Overview
Analysis
- max time kernel: 102s
- max time network: 121s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-07-2024 22:45
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: YouTube-Music-Web-Setup-3.3.12.exe, win11-20240508-en
- behavioral2: $PLUGINSDIR/INetC.dll, win11-20240508-en
- behavioral3: $PLUGINSDIR/SpiderBanner.dll, win11-20240611-en
- behavioral4: $PLUGINSDIR/StdUtils.dll, win11-20240419-en
- behavioral5: $PLUGINSDIR/System.dll, win11-20240611-en
- behavioral6: $PLUGINSDIR/WinShell.dll, win11-20240611-en
- behavioral7: $PLUGINSDIR/nsExec.dll, win11-20240508-en
- behavioral8: $PLUGINSDIR/nsis7z.dll, win11-20240508-en
- behavioral9: $R0/Uninstall YouTube Music.exe, win11-20240611-en
- behavioral10: $PLUGINSDIR/StdUtils.dll, win11-20240508-en
- behavioral11: $PLUGINSDIR/System.dll, win11-20240508-en
- behavioral12: $PLUGINSDIR/WinShell.dll, win11-20240611-en
- behavioral13: $PLUGINSDIR/nsExec.dll, win11-20240611-en
Errors
General
- Target: $PLUGINSDIR/StdUtils.dll
- Size: 100KB
- MD5: c6a6e03f77c313b267498515488c5740
- SHA1: 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
- SHA256: b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
- SHA512: 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- SSDEEP: 3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (7 IoCs)
  Processes: MEMZ.exe, PIDs 1996, 1496, 3176, 1632, 4764, 3280, 4364
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: MEMZ.exe opened \??\PhysicalDrive0 for modification
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: WerFault.exe (PID 956) handled the crash of rundll32.exe (PID 3448)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: chrome.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: chrome.exe
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  - Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643476114540683"
- NTFS ADS (1 IoC)
  Processes: chrome.exe opened C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier for modification
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: chrome.exe (PID 3384, 3 entries); MEMZ.exe (PID 1496, 61 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  Processes: chrome.exe (PID 3384, 5 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: chrome.exe (PID 3384), alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (32 entries each)
- Suspicious use of FindShellTrayWindow (36 IoCs)
  Processes: chrome.exe (PID 3384, 36 entries)
- Suspicious use of SendNotifyMessage (14 IoCs)
  Processes: chrome.exe (PID 3384, 14 entries)
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: MEMZ.exe, PIDs 4764, 3176, 1632, 1496 (2 entries each)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID wrote to memory of target PID):
  - 2692 rundll32.exe -> 3448 rundll32.exe (3 entries)
  - 3384 chrome.exe -> 4368 chrome.exe (2 entries)
  - 3384 chrome.exe -> 492 chrome.exe and 3384 chrome.exe -> 4684 chrome.exe (57 entries between them)
  - 3384 chrome.exe -> 1540 chrome.exe (2 entries)
Processes (process tree; indentation shows parent/child relationship)
- C:\Windows\system32\rundll32.exe (PID 2692)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3448)
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 956)
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 536
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 232)
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 3448
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3384)
  Command: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4368)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1b6bab58,0x7ffe1b6bab68,0x7ffe1b6bab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 492)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1540)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4684)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1276)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3136)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 904)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4184 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4816)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2908)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1596)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2664)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe (PID 3616)
    Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
    - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe (PID 4056)
      Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff766b6ae48,0x7ff766b6ae58,0x7ff766b6ae68
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3416)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4384 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2676)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4400 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4088)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4760 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2044)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1384)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3404 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3468)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3432 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3528)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 228)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
    Signatures: NTFS ADS
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1304)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4984 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3184)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4948 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 568)
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1804,i,7782084779196333590,18227252647463228644,131072 /prefetch:8
  - C:\Users\Admin\Downloads\MEMZ.exe (PID 1996)
    Command: "C:\Users\Admin\Downloads\MEMZ.exe"
    Signatures: Executes dropped EXE
    - C:\Users\Admin\Downloads\MEMZ.exe (PID 1496)
      Command: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Downloads\MEMZ.exe (PID 3176)
      Command: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Downloads\MEMZ.exe (PID 1632)
      Command: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Downloads\MEMZ.exe (PID 4764)
      Command: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Downloads\MEMZ.exe (PID 3280)
      Command: "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      Signatures: Executes dropped EXE
    - C:\Users\Admin\Downloads\MEMZ.exe (PID 4364)
      Command: "C:\Users\Admin\Downloads\MEMZ.exe" /main
      Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR)
      - C:\Windows\SysWOW64\notepad.exe (PID 1644)
        Command: "C:\Windows\System32\notepad.exe" \note.txt
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 3476)
  Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads