hxxp://o | Triage

Analysis

max time kernel
207s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://o

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

3912 MEMZ.exe
1328 MEMZ.exe
4912 MEMZ.exe
1548 MEMZ.exe
4572 MEMZ.exe
4844 MEMZ.exe
552 MEMZ.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3912	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
4572	MEMZ.exe
4844	MEMZ.exe
552	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248850774537937"	chrome.exe

Modifies registry class 64 IoCs

Processes:

explorer.execontrol.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

824 regedit.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

1812 explorer.exe

pid	process
824	regedit.exe

pid	process
1812	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
396	chrome.exe
396	chrome.exe
3892	chrome.exe
3892	chrome.exe
1328	MEMZ.exe
1328	MEMZ.exe
1328	MEMZ.exe
1328	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
4912	MEMZ.exe
4912	MEMZ.exe
1328	MEMZ.exe
1328	MEMZ.exe
4844	MEMZ.exe
4844	MEMZ.exe
4912	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
4844	MEMZ.exe
4844	MEMZ.exe
1328	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
4912	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
1328	MEMZ.exe
1328	MEMZ.exe
4844	MEMZ.exe
4844	MEMZ.exe
1548	MEMZ.exe
4912	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
4912	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4844	MEMZ.exe
1328	MEMZ.exe
1328	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
4572	MEMZ.exe
1548	MEMZ.exe
1548	MEMZ.exe
4912	MEMZ.exe
4912	MEMZ.exe
1328	MEMZ.exe
1328	MEMZ.exe
4844	MEMZ.exe
4844	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid process

396 chrome.exe
396 chrome.exe
396 chrome.exe
396 chrome.exe
396 chrome.exe
396 chrome.exe
396 chrome.exe
396 chrome.exe
396 chrome.exe
396 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exeexplorer.exe

pid	process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
1812	explorer.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1328	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4572	MEMZ.exe
4844	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
1328	MEMZ.exe
4572	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4572	MEMZ.exe
4844	MEMZ.exe
1548	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
4572	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4572	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4572	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4572	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4912	MEMZ.exe
1328	MEMZ.exe
4572	MEMZ.exe
1328	MEMZ.exe
4844	MEMZ.exe
4912	MEMZ.exe
1548	MEMZ.exe
4572	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4912	MEMZ.exe
1328	MEMZ.exe
4572	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
4844	MEMZ.exe
1548	MEMZ.exe
4572	MEMZ.exe
1548	MEMZ.exe
4844	MEMZ.exe
4912	MEMZ.exe
1328	MEMZ.exe
4572	MEMZ.exe
1328	MEMZ.exe
4912	MEMZ.exe
4844	MEMZ.exe
1548	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 396 wrote to memory of 3172	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3172	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 3008	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4700	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4700	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe
PID 396 wrote to memory of 4632	396	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://o
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe6709758,0x7fffe6709768,0x7fffe6709778
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:2
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3460 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5000 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5044 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4512 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4944 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=744 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2792 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5208 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:1
2⤵
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3268 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2840 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=748 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4812 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5240 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4784 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1824,i,4121344838293474767,12535816782275964272,131072 /prefetch:8
2⤵
PID:3124

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3912

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4572

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:552

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:424

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
4⤵
- Modifies registry class
PID:3352

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
4⤵
- Runs regedit.exe
PID:824

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:444

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:1812

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
Filesize
162KB

MD5
b81d6636c3ad72c63e532e5180eaf7f9

SHA1
ddcd059999fff6218e98af62dbe3fa9c885a0de8

SHA256
2fb4351c49b47b7cdaa9516237a8b1e690e4448339d09d70a84c658729e461ef

SHA512
4f0b87bbf60061a8efca4906554f958b7c28cf582452e01a8316d8c5ea8c98beda6c3230afff207f0b92d316c4c2e0ca1b4631e7d7364344b4a76394115af06b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
457b4971cea44fce78ed542a0af59545

SHA1
a16719a47957a70e2bc37195a44aa2f18f450efb

SHA256
6b51b959bf3e3149299c9a667f4eaa76417cef47227603a702b3e84410cd033f

SHA512
c71c21164e54433180d241645b326bc84df6b53ab1f07b447192395e31c996e8cf62da78464696ccf03937e4df9dcaf3977f1186e529f46ba3885df4f4c498a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
1673a6a0a7ffc2ce8c2d622aef3bab80

SHA1
872a765f646278eaaf4613c1a016a22810fd3ec7

SHA256
da890b79a06c374463d62579c4780535c5110c2890e4b4a149c06e1156c47a5e

SHA512
1df9268bfa1389ffafd90fdb0d6f913a2bfd7caa2ccf40a7ec9bd9b01754e95ec700757f3fe84ce2002969069cf11f19f05eab55046536857217dc13eac8b021

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
c66ad2b18816b0cc14ed603ed300d653

SHA1
08aa5ad943a728171198b7508508752ccb051ee2

SHA256
4b4da542d127fc8a52a5464217ab990d063819c8473aec11aee2570ff9db7d4c

SHA512
6e88057fb40594e840ec59581b13714a819dc0a55b67649e9716f9b749d0f1661dae840ee66e652d6764ee7c733002aa43edac31bb21543d6a1f93a4498514bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f0ab69745562d4cb0eb0e84e09fd2ea1

SHA1
c08f264ba3d7efab5bc6995646a4aa2a03a53ce2

SHA256
8c35f71047898e24d423a3c6901a48f08ef3358e4034fdded5b4b98ae7d46651

SHA512
d7e79a4a962ed94168d0ff0a45315ce6909e41d91ace5cd2899cf2fbf4c1a3ac602a6cfa3608e1dffeaca31216b7f7d711722da09398af5700ae30e4585de95e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8236a583909cf38589ecfbd66f24bf6f

SHA1
abeb44ba525c65186bfb5098cfdb35c2070553c1

SHA256
38ab14b8b50b3755f9c33ced9f25afd5769da6a76768c14497964c47b26aed57

SHA512
33ec865763fc797851cb56111a249cbf868d2492f3f149b21dd9722cac1afa2a48aeb46fce2ca569fabc63606bafac9a0637f046e426b8235e730efb6af872ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c83c3f5a10ad0ad4812d0b4adf409e53

SHA1
1dfffee55a7e48143c87f30922b12a47b75e083b

SHA256
981720c4324175dd084584bd5bb7398801995c8ebe1a3afd4bc1a8386e3d7f35

SHA512
d0a195b869b86dbc39808404feb5d2f062675dfc186ccce362a33b8e2c0020758a86531ea7e4c93219293c8e9d01b7471eca174c47f80f40edf0a15b724ef744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
2ecb09f9c789a5d32a4cd6a1a7c9cb67

SHA1
bdeb2dbb606388ca868af178d50711b942a5d340

SHA256
66aa8a14e33ddacf616cc463e7ff05b9a0d9b68ce7ed8c4ccc50efb015499c3a

SHA512
442c60a55f96915af3be6c06a2850f245cbcc9e0869b0b5fc82a9522cce503b8edfdd1a72e69d61d48c5919023a5c3b40f512eebdd0ffc9b991b1ae86da642b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e21068d645276cca41c1b14510d5386a

SHA1
7b8745d1b3229f593f4ee548b8a39b2c5f645f28

SHA256
4401f1519870b06cc5327566d79aba1659d40c4fcc605a0a0d9053e0e6e9e6f3

SHA512
2fd51203cdc3c2d02fa95691a18614e3c6450bf0a5c3ebb7322d8cc475f4f49881b84743bc1547e07652d40386cfd4755b4ccb3029d45b11abfa91238d86f059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
506930dfa3c728f104b3497c15cbbe39

SHA1
2d1039f9d69a2c1b6117b0c3454128f32f14d620

SHA256
df62f955adfc6a51644a761fc6a37d6406c94bf71f4aa0f2dd40c899157cca6f

SHA512
48c79a76a5c3b208de03699405d38c97dc254092ed8274dc52f59c52e3133536acb02d7c019060b19b0878784d525a9ea140e00502d644bbc1146c6bad2b73ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2d3be2607a1b4944bc8ce50f67f727ee

SHA1
e0e22b3fd3a45cf10d1c3a1322d7a5c23c80510e

SHA256
1daa5c9b1983116e5267fb6aa57bb94409e79fde09e8f0a0f3f06a05ba6af023

SHA512
e982c712270da816585860626e7dbccc1456661109e7b8f230683fb5bcae95f3eaf3df354a751abe1bb11112542d87ba06e150e50bffdf3711bca2af8bd89ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
58aa07a707dc105059d6e36d961f13ea

SHA1
fd565e6b173e16991487b28e757b4af1ff977c5e

SHA256
229a040901a03f84254f6ec86690bb56d4d370f4d4be5f29c02fe47b08df72de

SHA512
c95d82f2c6b9c2b519ad5a7aaf7cdb608d7fd8d88d970cc26e0818df3e71bdea0eacf3d9c4d83ae01e3f369ad83ca6b7878b65fc69495967763a72d376963e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
78c359df20760b2ee4d0f801f285fe68

SHA1
daf860b421af0917c122e77510e2c24b98e04a79

SHA256
f499519c4ef3bf38c6003fd1c99d35ddf933d204fc126d766c3db4dd75ce2381

SHA512
b48fd8bb61f8dccc3d1a0a5791f15bf39068fc30465619951bb8b7b6896bf16db8ba53db657db9887eee4f91d9cb119741a06d2986d5e1275ca556efc499be5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
e0fa884490fb0c40ac1d5f377dda97f4

SHA1
7a223e8d3168a788af2827fc57f7afea2bacb888

SHA256
6e96a716b01ce7479f88d2e51a327f7ed73d184f02dd9283dc0bc660a3de11f3

SHA512
079984b63b9a3fca87bb4c98aea54e91ce2c08c6f0166f5140bf1b463e06da52f4dbdc1b9f720812146cdab10d8c10302d64e5c46a7b3b210f6800996aa17ead

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe579357.TMP
Filesize
120B

MD5
782f32e3acac232cb79fbbe8ee309176

SHA1
906a106f0d3e1e3ee02057d7bccf62311f7876cc

SHA256
0b5ae0444c8c007d381bfe3d8601bf863bdf5e1335e3f935e493f67afd5e6ec7

SHA512
f79924dbfe3fb7684a22cd076bf7d512cc928846ec2d695397e78408531e8cf7838754c1be281b94c1bae6539d6534fd52b632f8a6767e47bdfd36bd6da04913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
173KB

MD5
aa1830fe9f646e956352a95aaf43f25d

SHA1
476e50d0d79621c96e8fd307212f3d508d9bc75f

SHA256
3eca15ef36344ed71a71334c5b48eeb2091dd105442e556139b99430974d72b2

SHA512
2490361cc8dfec0728940f81a7df9e9a67e3397ab81ec6d7661e1fe12e31091eef634d55a66458f07a0aa2fd7a114f805795c47d2b8732475ab8b0e02eb1e1d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
110KB

MD5
42bd4c11f884ecf66d818da5600482cf

SHA1
47a2b6ef19dca20c7b2be7fbddce9f02aba656d0

SHA256
317c6c88abf2f87c4f019b3e37871e43c697dd8117e555c416d5e35ea2e4c8fa

SHA512
424aac0045f14851d25e7cbd93c86275a762f9343f71a9258938f7c03a7ae2e4b2a6374e2d191375331230f0091ad0180924c0bf3128dd45523b9ce4e7a6541a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b418.TMP
Filesize
96KB

MD5
f9e9b5e61122ce215ab963d5c60978b7

SHA1
02960088b4cbf3d7a6dca3ab3f8f29ed1731b89d

SHA256
d3383d25feed35f51f0a9ed51d5716657aebb2b06e2ea086cff8166b0b839b65

SHA512
5422ec33d2386513c02800a69f46bab70776829e8204ac12701165fb2a502b071e47d5a5f292c5bd533b7154126d336092d1fbdc24369298a42b24686adeae51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
7db86bc540da62978558bbfe262368e2

SHA1
6d99ea753aff05b7bd7c1f012ef98ff4db96e640

SHA256
14df2d22a4cfbda222b192b52a118252b44e4dd681df7e9a908959aa182e8f58

SHA512
2344795f8d388d02185efb1a7ab6fc09c6cdbf2bc63e17d1a85a6839d2f08f745944112a5f5b61b8dfdcea70452269582bf9b8697a608ca1b18a260793e325e6

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_396_YDDTUGEDNWXKCFFV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2932-514-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-515-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-516-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-520-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-523-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-524-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-521-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-522-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-526-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download
memory/2932-525-0x0000013A0B4D0000-0x0000013A0B4D1000-memory.dmp

Filesize
4KB

Download