hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ[.]zip

Analysis

max time kernel
96s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
06/06/2024, 15:30

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip

Score

6^/10

bootkit persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
26	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133621614492583537"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]
3160	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
3316	[email protected]
3160	[email protected]
4344	[email protected]
4856	[email protected]
664	[email protected]
2452	[email protected]
1740	[email protected]
3160	[email protected]
4344	[email protected]
4344	[email protected]
3160	[email protected]
3160	[email protected]
4344	[email protected]
4344	[email protected]
3160	[email protected]
3160	[email protected]
4344	[email protected]
4344	[email protected]
3160	[email protected]
3160	[email protected]
4344	[email protected]
4344	[email protected]
3160	[email protected]
3160	[email protected]
4344	[email protected]
4344	[email protected]
3160	[email protected]
3160	[email protected]
4344	[email protected]
4344	[email protected]
3160	[email protected]
3160	[email protected]
4344	[email protected]
4344	[email protected]
3160	[email protected]
4344	[email protected]
3160	[email protected]
3160	[email protected]
4344	[email protected]
4344	[email protected]
3160	[email protected]
3160	[email protected]
4344	[email protected]
3160	[email protected]
4344	[email protected]
3160	[email protected]
4344	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 4380	1532	chrome.exe	78
PID 1532 wrote to memory of 4380	1532	chrome.exe	78
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 3068	1532	chrome.exe	79
PID 1532 wrote to memory of 2728	1532	chrome.exe	80
PID 1532 wrote to memory of 2728	1532	chrome.exe	80
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81
PID 1532 wrote to memory of 3260	1532	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/trojans/MEMZ.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3042ab58,0x7fff3042ab68,0x7fff3042ab78
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1800,i,2367618249841113662,11106127381575150120,131072 /prefetch:2
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1800,i,2367618249841113662,11106127381575150120,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1800,i,2367618249841113662,11106127381575150120,131072 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1800,i,2367618249841113662,11106127381575150120,131072 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1800,i,2367618249841113662,11106127381575150120,131072 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1800,i,2367618249841113662,11106127381575150120,131072 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1800,i,2367618249841113662,11106127381575150120,131072 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1800,i,2367618249841113662,11106127381575150120,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2236

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Users\Admin\Downloads\MEMZ\[email protected]
"C:\Users\Admin\Downloads\MEMZ\[email protected]"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3316
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3160
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4344
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4856
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:664
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2452
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1740
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5c1a5eead650b5efd95d07c0791d13eb

SHA1
2ba1664d11c80381745cd18c102a07d3a5d1a672

SHA256
e8f1b6317b9a71f960a9b908e33337cd7888088d233fe37836b9bc5a6ad2ee51

SHA512
19dbf5368278e140a892fd735b942416204430adad8c6b6e007fd128d3bde801232d7f533d45c3de6faf92d86998baf64b04403ab00cf86357287ed38e1c0e10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f370ef74d826d54c353d301a42b451a1

SHA1
5c849062ce0fb747d2849351479cdb742b33b15e

SHA256
dd95be142e26a5f8ffd7c7de120caeb8b32117a3b1795f4e7c27929a4350c477

SHA512
8bf5e1e10f74f28a33ba0cf8fc14cea43aebdf154328c21827e5190737ba402bd689dc36ad49201ea4a2f5c175307853366baf3ca4ec90c910509af23657823a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1ab856d731f358972567ed683b51a067

SHA1
4bccc5af374c855c31bcc3582681ea3800e9f25c

SHA256
e43fdcf3044661c0b7da960a5c939b33d6654a56031af1c772cbcfb6e66dc58c

SHA512
8ae87c579a70b6a297b43b8740d8a56c9bcc5bcb277d731a3bf82ec57f0d3b2c161ad0394defdb770039315506bf94fa419c8f39f05c8dc2f7f5ef9ef905633d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
849f283c2a221e8f29d3f11207c6884a

SHA1
83d646be57f9bea08ac732213259bc9a24c05b6f

SHA256
9f23540d14fcbca913e5e7cfb6f26e53c35ebddb39fc74d7482e5435f73b876d

SHA512
887ed599e4ad3d9d51e4a65ee2ec99a32ed8d946ab852dd9b4a02fc9e0af20758e61ec70e35bd43ac2beed5f3ff422a6625091e877b92274abd27f0366ea78ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e29a065c9e5a84d17cf9cc7876b5c7ea

SHA1
d38ad19ec0bf6b22326c36224d49520126d51a09

SHA256
aeb8683b1b2c6e09648bc4667d394d6ba6d250a8d09d603ae500f9e514ee52a1

SHA512
8538040d7ee647d30df370ab66c7d959b7a25d99264d32e73f3c77e8a00dce87c858d4bbab82d31b93460c0fb930501bb8f027a9a0b75dbd548cb03d6fe0e35d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7486124e3a92da4b2a6c234bf7b4ff71

SHA1
01bfc0c440fee51bd300db93279aeb117f4b74cc

SHA256
95be6704ebec11871e09497cf565e21bf51cc91b6909f0564d2589d586416b8e

SHA512
a63c88f5be9ff39fe23f0ffb19f03b15d3de321d025cb70f3fb9176ef084a92400db9e4207945dad6190b9e4a1942b9cdbfcf7d0318ccedd2a854ce86da4ccf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
1f005c42cdfe88e4a23e1d1d284ada2f

SHA1
57d3b56f7308074d8306b8f1ca4d9f0f2b69043f

SHA256
4e469d99e2222bd96ea12e951a1e2ab74271308120402019e62e4ab93271633e

SHA512
fc9365b70b75544f7fd86aa7f9743ec38d0932f6df9df1bd64034d76bae5d4d1e7398a21d3ef6a54771726f85e56c0bb392bf17212ad6765f7be812b5d2537a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
3e9558b0f48ae87cf5174cbd35ad6462

SHA1
6d11b47121f74534375557906a43c2450e457966

SHA256
d78fc7f1efe7c3536344b9e9a232e8f92c93c2dbbaf83e610c0f3ab7d0d907aa

SHA512
d970b6954455e2a0c74ede8055b67c475a6a8f10c7f5245c5f8c78107df081747fbc22c3eefc965948a4b0c62fcc042cb8fdd62de194b39a67313dd3453907da

Download Submit
C:\Users\Admin\Downloads\MEMZ.zip

Filesize
8KB

MD5
69977a5d1c648976d47b69ea3aa8fcaa

SHA1
4630cc15000c0d3149350b9ecda6cfc8f402938a

SHA256
61ca4d8dd992c763b47bebb9b5facb68a59ff0a594c2ff215aa4143b593ae9dc

SHA512
ba0671c72cd4209fabe0ee241b71e95bd9d8e78d77a893c94f87de5735fd10ea8b389cf4c48462910042c312ddff2f527999cd2f845d0c19a8673dbceda369fd

Download Submit
C:\Users\Admin\Downloads\MEMZ.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads