Analysis
-
max time kernel
152s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01-04-2023 06:45
General
-
Target
https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffade449758,0x7ffade449768,0x7ffade4497782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4460 --field-trial-handle=1812,i,9301458352681603773,17956563521301683544,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /main2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b453⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffad92846f8,0x7ffad9284708,0x7ffad92847184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff614975460,0x7ff614975470,0x7ff6149754805⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4105258535743641833,8633158875806845248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:14⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffad92846f8,0x7ffad9284708,0x7ffad92847184⤵
-
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a3816ec4abd2f9cf9cb7943031dc3d8a
SHA142b60959fcaac20cb25347ab7a41555456a2b4b7
SHA256288df140e1ec3ad76d739b6f88a2603dd32971e9801506f1be3d71b2daa813f9
SHA5120e0845d99e3de6f8fa272cb748dc4f53b9a4e0458b1f683fcffcf584d94ede11f4b270b6addc7a334a8caee9b9ff4476fe5bc8ca8833ba6d2867bf4ccae58e00
-
Filesize
1KB
MD5e344cd0e2bef6c9b118be294103f9adb
SHA10e0d23c7ddcf5b5dd906f44cd3046efdc69a994e
SHA256edb474089775969e5759d7729e0a350400029c707d60afadc6853ea3345647b0
SHA51202d86965dd6986b4507f4f710a6b583706b4c47cf4fcb20f036323dd7bb891bafa7b7b368b1478a0475f4a822c0e95b84b2e2e47fff6f7807b414672efb84df3
-
Filesize
1KB
MD53f7065305a4116dcb09d21e949adbddd
SHA1282d998143e48b92179311924a643cec2b0beb89
SHA256e4b12532e280c74365bdf6591dbc21914ead2cd1d2e5378088967ffae5b2a414
SHA512ca1a33fb5e31ab6c9645e1a0a7d000f9a0621d1a00033362c5491ca84d97d722db527bf5bfda72915c2320ef7a71ccedd9578e14b16a6243853761ca7a8be392
-
Filesize
1KB
MD578a4ec7a0a053b0ed4c2c2c7c141726a
SHA1206e3957deb6afeef71c0450139306218f154950
SHA2564b84058ae2f33c287aa1133fb571f8e3ec279365ccbc4e85120faa9c4dcd446b
SHA512c324f132d43bb0de807543b9d600ac68eedc136420dc85ffa10f4f620ab80477869a5ed55f7feb0a8120e6755e875be285a72773c2fbdfafddc0f7becc27689e
-
Filesize
6KB
MD5689ba893c7f135ec755c558a1da13be7
SHA1f3b3e44a8942bcc9130f066cfac3a6a40e7edaa2
SHA256307eecbd7257ae85e4f214b605ba3c924f57c07cc57ccfe26b7240957db8341a
SHA512a5b4c642b31259ffcf0b9c97010a62e5dfa09e260af56848a327e85a09f272e1187896f9847adb12327ebfa0cebd5a0cf02375e1fd2e8515c81bb33ce7c9e241
-
Filesize
5KB
MD53a223540ec3e38831ead6608e25c5df9
SHA14df41895e1ed885d879f1cf0cfb236312955b88b
SHA256457422f30f86c4eed46a69b09c433e8524005513f87b61cae028698d70509d5a
SHA5129ee98798c3550f0ffaea46498dc663f46aa70db15d7c7a1d1686e17b8bbf510a20e770d360b22a5caf0995b3d2e2cf39dc7ffb8411d0a46d3ca848a5c72a06e8
-
Filesize
5KB
MD52caacb576a2165b7eec1a5c63672ccb2
SHA1c461336165dbc790711cbf8b3e5e15e473f82593
SHA2561a74f727ad87cfee9d3537b65c7315508d73c256d24e32825274cceacae23e6e
SHA5125375c619d0da88cb84c8925394362ab3c072d1b0b80910cd033ad196a710517af2be71b0298d8af619dd305913ee6f87e52c2bd06ca78b21d04186b13593ca07
-
Filesize
5KB
MD58aaf720cc75767091c728efdbcf28a7d
SHA1fa4bdce19a42b5adec40bb458047ac67534041e9
SHA256a2afe139f5a1f4facd45aac41b490d0b3b9a8c2581f9addbadcde99130e40fbd
SHA512c687649ccfec0ff546f983c9c09a49db443fd0d8257a03d53890d79c16758e3af1f413f5bcffb8570a21ca0cc7b2246619ca157a812085e9c43874b571fd6f37
-
Filesize
173KB
MD5e13f3604eab61d33a5a5e0a643442e05
SHA140e3a0fd7acf18a5e0fdede34af373867024abd3
SHA2562b86e5874f4810be06c14935531fbf4aa7cab9ff8ddde67f47e710a9ee236c08
SHA5127ebb7ee5f8a5aaf941f81b60bed1ad686b15925b91f8685a3efca2d5e33fbf2b9454139c4186eda7ea37439e1a29a1b379d71cd01403c547e09bc50b60d8516b
-
Filesize
173KB
MD5e13f3604eab61d33a5a5e0a643442e05
SHA140e3a0fd7acf18a5e0fdede34af373867024abd3
SHA2562b86e5874f4810be06c14935531fbf4aa7cab9ff8ddde67f47e710a9ee236c08
SHA5127ebb7ee5f8a5aaf941f81b60bed1ad686b15925b91f8685a3efca2d5e33fbf2b9454139c4186eda7ea37439e1a29a1b379d71cd01403c547e09bc50b60d8516b
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
152B
MD5462f3c1360a4b5e319363930bc4806f6
SHA19ba5e43d833c284b89519423f6b6dab5a859a8d0
SHA256fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85
SHA5125584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417
-
Filesize
152B
MD5014c9ce3e520f19a8bba679c7296f8c0
SHA1dea10f30a0c313c5c9e23e45b21ed5c5e02624b9
SHA2568d37ac330684d1c59dfd971e5e5b8b1923e4d127262a8ed5159896358c52a295
SHA512d473297d1104abedeb488e33d49b6d563d0c8e002dad29abdcd7b7735e14d1b32c36bd057421a52befdbbbce06260c58530ffd38aad4878af74a722e664f050f
-
Filesize
1KB
MD52fe437b052017e175454c022cf76815f
SHA1e3fcbb7964a07dc824b54819486deccbadd01937
SHA256935967c5697754153228f8f7fc2641f0f8b1628b7dfcb492fdd41ed064576e4f
SHA512ada53b27033678c9dbf3380dbbf1dc4d5222dce932868b0388fbee9adff87ebe0b5408c5483e9a13f157afa096d5a2a7107d409b6a5e53b21db8b87adbb357a8
-
Filesize
432B
MD59ecae2e3db056eeff722d72c233b4359
SHA1d29667f71cf0803716feb2408181801e74246347
SHA256b143f876d07cfc29911c7dc753921a34c6e66e0712dec7f136c26de54f6fd3ca
SHA512f14ca6aca364f788398069ee11a739f5573f18f2b22d697544bd71a84453489b4773ddce832f54b6b20fc0c42929a75119c8a2275266f3e25bc60aae9ab68b01
-
Filesize
792B
MD52468c719ecafb3cd015cf2f48d7e8803
SHA199d256aad025bf14ece0c84e5dd98b763d5696bb
SHA256b3e70c0a4432e8f1d15458a748a3c54b266e3af5fe3fb250363c5edf1a9a01c6
SHA5128430ae3549d91d1c84fcf7338366e51e5e811597e71676c8022a0ac5cb752a214d7d39cf90055dcc8e4705cbaf040f6d73d954c3926b4eb219a91c495b8a7d1f
-
Filesize
48B
MD5c0ecece6175798169c8dd67d9b085acc
SHA157acc1903ef992de055ea64d4384ac0c3ac4acd8
SHA2569f8e7b3bb310f433b8d5388f450544d8917eada0c6c45aab63540393092ea726
SHA512c2f4c0df9567c0e0df00e8ce2a670e0a0e681cc8ad7beb7988a90ebe179845d60fed0c909d3c56719e205f27ef6f472fee778143d95f0a6ededc64306e610b81
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2KB
MD5f3e349da720076c2e02255d88f0ab52f
SHA117499624fd7b45c18ba4555c958499dae9c6fca2
SHA2564715087a1c4e3964a50f0f433e468eca0777ae32172537bb97dde9d31e067a74
SHA5122e637beca72a89e9824a2214eef114237c67dbee0a577134ac1dbde394775de31a615a3485a0ee9d0a326e67c5ba74c2203552d14603e74478fca437398ed44a
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
2KB
MD557ba770ae30666e100c9973383092226
SHA178831f396e25f3f7fa7bb33311d146b783aee3b7
SHA25663c6b6581585b0a8b8fe56bfa96b00b66313de7327fb6a47433e1c15968c1279
SHA5121732e13dabae7b8da37da9e6e82a527bf14cea533f8fce19d4b2727fa87411f58c24b7a77dd1c3dd3c7c3fc869ab25089b12820dd5cfe90433d5691631bef805
-
Filesize
4KB
MD51008f45a0e638aa7372730235d96d09c
SHA1b9b1409027c5f8c72202864f257944163f79d830
SHA2561efb436a1c83ef657e8df663d0b4fb387d9f6b0f515d54436ccdee836ac34aea
SHA5120f48d50306fc397ebaaf8da6e25167a3decedbb02f7683618f43843bc80e6a551798eb797767e5e675656acc0664fe869a361bf418b46b980182af8b74fe763a
-
Filesize
7KB
MD54a3c3f55a243f43bffeb7a278a0803c1
SHA1f55e75cafe483d36fe169a3730aff2d5407ba021
SHA256904316a0e7427c877d48d16ba8814632a10edbbd47d742d3fbb8be2671d39b48
SHA512c3e40682613036527cb5564f12c390c74e8219876f659c0ce130abb1ee9e8f6491887380c17a4dee71b05d3708ed4bcb1fa5d0053816c911c967fdf04e390700
-
Filesize
5KB
MD54ecee3ffa292341bcc10aa039830dbbb
SHA18f3e9771b7357f7fd49f5db77bae1f52d34d730f
SHA2561cf40fdc183525dc58ca218a30db0319f915e71cc7ab98f08730a76bfe9d64eb
SHA512e1539ea94397cd007fcd3e6417861b250df5969fae9e401de629a402feb9832fde8752da424ae9f168433a8b5ac83d1e43be390bdcb648dcfe80ede9fd8f8918
-
Filesize
7KB
MD5300cef0e9e896e99ef8611641c0b95bb
SHA19e2ba1cb7696dd11b19a26cac5eb9155f45c66b2
SHA256afadd7e42f6b813f8a5f94402caf41a3aac2b50a5f9a70a98847c8d47f019404
SHA512774e6db1e89d72b8e1b424ff4117aa74e4dc8fb1a0de3e67cd1164852d2b81d7ee850de3f1375b6a5b54fff05c53bf2b39d37beae9c620ec392b4a9e629545bc
-
Filesize
24KB
MD5130644a5f79b27202a13879460f2c31a
SHA129e213847a017531e849139c7449bce6b39cb2fa
SHA2561306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1
SHA512fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01
-
Filesize
2KB
MD5dc663744f4c19c3d36f688496fc98e8f
SHA1fd705a541f128076551acb79bc5dee91c412c650
SHA25650564030084ae844cd55a287b87112d44d30e14181bb17f867ffff9e3b47975b
SHA5126e640961db583fa61f7fb704d1def38a982a1bced118cd0a29ccd7a8c50bc8c56a79cb49b3ff968a0e68c26ccb19bfd9787cc6bfb3881c47efa1efa13acdc76d
-
Filesize
1KB
MD54327d87f2cdea63dec34bc6b302c9301
SHA19ca5009524398634197df6dd164f7d729a025adc
SHA256d35a4e544694430b66476008dea9653ef1c6e19fc78d1a223a17dfe16ca7becd
SHA512bfe92e37aea24e50371d9653b05725e6772bd487b230041c609cc72ffb47b28cbc54c65ef0684ef9fe514b25109b7c296c388f15008dc98aa55f5d99e461b47e
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
13KB
MD50d5876af5c75c0f7916442b6e78e97fc
SHA18fb85a374923a1f6f9bdea360421dec83f11f5a8
SHA256c9f81f3e543d44c423a37e95eed962a06887d7de85d3893e4598e257dea3c3f0
SHA512af74d1ce54b6eb17248e589a394abf9979f81cdd44111bea9516cad6a9d6aa86b95f8e28dd5abe76d0694bd55f2cb269251bf0195d85bbb97acf1be0527739d4
-
Filesize
12KB
MD59307d10f6baae86054eba13204d5a6ac
SHA1298941763ed42b0e98e1f3992a42ff0044b2d434
SHA2563c58da624c84f1a1603f150f0fd0951874ffdb90511bfde720b4a53141fc0da5
SHA51263251019abbd6396fb76d0d67996e2b45c8020adf3468c9ccd737bb1ec253cc66627ab3d33d0983c421098e7efc28a06144427a40a8bf511b1d55b22480f2345
-
Filesize
9KB
MD5dc70f82a44fe954e28fde43e006c143b
SHA1026365b6b6eb3b8a5e58726551a7f329f5e46f96
SHA25696c30bb909b4b76276f78daaa0d5fb2d5f3ecdc1d94fd0c6b1dc79b063a61246
SHA5123f3b59df0cf448711f513dd50e7a9281e6522f94c58367b05f9471123fd87fc6a07f6184b884408efd0ee530f8b39c41072fca1a01eb36c6771593f864bc0244
-
Filesize
3KB
MD5eacd7cf95d5d83396deeef7d47064ccc
SHA17a197d2e2768f9f878d015a7e61946b704096023
SHA256b0325adcdaed44b81b25f47947acace94559cd92f168d20ed577f5431d387427
SHA512c92a05abf1088f776894f065d7a1aa74faa430aa3c7d864b0b50ac58f5838746b7b1a53d856713ef5b56c40dc318dbc246f629acfc06f29ed222726544e0e9ca
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf