2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e

Analysis

max time kernel
67s
max time network
82s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 01:24

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-20T01:26:31Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_8-dirty.qcow2\"}"

Report Analysis Logs

General

Target

AutoClicker-3.0.exe
Size

844KB
MD5

7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1

1751d9389adb1e7187afa4938a3559e58739dce6
SHA256

2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512

cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
SSDEEP

12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

4616 MEMZ.exe
4260 MEMZ.exe
2824 MEMZ.exe
4564 MEMZ.exe
2680 MEMZ.exe
3848 MEMZ.exe
2296 MEMZ.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

50 raw.githubusercontent.com
51 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4616	MEMZ.exe
4260	MEMZ.exe
2824	MEMZ.exe
4564	MEMZ.exe
2680	MEMZ.exe
3848	MEMZ.exe
2296	MEMZ.exe

flow	ioc
50	raw.githubusercontent.com
51	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580499194604208"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeMEMZ.exe

pid	process
3064	chrome.exe
3064	chrome.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe
4260	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AutoClicker-3.0.exe

pid process

3632 AutoClicker-3.0.exe

pid	process
3632	AutoClicker-3.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeCreatePagefilePrivilege	3064	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exe

pid process

4260 MEMZ.exe
2680 MEMZ.exe
2824 MEMZ.exe

pid	process
4260	MEMZ.exe
2680	MEMZ.exe
2824	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3064 wrote to memory of 3880	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3880	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2876	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 1748	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 1748	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 3564	3064	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe
"C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8feb8ab58,0x7ff8feb8ab68,0x7ff8feb8ab78
2⤵
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:2
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4048 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4112 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4152 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4824 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5052 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4964 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3244 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3296 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4308 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5124 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4644 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4996 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:1
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2324 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4184 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:3332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3376 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4292 --field-trial-handle=1820,i,14423216955904383802,2907513870235107809,131072 /prefetch:8
2⤵
PID:1916

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
2⤵
- Executes dropped EXE
PID:4616

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:3848

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2296

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1324

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
14f3a8fbda703e6eba0ba7fb29f15eb5

SHA1
d54bb064cbb43b3eff7e07e75f6032e89232c974

SHA256
77de03c7289a831b24e2185af260f296f3ab62dd22a7f14fed77ad8a09ebf84b

SHA512
1e41da0af04ea127a48816c1b8ef025bd189cee7534045488c3b3f65f1c29db00491407042c45685a8203e5dd12cb0fb06a15eba0b7288ee7740e92446c9c27a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
1348b026aa558a89a948c01750cdb164

SHA1
81e9e777724b0301488d3cd15ded9c9148bb97fc

SHA256
c6c793537aa9001d77a514b9aad8434a27b2679e2b2e86f2a206b8762723c9b8

SHA512
f3ccbc0cabeecb88b800106816701220d165d64ae977784cd9ab2cddd16fd85bc4515f144eb3c39985ff11a776214736a972739f03b819e43b9c75cd27029dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b0d105e6bdb2d6d81468d972f67935ec

SHA1
c98f40725f50e03f7478763dc46b20f02a0b6994

SHA256
da1f36883eef807802a47b256eb665b73a06fac2945ed891a5f718cb6874864b

SHA512
29a3c4a2f23f4305fdc2ae4acf598fea665696340dbda6c9aecf34c38865a96def24029f2e1ba8a77d32c2da01fee6e9de792b4fd90cbe33ead8a216edba0503

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e8a035967bc72d18973170de91ae1103

SHA1
21fbb86d5c02f25bdc93d722ed065e899c050d17

SHA256
68cab8762f1857d006a97ac5b1184aff0fb4cca5bfa82a6b241edcbb7e896007

SHA512
dced9086c0b84f58a831f68f3bf2995a9f39623bf67d53d31796b70f4fa25bfe955dfa1c42379c3e5fe683628a279af195629db943df4baab910e25774994026

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
f15599e84f046a6007797420e7314855

SHA1
eec7825685471c05cf971c42350d582d69710fce

SHA256
2cdefffaf506a19e81154008575fb4ba73bef77f65f0f5c5d06bf0abd447006f

SHA512
69318453bb6c94513d7f5fa09198511ec842c673065ddb702df08be107f58465b40da35689e7702585e6a37020170f59dc6945b75e02a4688fb6b626d655af50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1de3b20c973e7a80eaebce05dd482899

SHA1
08ad08e9b46511906a7caa02ef179386351fb7f1

SHA256
d699efbf188e5c9d4d042320ce4c72b615722b25655fbb29129358a30926fa3e

SHA512
bde89a5d0e46a431e001fc1fc25cc8ad561ff3a3d067d6d21ad4478ea0b2bf2bf5203f5938fad92f91c2a799ef9659d9431164dc7ddb36990c1544e0bb1093c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f4c1a647c7212eee093ea2eed0a7de59

SHA1
8277d2158f3f73181f41c5a4684add8c97018c31

SHA256
5051ec471373f0eebd4f2f0e66c39cb8f49fee3751bccc987e8b2726d00cb053

SHA512
1bdfc69b065257602f2ceb0091ec3e10f71018f294cb26ec9c8858105bf4acf5376d89681e3cf6af666d68bf9fb027929ac781a57965761f5826525cec9211e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fcd10ddff186d5f77b49953a8c94b9b5

SHA1
22466ff7de24cf41023f14b039e56041a53922c9

SHA256
03ae25dede1224d32fc82e132b28af2397875bc5dedb350303d85cc3adc49a8a

SHA512
ad977975d776fd111f500229bd0b972f895e3a63feab8af151ec5fbe26a07b584de00e41ad44998dd906d8382b5e2624d3e37ca8e4c09e58eaf6059550c3d8f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a902743acb167ed85d5a0e21250be590

SHA1
d4f564644a98ad2e406652d481281c3e6c30a3e3

SHA256
7fe955856bba0e96b58c302264d6604ebf1bc9335b7997e351da8cb98b14488c

SHA512
a1c63fa6a515dcb254bad300c5f547b6b9e517c996562f9035ce59031c1f469e3bb7609197c9f9f3557e330e08a14a46dbfd482912b324dfa35db2d0d90bdc71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
d1a0c1d3827f3502da45ae23978f4b31

SHA1
06466e47520c02676b3404eb4e1889cf66ce4b51

SHA256
e5991b8074722307526f5d5701896d73d793ede8021e3ed216167c8451d0f5e3

SHA512
cbf9d0e51c56c91393cc46bf464e518b4bb0dd8bdf71358c89c6ce04adbc2538cd4ea653a39939e1fd09d7462517a2e737f8f7be3ea8ca3bee6cf2e70b6839e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
252KB

MD5
7288b4c76575cf454eea4f791421c5f3

SHA1
67bbc132da81043e9cefffd120e4bee804461736

SHA256
704cfb554772044203a4847022ce096d22b231b98089fb62c0bf66eba3f08141

SHA512
ddbef2c2ad6fe7356ea28ce1abd572ab2b263dc42d15e56ee78fbe9004a0f68ef7aee6f0aea95d79edddbfbb9635e6c3a4e90243b1d1fe8a2e3f25e1285acf8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
252KB

MD5
a46b9b7b0498247415c3d266f9679242

SHA1
f3a1e10be6cf33c044d2f9d443c1221709500fc9

SHA256
88aa8919a73aeb07a4727521fe914f3cc07e2a24af1e914a92ae0a518fe15d60

SHA512
84f87f62a8d61db9de46049cad2e004c4dd470a1059f9c9928017e8297bff9e984ea34a597a495f7f31345297559e7f321c6582b78084c743f7f5d97aa67bc12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
98f3045f87533be0ee68ae755433b607

SHA1
4d1d8c88c83b788907da8eb766795de587ec94b8

SHA256
688a5cc7ed9fc147fc4187654bdcacda9bcd2f944a82125f3f6c91f64413fb98

SHA512
7a76ae1e2c05e9712721ee3e9db0c78396b89e5f808b15499c3662ea19a68847eca0a4c50f72c812ab4f2b725a3f62689514dbc04e0c907b92eab2f0815b0690

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584d40.TMP
Filesize
83KB

MD5
8cb4765f0816dd4eb5df5604740c75b7

SHA1
f39f126ea70ab27f1eac6ad9d6783f86427c5d5f

SHA256
b77949ad8d4dcf5a263c1a9b46543e0dff10fe0cd7138610526e43ad40849350

SHA512
2f6e01877391725fecb76cac7902df61236d180051be92969ba1fa8e86b2d7106fde9e12e10bd946839b80b0d2a4d1e9b5c3af4e71eddf77698cb1cbca3734f1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_3064_AFZSZDIBRDXIDQTS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads