Analysis
max time kernel: 80s
max time network: 93s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20-06-2024 13:16
Static task: static1
Behavioral task: behavioral1
Sample: zuizhz1rr5761.webp
Resource: win11-20240611-en
Errors

General
Target: zuizhz1rr5761.webp
Size: 77KB
MD5: 4eef815a57881bd5e2b46d81128fdf6f
SHA1: 82b22594624e6dd9c6118f3c8fe24f0b6342a5f5
SHA256: 24182e86a5c36b8283f96ddf34b4d1c0bef4a85922deb51c03636b1c8d67b684
SHA512: 8d9d9a325c1a8fabfdc54ef83dae950117ca027cb04b9c6b6652ac278b6f8e9975402648a06745f28783f9a2c509b89db612c152ceb7f5f2b1bb0013527d348e
SSDEEP: 1536:aAR4m2sCMQKO6GJn60J8lWmjFsWz5LgsX9jdCCaKv4m50Cu/383Ewvl:N27MmxnPJcZL5LgsX9jdvjwm5Bu/3SEo
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
  pid | Process
  1568 | MEMZ.exe
  4232 | MEMZ.exe
  1044 | MEMZ.exe
  4680 | MEMZ.exe
  1300 | MEMZ.exe
  112 | MEMZ.exe
  2940 | MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  31 | raw.githubusercontent.com
  37 | raw.githubusercontent.com

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | MEMZ.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633630173396897" | chrome.exe

NTFS ADS (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier | chrome.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; 64 rows listed, identical rows collapsed)
  pid | Process | rows
  2388 | chrome.exe | 4
  4232 | MEMZ.exe | 60

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs; identical rows collapsed)
  pid | Process | rows
  2388 | chrome.exe | 6

Suspicious use of AdjustPrivilegeToken (64 IoCs; 64 rows listed, identical rows collapsed)
  description | pid | Process | rows
  Token: SeShutdownPrivilege | 2388 | chrome.exe | 32
  Token: SeCreatePagefilePrivilege | 2388 | chrome.exe | 32
  (the two token rows alternate throughout the original table)

Suspicious use of FindShellTrayWindow (34 IoCs; identical rows collapsed)
  pid | Process | rows
  2388 | chrome.exe | 34

Suspicious use of SendNotifyMessage (12 IoCs; identical rows collapsed)
  pid | Process | rows
  2388 | chrome.exe | 12

Suspicious use of SetWindowsHookEx (64 IoCs; 64 rows listed, identical rows collapsed)
  pid | Process | rows
  4680 | MEMZ.exe | 16
  1044 | MEMZ.exe | 16
  1300 | MEMZ.exe | 16
  4232 | MEMZ.exe | 16

Suspicious use of WriteProcessMemory (64 IoCs; 64 rows listed, identical rows collapsed)
  description | pid | Process | procid_target | rows
  PID 4472 wrote to memory of 2388 | 4472 | cmd.exe | 78 | 2
  PID 2388 wrote to memory of 3748 | 2388 | chrome.exe | 81 | 2
  PID 2388 wrote to memory of 1180 | 2388 | chrome.exe | 82 | (repeated)
  PID 2388 wrote to memory of 2444 | 2388 | chrome.exe | 83 | 2
  PID 2388 wrote to memory of 4652 | 2388 | chrome.exe | 84 | (repeated)
  (the 1180 and 4652 rows account for the remaining 58 of the 64 rows)
Processes
([n] is the depth in the process tree; each child is indented under its parent. The line after each image path is that process's command line, followed by the signatures it triggered.)

[1] C:\Windows\system32\cmd.exe (PID 4472)
    cmd /c C:\Users\Admin\AppData\Local\Temp\zuizhz1rr5761.webp
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2388)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\zuizhz1rr5761.webp
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3748)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd44b5ab58,0x7ffd44b5ab68,0x7ffd44b5ab78
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1180)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:2
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2444)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4652)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2128 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 488)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4116)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2924)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2944)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 892)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4140 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3396)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4728 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2864)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4780 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 800)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2412)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4024)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4568 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2064)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1116)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 652)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3308)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4636 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:1
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1268)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2176 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2264)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4592 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2004)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4088)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
        - NTFS ADS
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1368)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3140 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3416)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4724 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
    [3] C:\Users\Admin\Downloads\MEMZ.exe (PID 1568)
        "C:\Users\Admin\Downloads\MEMZ.exe"
        - Executes dropped EXE
      [4] C:\Users\Admin\Downloads\MEMZ.exe (PID 4232)
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Downloads\MEMZ.exe (PID 1044)
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Downloads\MEMZ.exe (PID 4680)
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Downloads\MEMZ.exe (PID 1300)
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Downloads\MEMZ.exe (PID 112)
          "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
          - Executes dropped EXE
      [4] C:\Users\Admin\Downloads\MEMZ.exe (PID 2940)
          "C:\Users\Admin\Downloads\MEMZ.exe" /main
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
        [5] C:\Windows\SysWOW64\notepad.exe (PID 4972)
            "C:\Windows\System32\notepad.exe" \note.txt
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 280)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1828,i,8006771935664800173,4706139175105933707,131072 /prefetch:8
[1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 908)
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: ad97dad2fb96ead4b287c5a31a202354
SHA1: 6bdf0da7c68a152bb7365b6fed95c04775bdb395
SHA256: 428d313147be6f53ba78c3712354f1c7b4105cd32276bd80d9a25b92e1ea20bb
SHA512: c58d617237c00142c6e4a582632f3f9f7a9400ca69dc6e4eceed7d39308dd20b7cc9b2f93923244269b2ce74e34f7e2cdd6906d9029bdece96845701cb79457e

Filesize: 72B
MD5: f04092a4f722528ffe9e98e8e0a14fab
SHA1: 32151f954426d5eb4b13a25de7b6d43252a61b64
SHA256: 3155635eac6f576bb9ff21986de38e300ab84dd15343fb8b9e64b16ef8cb05eb
SHA512: d02e57f0b8a92e0331f7e1680da2752a29b92a8d3cdcc2d142252bbed95aefb14c1a08994b14e8caa3700ead47c9be47ec28e45c7c3d8c2b43d7c4205186c768

Filesize: 2KB
MD5: f3c49b6f4dec3c35e7ea9580befe57f5
SHA1: 27c2daac0cff15136ede3dc3baebed93fe09d3f8
SHA256: e50fdfbb67414d30e14f9b2bdaac94c28ab5510b6376af2651dc7c67d62fa18a
SHA512: ce706a1adf45291fc44b49e62af4ddf0cde846b040d7ba82e9622901a02e013ac9af9e33db83bee10bc2bf427075a2b312050045fa6aca7914f170bc7a7cb741

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 1KB
MD5: d08dd7b740e41796cecd545b227df544
SHA1: ae6a7e1cc4607351c54a031393e1f100ee9bf885
SHA256: 810611499a9283c939bcfe2687da8c201b24abff62b0236779128d4450cd6121
SHA512: 538dfaaad912f67967f5d2341eaae057ed3397d410e2d41249c16f9d87544b015b0bddc0524934315df2081320544d52c00490571817c747b2d175b7c08ff835

Filesize: 1KB
MD5: 9534ca71bdd4f54c79f8770996c53b97
SHA1: 231e16adf21220d8fee4ae2a76d896dcc593e858
SHA256: 326bd6c59903e1e2f3bebdd5662dcc21a01e47a645c1ab61501be37caadd41ba
SHA512: a9974a04ceb8fb696f1fb92667b193d59aa978ae4cabb710161a801d3938abb843ed4c31e3ca4efe237afd503ca2219bf2700c3c56a64532b663d080fec30995

Filesize: 356B
MD5: a491eb8886f5b7feab4c909fba26a355
SHA1: 44af9ed867be2da50e0ca08411967675975c935d
SHA256: 0637753e8ae4201b9c1b1e5a714617088ca93623106f640f507f7ca182eaea08
SHA512: 7b9973d64a5aa94d3b68d41391ab635a4a1cdb00928f2aa8ba7112d33c566d2cc4e4747c2517ba67b08a668f87d4aae8a7430fc49034254607bf7ab9f5883686

Filesize: 356B
MD5: 64c7c6061f39eae990ea383655a653a4
SHA1: fa88e20a58afb0b8eb6b18f248ad873b2fea277a
SHA256: a508cf789c5ede64e1044f2e34117e7f4cc2b966974db7268dd05adc1369c22b
SHA512: e0b9c1fece75425ab06d5857f1a25cea727ce40721b80bd2a04e2b7f8b85e62d9e388634dbbc06b9a6a4accc5ef06e7cf5f6505327fa49bed982c802c51278d7

Filesize: 6KB
MD5: 25380aabda74157d0d77584b62ff7f20
SHA1: ae4fb89225007a2f74deafa931349d647c4c6289
SHA256: 1b1f0d583b0d6d0c7d6830aae0d788a3f0d81afb2e973f0cd9e0ed6a9c1106b7
SHA512: f6b773cf089deea27c68de0937423596468b73f8654c5ac359f44c28cc5380be54b68bd8966d1fb6df697d64091bc69a41485ac43700c4cda5e7efd680eda345

Filesize: 7KB
MD5: 074e06dbd837740f78f4bffc266abb24
SHA1: ab298c75a04c20d3afe3b80d84b02f0c398355ef
SHA256: b3d25297d9d36aecb883bfab617bca80ad11583046b6eda2b913f73d894d747b
SHA512: 75206c8bf1c79939ae73e0def0073c7bc9f1a32a3b5e589b6d324d3741ec8d80066df33f6d10f5501898ea1aa698d0cfa31c47825fa2a8e726b89159ca9baccb

Filesize: 7KB
MD5: b998d8305c29e34012c2f90ea7ebe0ed
SHA1: b1ef0c8c4e9667209653360b440f5031075c7d3f
SHA256: 41124a77f9a83ac776906a53af9f44d2f9bdde1752509c1c66732d95c8e344c4
SHA512: 29f92cb37dba4ba779b02d45085a4e3ab86610d6b65766ec25291f269261a0ccff6dcb948d70b49c72b9fb2fb516da9d2c101a45dae9f63fe450a014c82b11d9

Filesize: 7KB
MD5: c6dbe4c37bcf6224a842621a90bcfc09
SHA1: b9b452191bc28c285c84acf5bd52d985a2270e95
SHA256: b01a52f25e8c3a27c396ae9cf4b3ab6b8e81cc882ca15397a3c30f3a0e9229bb
SHA512: 6b27680211e2f94d5e82f1a40ccb57d76d37420538fdfa1b24b13b412c9a68aca9e75bce4ee9915392a5733ca928719eb4eab73ad013f026f0cfc5f2459663f8

Filesize: 16KB
MD5: ae7f3f2ac15f682442f7ab8a3affdcd3
SHA1: f7f7200f35740a0e1b0f6dca557517ed6279c074
SHA256: bd6d4ee278437e2ba2659334063cd0ab8db4d244135f0fcaa00a818686693f9c
SHA512: b9ee26cadf32c3522722b8c2bdf2dff428b343fcc723be3f52d6ad5a09fb83c5624137ba019fd3f90b7573b9d8a02297a2fde4c43840649264f04e2bc7584cb6

Filesize: 140KB
MD5: cff500ea481aa0da440f803763a8ae07
SHA1: 52b0f9b8e21041070200bec5ea8a4ba97725a5fc
SHA256: a4156a6d2e1d4bf458c3c0753e3afaaf3e1b6393b0a997f3da4b46d309855cc1
SHA512: e51d244a331f66b074341dbd2a1e4af8371f8d5a6c5bb7b6b7902dcac0517dd5b83292ece6d68ae70b7485cf9c133a4cd9bed85266ed19090201bce657b8ac9e

Filesize: 280KB
MD5: a4ed00787605f6d4003d29748e0ac06a
SHA1: ed11668e395018491c5290a95e3868b34c6aaf5d
SHA256: 550660b2dd6eb778354c4ebe05c846108221073dc7fede2fb12ff77fe202b475
SHA512: 29aa2304d6d20009f5d1563b393942100779f33f30bccc8d3e47cc805d480451d3041e5116fdb3d8d5c189697de69c33329af7c857799e1afd64ab1497eb5ac2

Filesize: 353KB
MD5: 4dcfb1e7a9ba58d8b3f6af6e5a8ba3fa
SHA1: ceb0ae461f45ad0398dddf464e2787b889d2507b
SHA256: 4a46ed3fc9b1964e2f3e083bd6bcdccb8cee9930e6a3d3e70a95e8be3b3ea81f
SHA512: 4b0ed638554468fa21e7a3158aa83a2cea8d61e93378993615eb57bcd10d7140dbd2c15598bd0a8a64399c729354056e55725a3d3ed8d0851f83c52171c883bb

Filesize: 86KB
MD5: 28345cf5178dfbfee87d28623f59a2ef
SHA1: 14ad9f1f0891cb74e38b4fdd25b6d0fa6e46ffab
SHA256: 36b0e44f69347124d89e659348d4f675630f6e43a75f5f8ccd04704fa70b25c9
SHA512: 8c2663bb7944dd1722f37c04335c362be5040d844ffb1afa1ec4907ce79a9792b147164b3fb906b7f2e52ecca8f30be9f14eeab0f767eae69571e401db7b2b73

Filesize: 102KB
MD5: 9114afca5f8b289528b96f6a914d4d1f
SHA1: 41fe2ef68d8dcec42e8f2cd0af0c6b6e149f78f8
SHA256: 9a2354070189ed78af1d3e1bf12964d8ce794c74e62392a2d76137f28c11b8dc
SHA512: 55a75be4e8d298cd04b43c954cfe18d7f49459c434163ce9c84fa988eb6fec6998f8ce86d50fb9da14c8d83a1562de3c30a8a0d48ec7220de8d8a6b1b4c695e7

Filesize: 83KB
MD5: 398d735916ef50afcafb73e0fcde36e0
SHA1: 0d5e754ae964c3ac95f155bacf1c3a6b3cd285bf
SHA256: 99d0929803a3fdcceb93385c01019b2a6234640ffe0023bcac7355c5bd62ef3c
SHA512: 5ce41e1587e7d8a9e5154944021760cd7e939e85b265e11608f6215561c027fbfeb6a5314c8b05465527723e4246efd468779d92aa034bd19c91fc35d03d4a1a

Filesize: 16KB
MD5: 1d5ad9c8d3fee874d0feb8bfac220a11
SHA1: ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256: 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512: c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Filesize: 55B
MD5: 0f98a5550abe0fb880568b1480c96a1c
SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Filesize: 218B
MD5: afa6955439b8d516721231029fb9ca1b
SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf