Resubmissions
26-06-2024 04:15
240626-evbfasxcjn   8    26-06-2024 04:04
240626-em282stflf   10   26-06-2024 04:01
240626-elpassteng   7

Analysis
max time kernel: 90s
max time network: 102s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-06-2024 04:01

Static task: static1
Behavioral task: behavioral1
Sample: IMG_3065.jpg
Resource: win11-20240419-en
Errors
General
Target: IMG_3065.jpg
Size: 402KB
MD5: 478f0b9ab82b1ee6020658d02193c91d
SHA1: 8d5452e21d3f9284a7ba468f414bb53e4baaca8b
SHA256: 6416b6784c92cd55a530ed870554f165f1035ef3ce7d820de9d0fa6b13ddb4a6
SHA512: 0220b83ddd2610c71e53bed8a30404eae7033a520c301c7dec92224b6f58589be8cbb03786ad1d40f53bd590aa18815748b258cfefe67006a58431c523359c82
SSDEEP: 6144:I6696xbMlEggdFWFMKUN5exG1PRcYgtHl274UjFnEKVqSMPESEa5ZelA6+KAQ1:I66MbMVFpUbeABR4Hq6FSMPV8A3KAW
Malware Config
Signatures
- Executes dropped EXE (7 IoCs)
  pid   Process
  2140  MEMZ.exe
  1712  MEMZ.exe
  764   MEMZ.exe
  2596  MEMZ.exe
  904   MEMZ.exe
  1056  MEMZ.exe
  452   MEMZ.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  37    raw.githubusercontent.com
  38    raw.githubusercontent.com
  1     raw.githubusercontent.com
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                  Process
  File opened for modification  \??\PhysicalDrive0   MEMZ.exe
- Drops file in Windows directory (4 IoCs)
  description                   ioc                                          Process
  File opened for modification  C:\Windows\SystemTemp                        setup.exe
  File opened for modification  C:\Windows\SystemTemp\Crashpad\metadata      setup.exe
  File opened for modification  C:\Windows\SystemTemp\Crashpad\settings.dat  setup.exe
  File opened for modification  C:\Windows\SystemTemp                        chrome.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                   chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638481495071148"  chrome.exe
- NTFS ADS (1 IoCs)
  description                   ioc                                               Process
  File opened for modification  C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier  chrome.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 4960 chrome.exe (2 entries); 764 MEMZ.exe (62 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid / Process: 4960 chrome.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / Process: Token: SeShutdownPrivilege 4960 chrome.exe and Token: SeCreatePagefilePrivilege 4960 chrome.exe, alternating (64 entries)
- Suspicious use of FindShellTrayWindow (34 IoCs)
  pid / Process: 4960 chrome.exe (34 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid / Process: 4960 chrome.exe (12 entries)
- Suspicious use of SetWindowsHookEx (60 IoCs)
  pid / Process: 2596 MEMZ.exe, 764 MEMZ.exe and 904 MEMZ.exe, interleaved (60 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target: PID 4960 chrome.exe wrote to memory of 3448 (procid_target 80), 3032 (procid_target 81), 2072 (procid_target 82) and 2272 (procid_target 83); repeated writes to the same targets, 64 entries in total
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\IMG_3065.jpg
  PID: 2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Drops file in Windows directory; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  PID: 4960
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2328cc40,0x7fff2328cc4c,0x7fff2328cc58
    PID: 3448
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1820 /prefetch:2
    PID: 3032
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2124 /prefetch:3
    PID: 2072
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2216 /prefetch:8
    PID: 2272
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3288 /prefetch:1
    PID: 5080
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3336 /prefetch:1
    PID: 808
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4496 /prefetch:1
    PID: 1684
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4580 /prefetch:8
    PID: 3468
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4512,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4716 /prefetch:8
    PID: 1888
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4760 /prefetch:8
    PID: 1200
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4608 /prefetch:8
    PID: 1384
  - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
    Signatures: Drops file in Windows directory
    PID: 2580
    - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
      Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7bed64698,0x7ff7bed646a4,0x7ff7bed646b0
      Signatures: Drops file in Windows directory
      PID: 456
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4720,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5016 /prefetch:1
    PID: 4672
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3344,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3396 /prefetch:1
    PID: 4216
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5096,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5136 /prefetch:8
    PID: 2928
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5132,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5284 /prefetch:8
    PID: 4116
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3820,i,17698489768980254194,960148840263609788,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5144 /prefetch:8
    Signatures: NTFS ADS
    PID: 1340
  - C:\Users\Admin\Downloads\MEMZ.exe
    Command line: "C:\Users\Admin\Downloads\MEMZ.exe"
    Signatures: Executes dropped EXE
    PID: 2140
    - C:\Users\Admin\Downloads\MEMZ.exe
      Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE
      PID: 1712
    - C:\Users\Admin\Downloads\MEMZ.exe
      Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
      PID: 764
    - C:\Users\Admin\Downloads\MEMZ.exe
      Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      PID: 2596
    - C:\Users\Admin\Downloads\MEMZ.exe
      Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      PID: 904
    - C:\Users\Admin\Downloads\MEMZ.exe
      Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE
      PID: 1056
    - C:\Users\Admin\Downloads\MEMZ.exe
      Command line: "C:\Users\Admin\Downloads\MEMZ.exe" /main
      Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR)
      PID: 452
      - C:\Windows\SysWOW64\notepad.exe
        Command line: "C:\Windows\System32\notepad.exe" \note.txt
        PID: 3020
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
  PID: 4428
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 3436
Network
MITRE ATT&CK Enterprise v15
Downloads