673ee34b46df68501837e3519e6de7f3e046348b0

SHA512
aeac2e2411c5ab1619128e614199795f516c7fde62f270a71c2c3ee2b2f4f8d812aba86704d5f42482b5e02e0478770ad370427586df295a497b2f522012a2fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
b828dc15c2d73bc81910033b8f2da761

SHA1
ee84491d6c371843c40a86788d838ca80feb7803

SHA256
b541b67fcf918cef9d4516190aa5c2da1861736c212b95f9c375570c507ac622

SHA512
09c8fb26b86bb04842d70a7652fac4bd61c17a806b5e0b7f774e8fe6c02b8df1a2bb9d36d1d1bb9f5953384dff4f18d251468402b3d6c8054005d5de9594e20c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
ec5d9b4436177bbb054761573604bd19

SHA1
5a1527fcc90a2edd753fceced620e7817fac2d04

SHA256
c021921c301b5eba877c10776660755ba874c9764a706830981bbab8d0f25473

SHA512
f29a084da2755c96eb3221461ce4a65ae1c564d73af057fd4e828aa319d28306e766bd0bbeb7e4cd2473b960da0dfe99deed763fb206f63874c58261de152298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
f43d25a2aa5aac507a068f415953cc0b

SHA1
e6b7340480e2f985eb94422c338ed786b3b35e75

SHA256
7ec9213e8e56739bf171bfcfc70830b3d4e01485ea7030710d33d4613c11b0c9

SHA512
d57c15006b1b9f76f117641820cf8b32ac27eb534364117d29df1cd9f30a56596b10dc9644f9c05d671d94c05728e0130c7896f8f2ab9b7c1506b036915447e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
a0ff155b5ea64ca4f8a1526566723a15

SHA1
54cb4dbc38088539fbd09cfdaaaa839fe695574f

SHA256
b74b5923314ee6a177ed5b9f3b1bd4651419dc7aef6f89e69c3952266e2f7127

SHA512
181aed467a6d9129f639a79089c3bd0e447645380a091ec8a54c3785f18f14a39a1bcc6e43d4f7dd01ee12c5fcb1d5f005b82da062b2c35b260ce960fd4e3f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe579a5b.TMP
Filesize
93KB

MD5
e29acfd0231d16409c74cf432d28edd9

SHA1
d5c13587172c729b44ca91441c20744a2fc435fc

SHA256
e0d08e7515b12b9406851b69577d7a0ade5c3c8d539925fba5ee65e5460b6ede

SHA512
85fae02515a5777ea735b74abc1c613e2cb4c5881b4410b57ac84b70f3d058a8a8a8f9f2c1594e1ffbad1946da78c5b3fc35d7162bc81c7b05ead3b795269429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\MEMZ 3.0 (1).zip
Filesize
15KB

MD5
230d7dcb83b67deff379a563abbbd536

SHA1
dc032d6a626f57b542613fde876715765e0b1a42

SHA256
a9cd3d966d453afd424d9ac54df414b80073bb51d249f4089185976fb316e254

SHA512
7dff68e3f9be9320872ccb105b2e87f15b23807af96ca195a38a249d868468632c3d5811d9a51295ec89fe702d821c9466f93994993951d1238f07f096fb7d77

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_3244_CRSSXLLERMBFIQGV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/424-563-0x000001DDD2A20000-0x000001DDD2A30000-memory.dmp

Filesize
64KB

Download
memory/424-581-0x000001DDD3300000-0x000001DDD3310000-memory.dmp

Filesize
64KB

Download