0b7f3c79786d3ccee94b43fe28afeb0a469f02931e77f30672d0d6af49547d95

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y2mate.is - Theme From The Big Bang Theory Original Television Version -20i5eqwK178-1080pp-1708288557.mp4
Size

1.6MB
MD5

8fd86674660fafb3f475547cdef12be4
SHA1

0c5756e3cb2224387898e40cb923d61e90a5db28
SHA256

0b7f3c79786d3ccee94b43fe28afeb0a469f02931e77f30672d0d6af49547d95
SHA512

76a05d57c50f4f8c718c6fd286c61e5e2abca5bc03b49da6d220c5f308990be8369dec302fd52e4afdc38bb89b3b92cf20fbdee3b88a31553b7568934ff00e15
SSDEEP

49152:Rvv1wM8VSoHr5+svv1wM8VSoHVl/UGvv1wM8VSoHKDYkvv1wM8VSoHvJdkCVW:Rvv1wMwTHJvv1wMwTHfvv1wMwTHwDvv5

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
628	MEMZ.exe
1420	MEMZ.exe
2336	MEMZ.exe
2372	MEMZ.exe
3332	MEMZ.exe
4424	MEMZ.exe
3228	MEMZ.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
136	raw.githubusercontent.com
137	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133528311497537668"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
1420	MEMZ.exe
1420	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
2372	MEMZ.exe
2372	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
4424	MEMZ.exe
4424	MEMZ.exe
3332	MEMZ.exe
3332	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
1420	MEMZ.exe
2372	MEMZ.exe
1420	MEMZ.exe
2372	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
3332	MEMZ.exe
3332	MEMZ.exe
4424	MEMZ.exe
4424	MEMZ.exe
4424	MEMZ.exe
4424	MEMZ.exe
3332	MEMZ.exe
3332	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
2372	MEMZ.exe
2372	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
2372	MEMZ.exe
2372	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
3332	MEMZ.exe
3332	MEMZ.exe
4424	MEMZ.exe
4424	MEMZ.exe
2336	MEMZ.exe
2372	MEMZ.exe
2336	MEMZ.exe
2372	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
1420	MEMZ.exe
2372	MEMZ.exe
2372	MEMZ.exe
2336	MEMZ.exe
2336	MEMZ.exe
4424	MEMZ.exe
4424	MEMZ.exe
3332	MEMZ.exe
3332	MEMZ.exe
4424	MEMZ.exe
4424	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4824	unregmp2.exe
Token: SeCreatePagefilePrivilege	4824	unregmp2.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe
Token: SeShutdownPrivilege	2040	chrome.exe
Token: SeCreatePagefilePrivilege	2040	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
60	notepad.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe
2040	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 4112	3716	wmplayer.exe	86
PID 3716 wrote to memory of 4112	3716	wmplayer.exe	86
PID 3716 wrote to memory of 4112	3716	wmplayer.exe	86
PID 3716 wrote to memory of 4124	3716	wmplayer.exe	87
PID 3716 wrote to memory of 4124	3716	wmplayer.exe	87
PID 3716 wrote to memory of 4124	3716	wmplayer.exe	87
PID 4124 wrote to memory of 4824	4124	unregmp2.exe	88
PID 4124 wrote to memory of 4824	4124	unregmp2.exe	88
PID 2040 wrote to memory of 4328	2040	chrome.exe	92
PID 2040 wrote to memory of 4328	2040	chrome.exe	92
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 2180	2040	chrome.exe	94
PID 2040 wrote to memory of 3912	2040	chrome.exe	95
PID 2040 wrote to memory of 3912	2040	chrome.exe	95
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96
PID 2040 wrote to memory of 3284	2040	chrome.exe	96

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\y2mate.is - Theme From The Big Bang Theory Original Television Version -20i5eqwK178-1080pp-1708288557.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\y2mate.is - Theme From The Big Bang Theory Original Television Version -20i5eqwK178-1080pp-1708288557.mp4"
  2⤵
  PID:4112
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5599758,0x7ffae5599768,0x7ffae5599778
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:2
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:1
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4640 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5220 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5140 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3808 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5668 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4980 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5576 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4752 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4680 --field-trial-handle=1980,i,11962984410125249265,11959482798807425949,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:628
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3332
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4424
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3228
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:60
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
      4⤵
      PID:3132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffaf4a946f8,0x7ffaf4a94708,0x7ffaf4a94718
        5⤵
        
        PID:3380

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
06cb985176017d1663daf9f9ebf1eae7

SHA1
e190415451caf159f68d5c8b5e32919f4edfd090

SHA256
4a3d810b9e09dee392f2a26c96eb0c280d0049931600275dabba1b1d8cb1e98b

SHA512
aeee50f4ae70df5578e1ae75fd5e9a5e9480330c02754f82f75008148c1814cd042870efb4310a34ed65a30ecbed946e5c792cae14af542e8e82069a4d15f5db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
52c3f5b06a28e53e77cdbee92fb92a6f

SHA1
51a99ddebc35b6272e3b6bfaab68d2cb59e0278f

SHA256
37d0514203e0d9ec676d53db511234ae5c5839bdda8fb2be09b001b386f43a3a

SHA512
6c14a85a18327bfdbaf9c732c5a09696b21e7e3f63f8648e7763b0e8bed1179d6cb56e9de043ad16e49113fe291505433a7b7dea08f4155a3e613e8c5f4de3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3bc967f1be9e4bb077fcf1a08d49cafa

SHA1
60b50a3da361605007738ebfc0de717e841ec4fd

SHA256
21cf3d484f872acbae605c656f442d3501d457bd3378651755c13be5c46e64b7

SHA512
d5341b172cf92f1de1c326d49d833d0604da70f23f97c78ba285617a59b0eba33d488d86e8dea06f165b68343109942b7807883059347d3b6640a1a647295a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
155ba5b0c3ab6a0d036448d035e5a0a4

SHA1
9ef36738ec860691867a928a91c6dc03ac008dd1

SHA256
87e3b76f2736c3ac7fcec6171d8f89be70d8aa2299b898494642c1d526632a3a

SHA512
babf7068fb532da3047d62c7aeac2412dff188d828860812c0921ff80da6eaaaf49a2296469a1c90c101fbb5d2ddf9c905b43aa559180452346a675cd775ae14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
96d87cca55f1b4bee35783f3009af283

SHA1
270625dba35fa7715bf605658f85de6c41a08707

SHA256
942437c76450069f909ba27940cc0697ae10d92f036d9404bbcf3df84b3cdfba

SHA512
6798005ca98d85a04b2076fabf2f0d4a254db886974128fd8c7762d3969dcee2734990bea16e7a63053c81c98529404e4aee8cc5f60915458323d00a736a1502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a9f3269efdb5978f6c63e652b6346d90

SHA1
7c677ef61b8ef59f1576bba6aa0c2fa539906db2

SHA256
4b5bc1de5064acd628390edadcb131489a492bc78def2239b9df56045b457ec4

SHA512
3509b615771f55c12e141009c6395a923a9361f219a83a6c7d72fd47b84530cca7de56a6d7098e5b9142285ec72d299e2db206813fb94679c542b3d6adabbe8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
ba067fa8160c0f2e3aba9efacf8fe644

SHA1
4f6b8f69ae0ffcfefe445a4fb8f4f0f7ae45ec27

SHA256
4ff19a9d5625de9b76a02a8a04fb967871e33e2f02e4a338281aa5f3b4bf7b04

SHA512
bede9e107bbc53de0c4e6ce3d1b79bb6f0fb83c53967e7f69ee511dac10418d9374fa650bbb0a06840fc8088e347ad7f6c1e1c06d90baac1d1e34846c9e1e7cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
29fe724012f97b3dbeef0c9b5bc7089a

SHA1
15a2a327808e720fa7383971dfb0ddab4060af59

SHA256
733b2dbeca3267f576bbde418987eb1fd2b0aa7c2468c520408d83e55717d964

SHA512
c366cc5ca7a47456d5bbdcbb999c4f695b5ab9bb8e810bfadce87b0746df7f0ee11460575fef4698233d48092f844457f358c9cb30c76c903a5ca174653fb25e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
54f29c65aac6ae419cd2697afd9c863b

SHA1
392da9a748dec565891a3e529efee0ef27b892de

SHA256
5a95427403a9684d92769ddca4cfabf45f3c3bd5f35834c12acc6d501c45c0e0

SHA512
fcea26e3b9b6e8c0719e27e8108f9517173e7aa2df100be42b6dbe2842bc795b49b06ee83df903811facdc001b44d7f7d2e54db7756097a14398197194ed37b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
97c577fd4168b008e0a2f040b14ec8ff

SHA1
529aec9a38cc7ed3d09af49796033f36a80a4906

SHA256
edb60d789c3e6690855588c5f824b349e01e0a13f213dd873c0e6a7791aedcdc

SHA512
46cb242fcde700f809143047031a3e0696b280b424c7beb68e9f6d7bca7c44d8e49bdd9a4ae975eba45c73dfbd97d884cc133f0ff9907a8dcdab4985a707f2b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ddb6e8453afed3845a5ccbce74761758

SHA1
abf10c9c3d29305b41c16e2b3acd81556e5801c9

SHA256
9c4bbfcd0bca9098132c37eed60d6343d3e98537f58966392c2524e57d1a3e95

SHA512
59bb368ccec360ed34533a73f6119369f93fe61113c24d9088ccfb5f1c550116bf68f9d850317f0ab011450aaf6e80eed4f6db792498ca54f6c90819c26cf8d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8dd8618018f6784667bf29da892be351

SHA1
46f89b5c9af4b4f60e9124a998c47b1e2f6764ac

SHA256
01476d4d5ed4ffe1550fe07dd3f2aa27b16efff2ccc14c7c052814538d7046b6

SHA512
fb89ed2149d65a9256440a68e2148951fb8b9a8321fb4ecfd78b63d2bcb7a7ee51eb82963201074f5c772d573de930545b13aab11708806c55f08245f612aa28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ef7ce61a4f5dcc1d48ecc98ef21042d6

SHA1
e84e24d03f46b6082277aba3415833b14e948f7c

SHA256
53b9cc89f5050c802418b73b9d45efaa7edcc8081b9f6d6c0c34de7f610d2c6e

SHA512
5fd2b40f4b8d2ee4eaf2fc3a7ce0b7b46c8624aa192a5dd1fc78fd156397879170b97151a09f70827f8e5226aa244140777bf2fecc827ac3f8ae48c36c6b8ce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e13c5e432d3fe5d001a1de677197453e

SHA1
3c314d1ff21cad9ae0f49082e37ee61ddab83981

SHA256
f073dc65fd5551b9b6af662abcd9f0b02abdc95a46f877ec553a96f30490fe0f

SHA512
03521c711d3186fb50001aae425fcb7dd1961a8a22f23eea2f066fbeff0bf9f5cb1ac7762dbee78b85b0d4a0a8a39dfd90e6ccae77bafd0cdca2608ae73b6414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
900f2e5daffd8bcd7d285b00fc195cdf

SHA1
9d0f56770efdad758bd5c029468856630c5311c3

SHA256
e0f26ac0fc5bc79eeec42fcc9316ecbfa07dd80b8d05ecc5f69c0f476ff3d6f8

SHA512
8a5f01cf9754fdbb8b5637116e05f0f0375b47f1eb6e75142610f5971dd586923050cebde1909ed7cb18cbdcf09004644e5b74f593bcf6ee86bb94d249874874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3db637a09c141ba53a7270592ec421b7

SHA1
274a9ada548ee98e0bcf0f6aae9ceefca47ff20f

SHA256
d284fbd4bf1304eab876b63953459aec87dd138c516472500fbfa053a94e3196

SHA512
cd40247029ac0f410cb452d4637f479318ffb29cf537fca6995dfc4e6af75a6f8fdd1c17d997a87a9f93a0515629b8c13402e101fcc53fb02b808c4730aa0667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
05fe8895e865d4fc65194acae7c73bf6

SHA1
9fe7f138b241c91b97505b28033422f0a5e27bd0

SHA256
278e153e2642d6b9862aaf08e017a21f11e250190c78e75e6e7302ff6bea11f3

SHA512
abf44b2c29623a48a3ece8959d760f5a241d12fba176ab9110a011d80a7e00d3bc8b46ed85eeec06e0af8c9a425556d725c369a7f777c35c81e487e9e42008a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
29f741e3adb85b6d1e6d3c4e88c1f6a0

SHA1
dd46eae138ce8e0cf584fc33b409ab250299c8fa

SHA256
c645fd995069c99015da4f0ca466ccbdc25245d534c77b939c9f2fed6e83ccae

SHA512
752c44c4757b3838e2c3f315f65869098fff81d3c172e76b8aaeedd358d22905c5f49c8ca5d60b1102dfec95299a685a85fa24d9dba8137b6b6d2ff98c3ecaad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
e10e78121d5417804d21415ac2ddf637

SHA1
5362ea45df66f6dd65ed7a812d25fa4dd2010d0d

SHA256
415beb3ce6941b7e0241485be208dd752dd276b3ba37dcd1b8b6ac9b8bc1f0cd

SHA512
57d56c7db9dde7c2c63b80b1707ec84af7fa025ae399747ae8b5e0623b74f45bb3d980bfcd0ec97e0c0ba086aa35eb5223b87fab71809024bf1be2cb96402acf

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit