751bfa320057b876376f3ab2c3f532324ab2782c0f0d8578d92edd6ea86f15c8

Resubmissions

05-04-2023 21:00

230405-zts9yabe71 3

05-04-2023 20:49

230405-zmd7fabe4w 8

Analysis

max time kernel
1795s
max time network
1617s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-04-2023 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download (74).jpg
Size

11KB
MD5

773c727f5bdd0870602c2bbc81e2d9de
SHA1

cb866613f048351b4dc7f493ed73a6506ace0539
SHA256

751bfa320057b876376f3ab2c3f532324ab2782c0f0d8578d92edd6ea86f15c8
SHA512

128a5c5a2f8f7290847b612a218d2f04ec7f8b771e8ec6a310c043342ffaa6e4910cb9be6528dfc4608db72327f4986f2dc5e34121ed1cf17d1a59bb69dd264b
SSDEEP

192:fxZ4EDPy7DGgJ146Tf+77d60Nv4kSJTCIn8u6r278sPVw5XYdQ6ZLHtAOB9k:fxWEDPyGA46r07d6Bvtki78CVUobN3k

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

3060 MEMZ.exe
1760 MEMZ.exe
1448 MEMZ.exe
1056 MEMZ.exe
1732 MEMZ.exe
1416 MEMZ.exe
2376 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

MEMZ.exe

pid process

3060 MEMZ.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run chrome.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3060	MEMZ.exe
1760	MEMZ.exe
1448	MEMZ.exe
1056	MEMZ.exe
1732	MEMZ.exe
1416	MEMZ.exe
2376	MEMZ.exe

pid	process
3060	MEMZ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D01F3B1-D407-11ED-B1DF-CEF47884BE6D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387501335"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402995361468d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc45899000000000200000000001066000000010000200000002b07a2c0f55aa501b196f9d1e6bd54ef7da3c12a6b2280bde1f0c03d945fd446000000000e8000000002000020000000f289dc677f8e2cf0581cfbe6658a8c2c59e7833406edd2bc4daccfee91345c8390000000899e44b9367c6f3be3f8259166646a18ae1199c8b91c64a3dab97f4b0ed66eff551a7de55ecfd0fe770fc50df16ede806cda3c35f0085292eae776006d2a625299ba0a4216de1004d942a09386d0ef8871b78e84370d7c0cd817bf7f7d884aabc044da78e17a687640c75181a53447bd12bb3375b4606f2f5d88a3f18f43265a2c433f415aa9ce7b2c57c5ff3e1e246c400000001d5980fd8480c025111e95c70b5591aab8eb1fd72a6582694b26ec152c4a503937a6f5f66cb29c3a7ce1e4b3b4ffaec473a06ea95a89f9cf12c03a2dff612802	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc45899000000000200000000001066000000010000200000002792ccbdbc80df3841cfa756731964239fba6106d83067908bbaee55e035b583000000000e8000000002000020000000a91d7139bef9998046f2301e663651b88a354305ed720f01ebc3aa6b734a22c720000000be765939cc88e0d8ba6badd0399e3c0eb478631e1c72b13beb5a14078c23aeb840000000e2dcd55a15148bfbb6aaaf5afd821383443d2bcddd998e50f4a3733056d0e998671bd9eaa21b7262a0bbb6ee730429e43b32b99fb6b7fdba8bacc3f78d26eef7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1760	MEMZ.exe
1448	MEMZ.exe
1056	MEMZ.exe
1732	MEMZ.exe
1416	MEMZ.exe
1760	MEMZ.exe
1056	MEMZ.exe
1732	MEMZ.exe
1448	MEMZ.exe
1416	MEMZ.exe
1056	MEMZ.exe
1760	MEMZ.exe
1448	MEMZ.exe
1732	MEMZ.exe
1416	MEMZ.exe
1448	MEMZ.exe
1760	MEMZ.exe
1056	MEMZ.exe
1416	MEMZ.exe
1732	MEMZ.exe
1760	MEMZ.exe
1448	MEMZ.exe
1056	MEMZ.exe
1416	MEMZ.exe
1732	MEMZ.exe
1760	MEMZ.exe
1448	MEMZ.exe
1056	MEMZ.exe
1416	MEMZ.exe
1732	MEMZ.exe
1760	MEMZ.exe
1416	MEMZ.exe
1056	MEMZ.exe
1448	MEMZ.exe
1732	MEMZ.exe
1760	MEMZ.exe
1732	MEMZ.exe
1448	MEMZ.exe
1056	MEMZ.exe
1416	MEMZ.exe
1760	MEMZ.exe
1732	MEMZ.exe
1448	MEMZ.exe
1056	MEMZ.exe
1416	MEMZ.exe
1732	MEMZ.exe
1760	MEMZ.exe
1448	MEMZ.exe
1056	MEMZ.exe
1416	MEMZ.exe
1732	MEMZ.exe
1448	MEMZ.exe
1760	MEMZ.exe
1416	MEMZ.exe
1056	MEMZ.exe
1732	MEMZ.exe
1448	MEMZ.exe
1760	MEMZ.exe
1416	MEMZ.exe
1056	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exeiexplore.exe

pid	process
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
2880	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

MEMZ.exeiexplore.exeIEXPLORE.EXE

pid process

2376 MEMZ.exe
2880 iexplore.exe
2880 iexplore.exe
944 IEXPLORE.EXE
944 IEXPLORE.EXE
944 IEXPLORE.EXE
944 IEXPLORE.EXE
2376 MEMZ.exe

pid	process
2376	MEMZ.exe
2880	iexplore.exe
2880	iexplore.exe
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
2376	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1212 wrote to memory of 544	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 544	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 544	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1540	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1956	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1956	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1956	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe
PID 1212 wrote to memory of 1216	1212	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\download (74).jpg"
1⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fc9758,0x7fef6fc9768,0x7fef6fc9778
2⤵
PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:2
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2112 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:1
2⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2124 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:1
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3728 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:2
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1532 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:1
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3940 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3916 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4020 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:1
2⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2340 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1768 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=760 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4208 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1784 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:2940

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:2908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=g3t+r3kt
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1224,i,15221021571981479772,16079331700382591178,131072 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4
1⤵
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a47fc6955b209d2c8fd79b9f4f31402e

SHA1
3dd1094f9379fe79e8f705360f77a5d3e7ad84ff

SHA256
7bdeaae587b6f1d140216d1871d9d1c6ffbf529609cf7d2a3f199f13836b0a49

SHA512
dfc8c25ea5e1148785a429a83a231a81cf8ab14016c6986a03af07d9fef87371dc6288800121f7ba8c431cdd604a5885a29c3642ffd062ef7c29bcea07ac2427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\33b66df8-33d4-458d-b814-f82a9c48a779.tmp
Filesize
199KB

MD5
9bb73888942da6ff07aa7e0d0600d9b7

SHA1
58467266f6cdfd77598edfd564f499b0dbfb36ad

SHA256
bf9b99f8f6ff19b05c6608709318e1cc5be0569811f7aa7fa7401ec16ea6ae35

SHA512
2f677d3be6361ed946c15df276128674f66f38c1ad3e5d4d78c0b7b08cd5d5f567638c18014a1b24da7871327f68eb38e16e904b691c5bef1187c6d557201696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6dd940.TMP
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1015B

MD5
06170e8ceee6d0d9241b9c5f54c1a1f8

SHA1
5a90313b7be208ef0b05fd91563a3b2ce9396656

SHA256
a52f141a73728b8c12d4e75fcbfd5f72425189ac8f25c158072778b497f0389a

SHA512
b1711808400e0ac3bc9935f5cf886c3b1d32f673c5da4bd67525beb8959a33d1849b1ceaf1488de51c0217b296294b9ecd83ae35fe41b6cf74d3606b2e86cbde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
fad81347a9d0f62acbe2853a520b3eef

SHA1
9d975bb31a2f3b86486ecaaf0016390ca6501a7a

SHA256
d67356e3b112c22fa0ff505fbcd0b3312e117969235df1b9338701fba53290ce

SHA512
057fd0f9383669a53f00a3b706363af5f52267acf3d1e05f80c5383faf91b595e975a0ac80c6b3485d614d5568cc7ea91ac5dbe4198c69598c0acf30c0a6940f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
854B

MD5
8698563b24f158db442ad8b98ef963f8

SHA1
a90cfeb5e98ac89b909fb872f562a6e2aae65880

SHA256
10e117e2d3049586d02a878394a20bfa8780524f58a6b3216e919d64c6f8ee7f

SHA512
8e43b15c5b757b783aca8be74ec97d7da845b0f831c2478b633202e3bbba76a5fccda41804645dd856fa48e24693e28343a07359d1f173feee9df86997045959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a40385fdf242c50858aab0564c6e1616

SHA1
6c9b9c04f125cf664438a61ae1d35dcc1653ce54

SHA256
94ed91d79f943db4ab4456852f4291f31f28b2d0a0540ead0596cbd6955116d6

SHA512
35a0e7c7399ee0c7a59e1c3e8b99ee60c2ac0fcb2708488c3f995fcd87c8a832cd7e0018c2d61adef60f6cf06986c7eddec1a02a92af834f36a6922bb9a600cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
f86262f40210968c9bb6903e67c21760

SHA1
44a5ba864eff02e51e8ac55a96dc0894b912cc47

SHA256
00dcd44312770dc75b574b18fa458523354f1cbfcf79e7ae8396f21b27b22581

SHA512
1f2c4f3b5e74b6969408a9209b42524632d805fc289be6238649712b7ea901eca69c5bbe30ef51b3f49a84fd52fc2910fb77b0ea4ff14ed1640191a5a981b096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
540d94769176a3f6a591115b36c93eba

SHA1
0e11eb31f1413fd23ac95c1825b4da3251abccda

SHA256
4a0f937db121e3781492f3cfc1aa3e379664ca951b9623d6f85e4b631a2bddac

SHA512
500224fb3c14e28cbe4b4aa05114130d26d658b00a9716bc07484329ac39efa06af1d46423b20bcde9465598003bab0365640d9b460dea79b930e751ff203d2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
95260fb33e98a8d384f1d9ba9d9d04a4

SHA1
a994fe5e08479ec55b752a91ee23fe4a0ea5f76e

SHA256
f70c23ec089327e1737e13707f5637b91e41aff0fb9813dbe83bf731c9327dd7

SHA512
0bc720ed928832e47ee48bdccfb4d3d115e6caede18545dc58838de4d4603f34d2b36c8480635d5cafb8f17074fc7efa38f621a8f469e2e6328b1042e24bd64b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
3e53a6798b3b868f8c62dab9653ef695

SHA1
16bcc77271555cbdfde577b848e77d4c2b0e7988

SHA256
db306dba0ddb66825452216ea90ff7c68224362814c6b128b14d96a32fd48f33

SHA512
46c7baedc1d3e8155c9f6ee6e16a08d6f4490aa98694d1c9e02b3d2bd6db942fcc8293c63a4f11fa9060ff07bf6a2be9499b95de768610ecbb7f2d366ef8b4b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d7aa745b-8962-4071-a4c3-621152cfe203.tmp
Filesize
5KB

MD5
562df2693cb628fd9dc0aabcfa7f6e4b

SHA1
3244813c57b023c91543d6e995bcbdd18a16be14

SHA256
ab63c7172af892c44ff88d9dc970a62084cb34dbf579adbbcb2cc433ef0d859b

SHA512
93a57fcabca7589f7fe75916a5cc07f5cff55fe63cbed5ffc6fa235aa3d4b5dcc54f969f577d481d4681f8e9459edfbb2b29973332e8fe93ea605dd744781256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
199KB

MD5
3b13e7f83840effa0bc128ae075fb85e

SHA1
1ebf752e475d3fb0568d08798511a91169610f6d

SHA256
bd44af5fd90b1a3c8c5e241ef56762067f4573edfff91f0948107a08fcfa106f

SHA512
4865538d6ebea1e2cac6f2c443dff5c78f3114b355b8e757980e051f030ed25c0ea1f75a78762fc1768a07fd80b54c125a46e005876154673355311357375616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jo5ozfo\imagestore.dat
Filesize
9KB

MD5
a3ef28b2d1aeaa2f7a6a6f8afdc100b8

SHA1
0137bdf0a0c0c0ef1af5accc886e20b23883f6ea

SHA256
ccc712844697f251d4149f812ffaa22ad2650120aeb4f2c0e6e4fab70f41dd72

SHA512
b5ad0252b819a4600a91680e2669a2e9b2c54a04bc958cd99b618233a439f0098d7a12abd0cad9800ba72e04a13e5d4771bac4fd3cd31f998ac090f2ee374df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYXN1WWD\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\favicon[1].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20FD.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20FC.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar221D.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1YOKSJO8.txt
Filesize
607B

MD5
0f8ab53a24ab176dffe4d0da0b5b1264

SHA1
f5d33327baa0496bc73560c3f3ca0b467849ebec

SHA256
05111d0adf30cfdb4a70605c19261257b5b1fa5192e0d39f9ac2f39617911f26

SHA512
bfe1ba523495b45a7255b61233bc502444ac10be0a8a19f7f35ba4411f2e343533f6c8271397a0ee2da632e32ff09f7c32db9f16add092d8b87042d4e451a622

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_1212_CVBTTTXIIMCLKBDG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit