hxxps://github[.]com/vvinlind/MEMZ/blob/master/MEMZ[.]exe

Analysis

max time kernel
46s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
02-04-2023 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/vvinlind/MEMZ/blob/master/MEMZ.exe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

3648 MEMZ.exe
2744 MEMZ.exe
3544 MEMZ.exe
316 MEMZ.exe
2472 MEMZ.exe
5104 MEMZ.exe
4880 MEMZ.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run chrome.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3648	MEMZ.exe
2744	MEMZ.exe
3544	MEMZ.exe
316	MEMZ.exe
2472	MEMZ.exe
5104	MEMZ.exe
4880	MEMZ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133249585216021328"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
3416	chrome.exe
3416	chrome.exe
2744	MEMZ.exe
2744	MEMZ.exe
3544	MEMZ.exe
3544	MEMZ.exe
2744	MEMZ.exe
2744	MEMZ.exe
316	MEMZ.exe
316	MEMZ.exe
2744	MEMZ.exe
2744	MEMZ.exe
3544	MEMZ.exe
3544	MEMZ.exe
2744	MEMZ.exe
2744	MEMZ.exe
316	MEMZ.exe
2472	MEMZ.exe
316	MEMZ.exe
2472	MEMZ.exe
3544	MEMZ.exe
3544	MEMZ.exe
2472	MEMZ.exe
2472	MEMZ.exe
316	MEMZ.exe
316	MEMZ.exe
2744	MEMZ.exe
2744	MEMZ.exe
5104	MEMZ.exe
5104	MEMZ.exe
3544	MEMZ.exe
3544	MEMZ.exe
2744	MEMZ.exe
2744	MEMZ.exe
2472	MEMZ.exe
2472	MEMZ.exe
316	MEMZ.exe
316	MEMZ.exe
3544	MEMZ.exe
3544	MEMZ.exe
5104	MEMZ.exe
5104	MEMZ.exe
2472	MEMZ.exe
2472	MEMZ.exe
2744	MEMZ.exe
2744	MEMZ.exe
316	MEMZ.exe
316	MEMZ.exe
5104	MEMZ.exe
5104	MEMZ.exe
3544	MEMZ.exe
3544	MEMZ.exe
2472	MEMZ.exe
2472	MEMZ.exe
2744	MEMZ.exe
2744	MEMZ.exe
2472	MEMZ.exe
2472	MEMZ.exe
3544	MEMZ.exe
3544	MEMZ.exe
5104	MEMZ.exe
5104	MEMZ.exe
316	MEMZ.exe
316	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3416 chrome.exe
3416 chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

chrome.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeDebugPrivilege	2240	firefox.exe
Token: SeDebugPrivilege	2240	firefox.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

chrome.exefirefox.exe

pid	process
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exefirefox.exe

pid	process
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
2240	firefox.exe
2240	firefox.exe
2240	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2240 firefox.exe

pid	process
2240	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3416 wrote to memory of 4332	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 4332	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2364	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2632	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 2632	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe
PID 3416 wrote to memory of 3984	3416	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/vvinlind/MEMZ/blob/master/MEMZ.exe
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfc349758,0x7ffcfc349768,0x7ffcfc349778
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:2
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:1
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:1
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5272 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5220 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5580 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5252 --field-trial-handle=1828,i,13765297126385336781,1555051367287492560,131072 /prefetch:8
2⤵
PID:2016

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3648

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3544

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5104

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4880

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:944

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
4⤵
PID:5176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.0.791058614\439125846" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f472d6a-7014-4d76-a2b0-6667637895e7} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 1916 1ce9a8d7858 gpu
3⤵
PID:2224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.1.1606081089\1605255294" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28912c9d-e29d-4c74-86a8-4bfc31f8c3c0} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 2316 1ce8d971f58 socket
3⤵
PID:1052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.2.1590748081\1097341807" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2836 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d386ea-139e-4a67-b7a3-64094e6f5ce5} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 2996 1ce9e4f2e58 tab
3⤵
PID:2504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.3.1786162931\94876454" -childID 2 -isForBrowser -prefsHandle 1268 -prefMapHandle 1440 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cbe458f-0792-4e52-bd05-ab85346f6405} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 1284 1ce8d970d58 tab
3⤵
PID:4748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.4.1268550090\1033099548" -childID 3 -isForBrowser -prefsHandle 4128 -prefMapHandle 4124 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87010c12-c1fc-4482-bb0e-a49ddfc162ac} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 4140 1ce9f9b4558 tab
3⤵
PID:1068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.7.71497325\27009192" -childID 6 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17e657ec-5993-4089-9a82-3f6fc1838305} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 5252 1cea0e7c158 tab
3⤵
PID:5264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.6.1500589896\1358108535" -childID 5 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f186750-c1f2-4092-a5a6-80c745857970} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 5056 1cea0e7be58 tab
3⤵
PID:5256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.5.1515971512\978540971" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4956 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196cb828-11c0-4c3f-9af6-33589b1fe326} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 4920 1cea0e7bb58 tab
3⤵
PID:5248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.8.1969204039\1733784482" -childID 7 -isForBrowser -prefsHandle 5920 -prefMapHandle 5924 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {891453d5-8da8-4363-8f5d-6340fe3ad78d} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 5916 1cea2b64458 tab
3⤵
PID:5868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.9.2100176928\1320725048" -childID 8 -isForBrowser -prefsHandle 5988 -prefMapHandle 5992 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42788eb6-f6e6-42c7-a065-d4fc6214ba48} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 5976 1cea2b64758 tab
3⤵
PID:5880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.10.567394265\2045690431" -parentBuildID 20221007134813 -prefsHandle 6172 -prefMapHandle 6176 -prefsLen 26755 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {088f76e4-5578-484d-9cb5-9d6b86b0da40} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 6252 1cea2e56758 rdd
3⤵
PID:5184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.11.1492536634\1663918951" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6396 -prefMapHandle 6392 -prefsLen 26755 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74ce92eb-07b0-4ed0-a8d2-793c12c07000} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 6408 1cea2e55e58 utility
3⤵
PID:5408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.12.680024181\1314841199" -childID 9 -isForBrowser -prefsHandle 6652 -prefMapHandle 6648 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd6b0b01-6318-41f4-9ca7-59adaf01197f} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 6664 1ce8d962558 tab
3⤵
PID:5976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5400

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
PID:1168

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
PID:3772

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
PID:5604

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
PID:5704

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
PID:5400

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
2⤵
PID:1596

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
2⤵
PID:5728

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:5964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
1dd059194f42b3f0fc5b18448560cb2a

SHA1
a585978284b44e14a244dcf6b49ff8f5ebb15889

SHA256
9cf88bfdadf16ef96634c17bf09f78eee0949f4e39879e41000f43f034670966

SHA512
9cbc177bbf44e74f3e6a3cace4f0dc13878bbc0ff7c091d008f1612fb12eb9f00bd511bcaf6392246ef9f2e3b8b6dbeb9aa36361a13acd898179734d72534542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
dd6ff75278c629f54e7a72c70ceeda1b

SHA1
6168a7fd5dc8ea95fe00ef91c122adb26ad7741c

SHA256
f7f17e9f612450930c69ce11842eeeb5329b2d401f24f3c446dce3ac94e4f4e9

SHA512
d58bdacf7fe71be76676ba3fe468c85d38f782cb03f771d1c72d879a5628335395dda3f5c9f57f466604a61097ec3dc81313fa9bf57b55baaaf8d672d2c63658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f67387cfe8b24320748921b4dd92999c

SHA1
0b77f4ee8aeac2ffed47f29849410fb68f352b70

SHA256
c67c5c4c8bfb8f15b750cdb647ac8224032433d34f0b0e62be83432e1965861e

SHA512
4c0b6faf5eb6d18fd8bb435a2e72b92bec4d56c51fa936f568bcd010c1faf83e5ecec636db6299a7e761afa51509f30a4cf7418c69d4b8e0a68287e42751486c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4a51ca8f9e6891805cae4d8a57c7f9f5

SHA1
f92e4fb19eddcd5ec39243fa90ab687a5fd76708

SHA256
3115962050c971ee99930dc31664b925a5ebb9f0a0cd899e8df08fddf69aa4ba

SHA512
ab13eafc3df7dc0e2c290101fea8818fb3d2bff1945bb57f6fed41a336c9778cf650edcd296fa56055d4762dbde3be00978112c871e1b040005390e35ca71de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ce0b3863cd8e0afb64edda2a8850219b

SHA1
2488d9f7ded4357e76e94b3391094cbb4239ee59

SHA256
35ac98a300727a3e470ff3ef6b8e2b5571f2c687ec6a1407010694ea4f9854f4

SHA512
2aa162bd4a8ac109487a9e5db7d631aa466cba97134430d211d27d6171f865e49f4c61beed4c8fdfafe24e52472e7f5bdafffde618c2d2f2af3da6612611f3c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7c34ac923dde3d7fdc3698f6c10050d6

SHA1
616445dbb2f77a433c82dc26590e06ab5f7bfdf0

SHA256
5ef03f3da982e236d68e9ae1e5cb2a3986d8bbf912644f927e56db2a07de158d

SHA512
4383df212cf2b33d3192a5325be2e5f88f753f18dcb518339e1b2ab4842728b034e3a42d2fe6af9c6127b7280bb0039bee76184feb2e175e6514b2c2d3718027

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
9e88952d0ceed066e38d16142223d452

SHA1
ea38f5fa530c246c3317f04919cf18d969db29ff

SHA256
6b5995fe2b53b75a003c9b699b2d3cd39e8e597eb8282775e6d3245ec53acfeb

SHA512
6d5c98975bdcd18623f77f1a0725db2a0c87c3d4ea6046d793a6ad6b86ea404802f6e1fa39fa529d72094c6fc3ea0ddd3957eeb22704a85e7d3b8ed113bc4f42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
175KB

MD5
57f87de2caa76fc5794181ddfc7fab59

SHA1
bd3517f9a25e5f864ef8ec408fe226b2cf0f183f

SHA256
5b75f60cfabd86e1b84173bb727edd3c715bfded039e03053f326cdb788ed518

SHA512
dfecb004a2c2dc1ff726507c0a5de2c12c23d5b1125154722c5d2b6ba18f23f33e1bd3ccd262741f56008c73bfa1421accdb6418ab540ce56cb0db92ece9a0d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
72KB

MD5
159f8db946def818cee0957e6a2753d1

SHA1
324ee3670a6d907fdc70c626c0f3a3417d2ea143

SHA256
03f71caaa8f78327342674684fbc7600edc4cefb678719985e1b7c71da643061

SHA512
63f9cc375330d3b59f8805c024075ad8d7b439f9f8442fb9eba6ff4b3b06030fbbfac77a2bc1f32ea1980f046cce06901d930c1131fda69e53c945e06a0e12bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
175KB

MD5
068357b66e15cfe343e322668397abdc

SHA1
90f3e3b1dc19bd33b593f5fb56d604207cdddf0a

SHA256
2e45fb4ef666cb2a6a6390bfd6e6bd3e63a80ad8261a6beb91e5fb5592af2f93

SHA512
e01e4837949e617199456b929308801404c3cd9d6c6aeaa2b2b654750e89107703f9b416f02ab4f6e79f1bff01238c716f691541d75d1618052e9c0ff6561427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
Filesize
154KB

MD5
4a538cf46f125cdef88fd74b4f033b6c

SHA1
82d218cf7b3c96679bd5c67dbc3477be6a0b55c3

SHA256
b15f367f3b3a2cd6304e5aa80c23982af1cf3ff08c4de2cd07b5ba1bc121c36e

SHA512
c150375c5f0b64453271f886515c9726803a7ad4971f41fec65244908e6949d4b39dbf9267911bfccf26dd476494b05bc479995cf34431c453eb6fd3d35e261c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
d7eb752e3bf2e1a0b58fa09b75a7448e

SHA1
57c9a90202d017e794b91ea9065432bb81b6148e

SHA256
50bc74dbb818587ac0f60de468e9535e4e562b8cd53e1d5237e0e1f9e7a91666

SHA512
f1ee5f00404217ede668e53e1f33efcda344acb5ca21f47abf9734e1cf5984207b7a05991d1144b4aa2653bcd3eb64273551f510feaf75bacfb4ae572c64c252

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
9b40003736e478ab7a18320446ef082a

SHA1
43d4d4f101e661bc66aa105659215eae08ddc4a4

SHA256
744a2fbcd271a822b2cd7ba07a09c62f87f6084ecfc8385001762e26cea7c369

SHA512
2fda073984414d143e8b39a0b8a92bbcd8e3bb66b37229e3d540a46c95754a0dd6b0facc907ca6c1b1280b37c0b7e0a92a7e8cdce468047197f59b0ce611bf87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
381c0340afb45195604e6ae72b8a43ec

SHA1
2ca56220f74cc87dd69834531dae6a18003d358b

SHA256
04b301999e994446516e221566eb7d426668d9a40561eb2e184f380f7491530f

SHA512
b25e34fb2017dbe328017868fdcf23fdd48db478733c2134c30b3905e7865b69cda3914f45ae41825be5d3690b96f314d11ec7e4b869967c2e7c9b11db181c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
cb2b0d9ae8646899311ea74c98f96584

SHA1
0659423934931ca8b92499e5d466f13c841f18a5

SHA256
88fda36006c5dfb17044498f127dc17495f75c63f296103ac6f536337b19e375

SHA512
efe0531a0e7a04adfc3253fa782c241db68ec623cb383a76d8267dd0f176a8334556dd8d35d662d66efc0c85832b9ffd45489a79591f458a4d6699ea17eb3ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
2KB

MD5
8c866d06cc8857cb8190ac0bff9d7722

SHA1
3ecd3d9402c305890d0fc290e4fa9c1e7066429c

SHA256
b09947e42293b177eec54f7390308e9a790eade892d08dca00412fd223b24ce4

SHA512
d23696d3fedb07ce38757905c4241cabc5e207cbfd1649dea91e0ed16d4b241e0ca1a2ce44b65ef826d0dd44a3414c8bdcb211af32e613c90808c647a3d727bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\default\https+++www.youtube.com\cache\morgue\111\{1229b3cd-53e5-458d-808d-1e26a4a7246f}.final
Filesize
3KB

MD5
d67e5f1c1b0b553abce9e0d10fa4385a

SHA1
02426e725763c00b25221a9eca7b6b5fb2d3f89f

SHA256
5034fd9197e22afaa69f8e4278bcaad0a750945f852405041009cac0cbca5198

SHA512
2c041959cb0da75519d6a220ebb05c6b0580b0f9e78fa3d416f8a9f273fcb18cab2baec1176e0258dfd3b9c89999b6a9fd2ea616b167847e8e580f79a9581d29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\default\https+++www.youtube.com\idb\1899063604yCt7-%iCt7-%r7e6s1p0o.sqlite
Filesize
48KB

MD5
2e1fcf5a556fbd8e951910be3ab272d3

SHA1
7aea9a99f28d2145e5489f40f143a85d811d48c2

SHA256
9f209fedb254e7789512e8d78a988a8903e7a19253abbe6daa652cc6e939bba6

SHA512
786541b5b4f0db022955d49af848999f518a0f77e3168af7797ca59742de95f5e25ab74b2ef0d71b8c65124b86203607b89f53f3df3c0cf9d3364562c48eed22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal
Filesize
40KB

MD5
990cacaf45fdb31d67b3f57ab1cce469

SHA1
57271d9bdc0f4da9955385c9dcb1d8ebd4f7b828

SHA256
07560918b8f2be21804ddf2c153d275ea72a4d35ed4e31002355aa758112c5fa

SHA512
d5131bc91283066d5250e979d85722e8371da1a64d0e745e2ecc9e1e1e3a53d04401ba50f49187d3bf6ef1af286ee6a1ea61a748dcf9ab98fcc74feae94810a7

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_3416_KNCNBKAIRTGRFELW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit