e5c2683f7a605712f83903c9272d7d4bc0b03d8399595d7ae88189b38db2ae84

Resubmissions

29/06/2023, 02:37

230629-c36v3acf8y 8

04/06/2023, 17:51

230604-we6pyadf2s 7

04/06/2023, 17:49

230604-weeapada36 7

04/06/2023, 17:36

230604-v6lcmsde5w 8

Analysis

max time kernel
60s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2023, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ × ADZP 20 Complex.exe
Size

387KB
MD5

580ccf644a5efb8b9d0157ea6b0049ab
SHA1

dd4433c9c670cef10344f3d52a4397a520404a7e
SHA256

e5c2683f7a605712f83903c9272d7d4bc0b03d8399595d7ae88189b38db2ae84
SHA512

402497966cc73cb3d87d3ce72fc08372c996b790c6535253d01604b007b57d9efdcb2bf8e96f9a1418dd23632bb314d9de3c7fcc552d42fab3c11ee47fdd9136
SSDEEP

12288:actEagGmcl4gBF1BRnI6hAVebOe1gsT+tcVtQ:TR+cl7X1BRnI6hmebOe1gmLQ

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	MEMZ × ADZP 20 Complex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	MEMZ-Destructive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	MEMZ-Destructive.exe

Executes dropped EXE 7 IoCs

pid	Process
4612	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
3648	MEMZ-Destructive.exe
4632	MEMZ-Destructive.exe
820	MEMZ-Destructive.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133303746426111115"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	MEMZ × ADZP 20 Complex.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
1924	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4632	MEMZ-Destructive.exe
4632	MEMZ-Destructive.exe
3648	MEMZ-Destructive.exe
3648	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
4632	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4632	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
3648	MEMZ-Destructive.exe
3648	MEMZ-Destructive.exe
4632	MEMZ-Destructive.exe
4632	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
3648	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
3648	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
488	msinfo32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	taskmgr.exe
Token: SeSystemProfilePrivilege	2648	taskmgr.exe
Token: SeCreateGlobalPrivilege	2648	taskmgr.exe
Token: 33	2648	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2648	taskmgr.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe
Token: SeShutdownPrivilege	4916	chrome.exe
Token: SeCreatePagefilePrivilege	4916	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
4612	MEMZ-Destructive.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
2648	taskmgr.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe
4916	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4612	MEMZ-Destructive.exe
1924	MEMZ-Destructive.exe
4556	MEMZ-Destructive.exe
4676	MEMZ-Destructive.exe
3648	MEMZ-Destructive.exe
4632	MEMZ-Destructive.exe
820	MEMZ-Destructive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4612	4832	MEMZ × ADZP 20 Complex.exe	85
PID 4832 wrote to memory of 4612	4832	MEMZ × ADZP 20 Complex.exe	85
PID 4832 wrote to memory of 4612	4832	MEMZ × ADZP 20 Complex.exe	85
PID 4832 wrote to memory of 3392	4832	MEMZ × ADZP 20 Complex.exe	87
PID 4832 wrote to memory of 3392	4832	MEMZ × ADZP 20 Complex.exe	87
PID 4612 wrote to memory of 1924	4612	MEMZ-Destructive.exe	93
PID 4612 wrote to memory of 1924	4612	MEMZ-Destructive.exe	93
PID 4612 wrote to memory of 1924	4612	MEMZ-Destructive.exe	93
PID 4612 wrote to memory of 4556	4612	MEMZ-Destructive.exe	94
PID 4612 wrote to memory of 4556	4612	MEMZ-Destructive.exe	94
PID 4612 wrote to memory of 4556	4612	MEMZ-Destructive.exe	94
PID 4612 wrote to memory of 4676	4612	MEMZ-Destructive.exe	95
PID 4612 wrote to memory of 4676	4612	MEMZ-Destructive.exe	95
PID 4612 wrote to memory of 4676	4612	MEMZ-Destructive.exe	95
PID 4612 wrote to memory of 3648	4612	MEMZ-Destructive.exe	96
PID 4612 wrote to memory of 3648	4612	MEMZ-Destructive.exe	96
PID 4612 wrote to memory of 3648	4612	MEMZ-Destructive.exe	96
PID 4612 wrote to memory of 4632	4612	MEMZ-Destructive.exe	97
PID 4612 wrote to memory of 4632	4612	MEMZ-Destructive.exe	97
PID 4612 wrote to memory of 4632	4612	MEMZ-Destructive.exe	97
PID 4612 wrote to memory of 820	4612	MEMZ-Destructive.exe	98
PID 4612 wrote to memory of 820	4612	MEMZ-Destructive.exe	98
PID 4612 wrote to memory of 820	4612	MEMZ-Destructive.exe	98
PID 820 wrote to memory of 4616	820	MEMZ-Destructive.exe	99
PID 820 wrote to memory of 4616	820	MEMZ-Destructive.exe	99
PID 820 wrote to memory of 4616	820	MEMZ-Destructive.exe	99
PID 4916 wrote to memory of 3216	4916	chrome.exe	104
PID 4916 wrote to memory of 3216	4916	chrome.exe	104
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105
PID 4916 wrote to memory of 3956	4916	chrome.exe	105

C:\Users\Admin\AppData\Local\Temp\MEMZ × ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ × ADZP 20 Complex.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4556
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4676
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3648
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
      4⤵
      PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf0,0x12c,0x7ffb43b646f8,0x7ffb43b64708,0x7ffb43b64718
        5⤵
        
        PID:1568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,3781283635770663924,6979566631662101748,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        5⤵
        
        PID:4128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,3781283635770663924,6979566631662101748,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:4560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,3781283635770663924,6979566631662101748,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
        5⤵
        
        PID:216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3781283635770663924,6979566631662101748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:5256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3781283635770663924,6979566631662101748,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:5268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3781283635770663924,6979566631662101748,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
        5⤵
        
        PID:5876
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex-Destructive.vbs"
  2⤵
  PID:3392

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb47d59758,0x7ffb47d59768,0x7ffb47d59778
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:2
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:1
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3252 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 --field-trial-handle=1764,i,13037063030902304326,10611615177336290775,131072 /prefetch:8
  2⤵
  PID:3456

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\UnpublishExpand.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:488

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1014B

MD5
85143806bc7c33adf167272179da6603

SHA1
1a472e584f4c8745f8f6544338a20fee019d0393

SHA256
c7bd1f6ba951a1045734517168ebc73cb94867c73d961b8092faf80d12419636

SHA512
a518360c241328d1e1d33f34104731a54f83a6cd8cf67f5ecb554d1a1fd0bb0cdbf0600331831cee78b3b0bd82692a5f0527f503b575adfbdeb62c3310ce6523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
efa1d226227d552e342553426674a306

SHA1
36d5c479493e4f60ca82a5e8f1a2b8285fdc09de

SHA256
1153016ec1911e14e76ff599b1922451c98645415fcc4b44ce7583ecb58f5fe2

SHA512
0e92da047d0f7e5965974d83c9c5672885f4c0edb194f5e9597cdcb5f95bf2f74e92fd8a3ed1fda985a734b09f233f3b96d8844f61d35a0629a75d05e7a4312f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8147beb5a9f5b9f6b435b1e5b5a068d0

SHA1
609aae272c06363010ca66c879753fa5f58abcd1

SHA256
9f7ddf2e59f15d0e96563c2d27c7afecc99a6e8b46a76d71b82ebf10ecc25204

SHA512
2433898b1fc23313168de98cdb417e47703e43f3592f76093cacfcd0dfca11d389146084120a9548c0869f90de9536ab7ed35c985fcc1c083ea8877e3ceecbf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
df2625e33560105285e4c73f7e0c032b

SHA1
e7067041fb2beec3966abb8faf4c3aa70af0fdfd

SHA256
7fbb16a80c7d3e538adba8d91b1b95d454260beb7d2a5fb0bd1ee5c85096b61d

SHA512
6ff4d967f6a9dc284132a0973c891440b9011eb1d7a70fb972449a0a0058813ff0b83ba578d0216b38f361b123edb3a03eac3dc2d72dce8cf051486a454654bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
347cd953264968fb526c05a7c5e302f5

SHA1
0d22f8cbb8c7787786968470d668900e23a3bab2

SHA256
79b923a0ba3931a9f3d21598fbd0cea83ebcfd04c51eb88f68bf8477379f9053

SHA512
7688851070da0fd8ad8a1a3f16c61193e28d71d7c676554b5d03170c9e0ba5e75413ae6edd60c84d4315563d01fb3c2a2db4c03f95a4a0d8a3353372aff8b711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
347cd953264968fb526c05a7c5e302f5

SHA1
0d22f8cbb8c7787786968470d668900e23a3bab2

SHA256
79b923a0ba3931a9f3d21598fbd0cea83ebcfd04c51eb88f68bf8477379f9053

SHA512
7688851070da0fd8ad8a1a3f16c61193e28d71d7c676554b5d03170c9e0ba5e75413ae6edd60c84d4315563d01fb3c2a2db4c03f95a4a0d8a3353372aff8b711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
158KB

MD5
444ba6dc33f191d0ada705f559b7c782

SHA1
3b44232f3f4c7925b9695cbf57d995b54f3b9803

SHA256
b9568c9f02e414fe13f95267178f5036601cb90d5944ee824f947cc8242beb72

SHA512
202b34cc50f071bc46544405350ca4990a17bd2235e8ba9781d5be85aa768ea949a4ff54dc1d83b8db44e451b683554687a87a5add6e862c1b7963aadf61edc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8c9383861d9295966a7f745d7b76a13

SHA1
d77273648971ec19128c344f78a8ffeb8a246645

SHA256
b75207c223dfc38fbb3dbf03107043a7dce74129d88053c9316350c97ac26d2e

SHA512
094e6978e09a6e762022e8ff57935a26b3171a0627639ca91a373bddd06092241d695b9f3b609ba60bc28e78a5c78cf0f072d79cd5769f1b9f6d873169f0df14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
91fa8f2ee8bf3996b6df4639f7ca34f7

SHA1
221b470deb37961c3ebbcc42a1a63e76fb3fe830

SHA256
e8e0588b16d612fa9d9989d16b729c082b4dd9bfca62564050cdb8ed03dd7068

SHA512
5415cd41f2f3bb5d9c7dadc59e347994444321cf8abe346b08e8c5a3fc6a5adae910eda43b4251ba4e317fbb7696c45dba9fd5e7fa61144c9b947206c7b999c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
d93eb54c96fcc01017a870dfc3494068

SHA1
0978df8f54137ce9301a9d34ef94f49b3a972016

SHA256
b22a2745b6590584862d933ba0938cc5ef0713473c95893b4f6e4760d12b106a

SHA512
1283cdc0ca40ec57191277e8e8b0198be0f583b3428cbda916df4f03a5b73a43f890e05cfb2faa9e7537903f3e6bbb2f77c7741d3813ee57c5d9160a2330edc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
97cd216f564251fcde7aef950367ca83

SHA1
5c348a1ef774294f38cbfe8063554febb64b5fdb

SHA256
de489a43d184e289370dedfd98645a0a508013fd9093cf234c7c080e82ed05b7

SHA512
a35b98e2a54a3934e1e4892e169c92adb9fe5d77a04c1f1a3848cd5d03737f81a0a1cdc645e6c1714fb6dfd2ac86b41e1122b249718e3282cb1548a4db05ad07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
80b1876aacff8738ce4177662757ff8c

SHA1
2b2a7543425d212410505731aba5925d405c6b46

SHA256
a8fa49308469690f905412283fcfc7527e2b572264d974fba4e16fcbfc0b5501

SHA512
890ebe578ed69917b919d3d45acaa8c01e7876e8426b10d1cf913215fea257c79e5abe92ae0a1bc4daeb0f95c0d40ad1e45030d7f1474051f26151c20d3137b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
96039dbbf4fc6c0a62afe62fd97b0952

SHA1
5373ec2a1d041f59773de1c919582dba265f3c3c

SHA256
927b6d06bd453b8046505b8e9a59f1e763bafa8d4b1f1eaa07faf107af323a68

SHA512
7b912e3977170ceb52863e62db72d463ee13e4af07fb106d28a8203dfc3d0b6a3a9e8321c9127e1fcc639b36ff9a44d6e40d5306054714241511c948997b8c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
60b345592703258c513cb5fc34a2f835

SHA1
39991bd7ea37e2fc394be3b253ef96ce04088a6d

SHA256
7e358b4f7553c9385e8eb2c5692d426bc257bbd4c0213e6c69294459734f6300

SHA512
0346fb4096eb285ab0fdf7e7ec38c4daf7bbb0c506f09975eb2290121d169a34c886fca342c3e06371cb697f2753a697ca4f72af7817ed340eee6063897110a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1128df97dd5642ab9d43159c9d5f6226

SHA1
9ca10e504cf15362f4ebd932a500b4ac12a9b87c

SHA256
f1e66a4077574f873027baf9a9e4ab234b1e1b44d7ad21e529858404d23be268

SHA512
601534fb98c76739feb94b56992a8554b9ad3eab5f50e904112c4e4e7306b86868d093578450bcfc05479cdfa9c5a05395461d26da75f4af686773549397463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
47ce2d8c54c24fe607a122da59885e59

SHA1
1076b55303f9fc26cfdbfcf972a237448d4f3b10

SHA256
34930bf5e8a6aec44d5e2fcffef3c44446daa636c098036226e2ef9a4bf07b9e

SHA512
6a22ed1204fd7527bb3ea6d64c08d4dbb95b7b638eb977d1e7037b92098fd09e3b15b13c5389148f1da2314d1f091a8dbadc247ffe0652d42fdb1c28cb2566d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex-Destructive.vbs

Filesize
32KB

MD5
268ad0d0582547195a60ebe86948e93a

SHA1
7bbf897816101572fc0111a94b7f36ed59bd1ff2

SHA256
59bbca836c4db770d30c3be2713733629709ac3f573e2037bfc6507820284589

SHA512
93493ddc7cb360f3a02ea53d1c1efa5d9c86d37163ea13f2e9c172e9158a8e51026ed0554b05d13a7039f6ab0f3f485e4fa4515797eaa32e5141ef4ee6326d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2648-159-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-158-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-157-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-156-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-155-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-154-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-153-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-149-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-148-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download
memory/2648-147-0x00000187277A0000-0x00000187277A1000-memory.dmp

Filesize
4KB

Download