satana | ee6d8f24bcf3b55b57b9ecf1e3345a5d1b5fddcad9f343acf9fa5022d26a9c5f

Resubmissions

30-08-2024 18:45

240830-xehhsaygqa 10

30-08-2024 18:24

240830-w19zgsygrk 10

30-08-2024 18:20

240830-wyy47syfpm 6

Analysis

max time kernel
302s
max time network
312s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware-Samples
Size

318KB
MD5

4d769fef0ba5e506272a7bb3d8af5bfd
SHA1

a3c8707909f41971591bcee631f9b6c4e8d00409
SHA256

ee6d8f24bcf3b55b57b9ecf1e3345a5d1b5fddcad9f343acf9fa5022d26a9c5f
SHA512

426ff4366a019b0222748a0a41d2d8a851f11b56605dc6e4f6d589e38618bdcda3b1fc86c15435578088c66b9d08bda41158337a3c23a764366a05f7278a3d60
SSDEEP

6144:s/oWF3uokeOvHS1d1+CNs8wbiWQA9AvZJT3CqbMrhryf65NRPaCieMjAkvCJv1V0:qoWF3uokeOvHS1d1+CNs8wbiWQA9AvZz

Score

10^/10

satana bootkit discovery execution persistence ransomware

Malware Config

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana

Executes dropped EXE 14 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1260	MEMZ.exe
3224	MEMZ.exe
3704	MEMZ.exe
3620	MEMZ.exe
3484	MEMZ.exe
3472	MEMZ.exe
3576	MEMZ.exe
3600	MEMZ.exe
3192	MEMZ.exe
3480	MEMZ.exe
2008	MEMZ.exe
2748	MEMZ.exe
3292	MEMZ.exe
2244	MEMZ.exe

Loads dropped DLL 2 IoCs

Processes:

MEMZ.exeMEMZ.exe

pid process

1260 MEMZ.exe
3600 MEMZ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\lapf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

109 raw.githubusercontent.com
110 raw.githubusercontent.com
111 raw.githubusercontent.com
108 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exeMEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
File opened for modification \??\PhysicalDrive0 MEMZ.exe

flow	ioc
109	raw.githubusercontent.com
110	raw.githubusercontent.com
111	raw.githubusercontent.com
108	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe

description	pid	process	target process
PID 4012 set thread context of 292	4012	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe

Drops file in Windows directory 1 IoCs

Processes:

firefox.exe

description ioc process

File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico firefox.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	firefox.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MEMZ.exeMEMZ.exenotepad.exeMEMZ.exeMEMZ.exe683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exeunpacked.exeMEMZ.exeMEMZ.exeIEXPLORE.EXEMEMZ.exeMEMZ.exenotepad.exe683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpacked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8775BA1-6700-11EF-A6B8-D6EBA8958965} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 3 IoCs

Processes:

firefox.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Ransomware.Satana.zip:Zone.Identifier firefox.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2596 NOTEPAD.EXE
3584 NOTEPAD.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

MEMZ.exeMEMZ.exe

pid process

1260 MEMZ.exe
3600 MEMZ.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Ransomware.Satana.zip:Zone.Identifier	firefox.exe

pid	process
2596	NOTEPAD.EXE
3584	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1652	chrome.exe
1652	chrome.exe
3224	MEMZ.exe
3224	MEMZ.exe
3224	MEMZ.exe
3224	MEMZ.exe
3224	MEMZ.exe
3224	MEMZ.exe
3620	MEMZ.exe
3224	MEMZ.exe
3224	MEMZ.exe
3620	MEMZ.exe
3704	MEMZ.exe
3472	MEMZ.exe
3704	MEMZ.exe
3472	MEMZ.exe
3472	MEMZ.exe
3620	MEMZ.exe
3620	MEMZ.exe
3472	MEMZ.exe
3484	MEMZ.exe
3704	MEMZ.exe
3484	MEMZ.exe
3704	MEMZ.exe
3224	MEMZ.exe
3224	MEMZ.exe
3620	MEMZ.exe
3472	MEMZ.exe
3472	MEMZ.exe
3620	MEMZ.exe
3704	MEMZ.exe
3484	MEMZ.exe
3704	MEMZ.exe
3484	MEMZ.exe
3224	MEMZ.exe
3224	MEMZ.exe
3620	MEMZ.exe
3704	MEMZ.exe
3704	MEMZ.exe
3620	MEMZ.exe
3472	MEMZ.exe
3484	MEMZ.exe
3484	MEMZ.exe
3472	MEMZ.exe
3224	MEMZ.exe
3224	MEMZ.exe
3620	MEMZ.exe
3620	MEMZ.exe
3704	MEMZ.exe
3484	MEMZ.exe
3704	MEMZ.exe
3484	MEMZ.exe
3472	MEMZ.exe
3224	MEMZ.exe
3472	MEMZ.exe
3224	MEMZ.exe
3620	MEMZ.exe
3484	MEMZ.exe
3620	MEMZ.exe
3484	MEMZ.exe
3224	MEMZ.exe
3704	MEMZ.exe
3704	MEMZ.exe
3224	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

chrome.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeShutdownPrivilege	1652	chrome.exe
Token: SeDebugPrivilege	2032	firefox.exe
Token: SeDebugPrivilege	2032	firefox.exe
Token: SeDebugPrivilege	2032	firefox.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

chrome.exefirefox.execscript.execscript.exeiexplore.exe

pid	process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
3112	cscript.exe
2376	cscript.exe
3452	iexplore.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

chrome.exefirefox.exe

pid	process
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

firefox.exeiexplore.exeIEXPLORE.EXEMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
3452	iexplore.exe
3452	iexplore.exe
3972	IEXPLORE.EXE
3972	IEXPLORE.EXE
3704	MEMZ.exe
3484	MEMZ.exe
3472	MEMZ.exe
3224	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1652 wrote to memory of 2652	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2652	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2652	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2668	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 480	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 480	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 480	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe
PID 1652 wrote to memory of 2900	1652	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-Samples
1⤵
PID:2116

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1756

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\memz.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6879758,0x7fef6879768,0x7fef6879778
2⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:2
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1304 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:8
2⤵
PID:480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1488 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:8
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2032 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:1
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2120 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:1
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1956 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:2
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1944 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:1
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:8
2⤵
PID:1872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140347688,0x140347698,0x1403476a8
3⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3676 --field-trial-handle=1292,i,10842366452921117383,3809685714195311234,131072 /prefetch:1
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.0.108184472\704786033" -parentBuildID 20221007134813 -prefsHandle 1200 -prefMapHandle 1148 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf6c3728-6ad4-48d2-a26b-a609a65db9aa} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 1320 10eef158 gpu
3⤵
PID:1644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.1.141810938\213589665" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0fbefc8-7c91-4cc2-bc19-8fcf9b760e9a} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 1488 e71e58 socket
3⤵
PID:2536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.2.1819712323\1125073092" -childID 1 -isForBrowser -prefsHandle 1984 -prefMapHandle 1980 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b5c0076-edf3-41ac-9f05-4887af96ba84} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 1996 19b8d258 tab
3⤵
PID:1344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.3.1841564072\663717887" -childID 2 -isForBrowser -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bfac82b-c0cd-4941-9600-7ae2843ca8c1} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 2452 1bb9d858 tab
3⤵
PID:584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.4.487507257\1327725017" -childID 3 -isForBrowser -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e885e216-965e-4c88-842b-ac06f8ec305a} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 2940 1bffc758 tab
3⤵
PID:264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.5.2081708227\242885113" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3888 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c79ec53-bece-446a-be16-1a5af3cab6eb} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 3916 1f95b858 tab
3⤵
PID:1488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.6.1180233003\805306800" -childID 5 -isForBrowser -prefsHandle 4124 -prefMapHandle 4064 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82330522-5fda-4dd2-ab87-39a8b1fa88e7} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 4112 1f95c458 tab
3⤵
PID:1592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.7.1842274408\1645131142" -childID 6 -isForBrowser -prefsHandle 4196 -prefMapHandle 4200 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a50d734-6852-4baf-8df4-812bfc79e472} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 4184 1f95e858 tab
3⤵
PID:1952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.8.1321753036\594973821" -childID 7 -isForBrowser -prefsHandle 2636 -prefMapHandle 1872 -prefsLen 26630 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dd5310f-173b-486d-a365-ae5d3710f80b} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 3900 2357eb58 tab
3⤵
PID:2888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.9.1192864336\1081959367" -childID 8 -isForBrowser -prefsHandle 4776 -prefMapHandle 2636 -prefsLen 27070 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b185d9e7-1f23-46bf-a845-bf52751ec0e6} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 4756 22b3da58 tab
3⤵
PID:3316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.10.141773642\1492782447" -childID 9 -isForBrowser -prefsHandle 4812 -prefMapHandle 2636 -prefsLen 27070 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b5ab362-5abd-48c3-a09b-c1e4fe04e524} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 4924 235cbe58 tab
3⤵
PID:4004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.11.1906691753\1276851078" -childID 10 -isForBrowser -prefsHandle 1156 -prefMapHandle 5304 -prefsLen 27070 -prefMapSize 233444 -jsInitHandle 684 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d8e5ed-91a5-45a2-9d46-f74b53c4257b} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 5292 21f83958 tab
3⤵
PID:3728

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\memz.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3584

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\Ransomware.Satana\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
1⤵
- Modifies registry class
PID:3644

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\Ransomware.Satana\unpacked.mem
1⤵
- Modifies registry class
PID:3716

C:\Users\Admin\Downloads\Ransomware.Satana\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
"C:\Users\Admin\Downloads\Ransomware.Satana\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4012

C:\Users\Admin\Downloads\Ransomware.Satana\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe
"C:\Users\Admin\Downloads\Ransomware.Satana\683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.exe"
2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:292

C:\Users\Admin\Downloads\Ransomware.Satana\unpacked.exe
"C:\Users\Admin\Downloads\Ransomware.Satana\unpacked.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
2⤵
- System Location Discovery: System Language Discovery
PID:2092

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\memz.bat" "
1⤵
PID:548

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:3112

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1260

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3620

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3576

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
- System Location Discovery: System Language Discovery
PID:3916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=what+happens+if+you+delete+system32
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3452 CREDAT:275457 /prefetch:2
5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\memz.bat" "
1⤵
PID:3640

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:2376

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3600

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:3192

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:3480

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:2008

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:2244

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
- System Location Discovery: System Language Discovery
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
363B

MD5
6108fbd8d23b37c1d7cf3e6aa226cd51

SHA1
174482e99ccb7285e06a6eb2024c985d3c0e3645

SHA256
5116389cbdf33d134a6bf4199f8bae8f0033f7ba77fc3c259a3698ecaabd4323

SHA512
b2d0062dceea35e80fc163d3c56ba7a5c47a64400ca48c08212d86123ca1b6d0c6071f0e2dbff40470f9e7b96bad224cdd62bad901b4e6a1bd715c6fa84ab64a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
3c453eb1751c38d24c7bf54905137157

SHA1
853773c58638d7eefb00a299ac6ed0a30604a883

SHA256
349d7a9cdf5c17596c92d692074dbd8d93af6a133c0a25cc5c0ad7decc045de9

SHA512
af8d1cae5884474ebd235de81befdaec131294a1ae06a1a6cd880bd2c48d113bb1867072be470181987831eab4e395a992b8ac07f7392e3827c95c5809dae565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
321KB

MD5
6641fb9a850ae31b08ccf1337849007b

SHA1
6d620da17b6377c5f428e5c55586db7268abd406

SHA256
2648b7cc8882f7f1448b59cfb1f6303bd34eda7d686ef174af388a2e07602a01

SHA512
36f0d84bbb26a8b37deb25b058ecdb0cdd664eb4581f35944b79bdf5479a4060f19cc98f1d06416bd98401ba64ba6890de7d7b6d34af5aeaa9d5c1276a4e62bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cd61636c-86c6-404e-a999-7929a8424430.tmp
Filesize
321KB

MD5
4606ec3f2020c016307e714d52b27176

SHA1
7219ff1d4bc099e90fe0c591698d5a90d8702944

SHA256
a91ec825756e43f9855f90fa0cc1fe0e1c038e842fedc18e082ef8281930ba24

SHA512
b258e030150b29d6ca1c7ec42242fc12ba71f49799d056ca67fabababa960f7c4b5f7eda72b9c8ced5ddd484c926699df443fd68fba7d869eae8e95c609835c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\activity-stream.discovery_stream.json.tmp
Filesize
42KB

MD5
c9c736a0173890e9ae94f75c14f46d5b

SHA1
35fc2631d4c9f0d9e29319bd4aaa8cf66a81157e

SHA256
a4fac58bbd75bb8fc84d2f13bdc36efa05bcce8aaf74d3884b4112df894ba4bc

SHA512
071d969eb9dd945fbafdf608bbbb317438316c73f6bce4d67aba3053fe18aa564e89822e93fc722b103cd61ef06aa7c79e8cd2dd5c7e6b748d1fad4341b968ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\cache2\doomed\10843
Filesize
13KB

MD5
d5caa1adf52012f496ae5af649cba61a

SHA1
4ff92255676d2a130c348df4833c96cb717d7f2c

SHA256
7df9d3753d66163f1e83528a73e6e02de6542739ddc3b8da85fffeab506261d1

SHA512
c37025e40350584717ea8eb39d32141a058170b511d2184b3c2be9f2fae69a44b651a6ebb2256ad13d8056685d3802955c1c7909593e74a0851b5dbe14d537a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\cache2\doomed\17146
Filesize
12KB

MD5
ec6e16b1923deb9ace79387dc574b957

SHA1
12348d797d96a588683c8c3c74b94d1e1ae8aa72

SHA256
5fd5b1be6b5f0e4f299b09d9391fdc5bb35cd54d7a85addccf8ebe7a979beafe

SHA512
fbd21226c81911fb0ffc54145412b2732e40dcd599f5abcc31a3ba8ffd980bc2884358ce8942fc31c9ea49901f439b6a9e5cb24d97101a4027fbb8f391e912a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\cache2\entries\AD8185C100979BEE2403BB5F3C0072BB1D314C2E
Filesize
33KB

MD5
c740c5ad4d3d1c0cbb4169af38b2c881

SHA1
d5f04ab8e429ed3632d11c065d7a9db3ae03f815

SHA256
2678eb1771d823926f14311733c7fba698f0416377f0de28efb5488d44faba13

SHA512
51b78a63e61d419957fab92a9d43df8a9c84b05cc3e68e22c38f03709d0537477e07edea9ac1cd5ecdc1f63b1d84b91662ece1a6a1cb3c388fb0eae9a13e69c1

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
19KB

MD5
d3e0927748cbb7b5241c8014378f8371

SHA1
2f54011c73c9dbfe0d19776a14a04ee306f57053

SHA256
df40efb1e9cb0087ba76e50a110a9759b15ae164fb38245fc533ac157a220051

SHA512
9eecd237430b9ad52fc9e006d48203f04fa82f22e5d4a1763fd067450299ab5b68833ab9bab0e90ee6dda19fdf00fd206b03faa5d27b771fc419b596cd95ffd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
3ed85be34c53dae76afa169e7b700795

SHA1
30a9f3116b39239182da0e4e1f380b9b42109dd2

SHA256
d4081a3aaa8dc30bfae7fa3816cf0d547d17ddfaf7ac17bdab43b64dfb8e8898

SHA512
b7148713991ed6cb8f13ae14e91978f3ce77c19cad52ec227f5adaf96982c5264b57a6b362c104dbca68438980273dff83d1200f341a48472c87021587f0ecbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
7a08c2b030244eb8c57b14f39a6e62c8

SHA1
8e35176f4605c26db2cf9826c5fcee6861fbcedb

SHA256
bd44fd4709dee1436010c46365b5b0e3fa47c2cf0cf95c67d0b24748f14823b4

SHA512
9003c6039010a4eb2e4b5edb5b8cd0b9753e05d96a6a36404ef3d40f852950589b70617ce690c61e3da113ea0946c47d5eba8593e5c0b4917073652a985a9ca4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\pending_pings\d88f547e-80cf-40c0-9a50-33239be02e4d
Filesize
745B

MD5
2d62591c1c9744e9bf6ba78b3a95b1f2

SHA1
ecfefa907a9dd9abf2843e73d654089d760aec1f

SHA256
ba3519d404f87f9f507ab9d4e61d1dd22f298ed24959f4f81ee5756491c6b75d

SHA512
c705ff5076dd1904855256f6b81fb5de723553591d6adde4b4540ad1492a5909608f163c956c9485602a8d098fd773d22231028ba003a61ae56e2f6ec966fdb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\pending_pings\e44a8012-338c-45cc-8124-edfed9c3b257
Filesize
12KB

MD5
5c319430e3249681821b1a83b8d93551

SHA1
1b72379494af10d37ff4be5803df4763e051adb8

SHA256
9c6aeb38bc0cebe248eba349e1ea10a484f7899298582648b20f247bbfba6afc

SHA512
658d5432c9ae64b887a3c7eac097da020cdca2d2b695ef076321397a2fcde74c89cee702f1805583842abae086b03337ea4db5f34908d2756c36ce5f24d3ed9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs-1.js
Filesize
6KB

MD5
b71ebe79a5daf18f8bbe29770daef9e9

SHA1
f14f3ce7772e67a3edc1d67e6ae08f5bc06ca49f

SHA256
c4a590cc6a50d3a9207d24e099fa6e0b09bfd6a5e920fc18d107ad64d404c2e7

SHA512
2ac94ded444a4237954305fea13c1e03719a3042c63f35370d801518cd14881b51ff3a188a70178aec366b24d6fca7915e30cdd01a27441aae6a973136e31e65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs-1.js
Filesize
6KB

MD5
0ea999d809c761d6cebedc35c4cc863e

SHA1
cf788177ac540ec39336622697bf85564e8a559d

SHA256
83431584217c986f63889cdc1767fce66836030a7743c73a39d6e1e9058f1d61

SHA512
4f4ee4472cc2f4a2b83613fbc4c7c02162f813f86c8cfe0d4a00fcab2a08024ba6c4d68b455f0e7aaa9dbe1e7cac6b317553fbe529b74d493bb7f79a373bfff1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs-1.js
Filesize
7KB

MD5
e4b3535589f032337c8fcdf12506ab5b

SHA1
8670dee8a17ff1b79bd96ddf9d0d76332ef43867

SHA256
0dfdce75dbe19145c75548bb202dee1922df80bf3659b30fd39e84c723bca5a6

SHA512
9957592ec827fe5a5a78aac0fe51f3f5d652124cd7e13140e7276c18b4f99754f6b7d6dfe762479635693fdd02d818f25524a5a5c2be739dfebd352540d285b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
87f03a105dc53a2205e13d0f64114498

SHA1
484dc98c2d6ae2cf695a94aca9c293953e23873c

SHA256
7faf751b0c20812198195b6e24326f77614957879ff8cd3cb983a39261339f84

SHA512
5463edf26a04c7882a5cec89733084cfc2779a212712d63d877646f0028866abb5eb98b0a0e39faaf4ee62c9415612d890cff4da72aa85ead28b8bbbdcb8bb17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
1fe45b28647714feb6a71b7501ac4f7b

SHA1
ac3c325b5430bef77180bb5a87a409a280429024

SHA256
983242c3191f6578375e245638c4990a13ff549dbae868ddffd4c7a9b3ca0224

SHA512
e3fbc0a2f365f76336567c3e59d77983dec41273a785535c94357b3b7cc911078c145b5b2bdd0b4e00a3bdab899b4c24955ccf43bef1b2fa6bcb4dd4fd49171f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
c98333625f07adfcbd23c3ec75f06688

SHA1
c56d819042e2f388ebbf17fa64ff2423c6e37476

SHA256
4b95a395f93ae5e791e289811d1a98c16ee3af1f240047406f2da06dc7f68ef8

SHA512
5df7afd52841b9ae0337d43641c7dadd72868459658d32e9028937b8fd01c2e7a190008f1b994dd9c6187ff37db37c0a8730dcee5ceadc85c090e2b0da804501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
661a74cb443b49cff3079bff3d002d27

SHA1
7dc9750386e088739882438497d23dd6330bc45e

SHA256
701a20ebf169877c6c9a8fd46a3f93dc1c44cb819f8bb890acf576ab1c4f6196

SHA512
0938f294de24820b1a7cbba0793de15cfc890dc5bd20c4041ebcc4a664e5ed7325aefda567d78224695cca396dfb127b20e9f0f7616408833b7994784873dc44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
be0573efc6f190b828c21bc7e5cdba88

SHA1
f8c418368b7ee966da9fc622d1cf4b8b66598876

SHA256
218a29ac3d912db61ae9a5fa1ab0513417380a905c697f06e96f39fbbedaae60

SHA512
a90f309d40d0e50681ecf9437d30ba5a070ae02c0e9d85584ac5d4044e0690ba1729b175e357643839d744fbe54fa99867ce9ca63c944027446d8c27c4ea508f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
8a43465611b583b6283b36370846770b

SHA1
2a2bd021ac983fc11a6619d49d8b2381f3be56f3

SHA256
57140de427a080e3303cd14de0a20cfb7462683ab8e4c090318c0a2d0335670d

SHA512
a51ee406148bf91ffaba20d38954d0e91c5102d8092ac0e178142995ec08acec5e122c2fb0c41a3328ba56b5125519d889caaa0a7f666f9523b46a2162ec8c86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
59ebd1130c0d155017104c270bccf349

SHA1
785f176482644178a89041c1644f5d72f69d8c77

SHA256
72212929b99b6c752918c469e0c3e64d03a909f770edc91972368250972d11fd

SHA512
028e57aa5bf62417ff560aa9876986f440e2e9222eed8f3301b5dddc51358164681eded1cbb5f43fda24c4d411e40881b65b5da16ccd49effd7761cb612dc0f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
9767090e414b58074e8d53bcd071f2cb

SHA1
33d8ae13b21facddab5feb2f275de743f28175cd

SHA256
925d2d22ca2bab7a5a581d3663589de60486a3b95f586f3c102fcc1112ad6c4e

SHA512
ae496bdac6997b4814dc7daf0e582c3cc5d2a3aae28442a2d61607d6747be38c0e339bf9745247e9bdb3a09ad9b197e93861f2305587711eae2677381d31bcb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
43d52647cdd7f7ca9a3a6b2f5a986a8e

SHA1
561c4312e48c0710c69162af7c5a9a3cdcbc8dc0

SHA256
35fd2950a72ccb6dbba8a8fe59c8d42eac5bbd12b149d368e462eb6737139609

SHA512
a48a7a35e3e86818cb93bdf1e045d219bd06806c0562489a52242fa74e5b21cb73e5f89d41cdb526314337a236c09328ad0c8ab06c306b86e37ab7443189ef8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
e650d4a14d7b06a5faff38a5d2952726

SHA1
958f07e076f69214a94c3ebed29774f20e2a553f

SHA256
9c4d7d3c03971b7d3892d5d91b7ffd1110cb71de2ef220970430f776e351fef9

SHA512
9be4fdde44702036e307aa6999f80a68a7bc59a47d377407878070d426d2a18c00327c50217bc849eebb0221727e65966f1fe6795168e8f53a4056e48341f4bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
6c5fc24f72571cfa8c892ffbc5274e35

SHA1
58a463f935ac0cb3cba7f83b09c40639e2432d5a

SHA256
6dfcf6b8d3d92d66364e306a198d1f96dfae565546f0c6c6bfdf3f377f00cefd

SHA512
a98ceddae349169c56976f45958f15d692213686eeccc29acee17a99f5cf744ec7197fa400c6b1774b213f8e925c8d0782c7e639f20d19076f6f87a652b452d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\weave\toFetch\tabs.json.tmp
Filesize
10B

MD5
f20674a0751f58bbd67ada26a34ad922

SHA1
72a8da9e69d207c3b03adcd315cab704d55d5d5f

SHA256
8f05bafd61f29998ca102b333f853628502d4e45d53cff41148d6dd15f011792

SHA512
2bce112a766304daa2725740622d2afb6fe2221b242e4cb0276a8665d631109fbd498a57ca43f9ca67b14e52402abe900f5bac9502eac819a6617d133c1ba6a3

Download Submit
C:\Users\Admin\DOWNLO~1\z.zip
Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\Downloads\8jangu_8.zip.part
Filesize
57KB

MD5
82f621944ee2639817400befabedffcf

SHA1
c183ae5ab43b9b3d3fabdb29859876c507a8d273

SHA256
4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f

SHA512
7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b

Download Submit
C:\Users\Admin\Downloads\memz.bat
Filesize
13KB

MD5
4e2a7f369378a76d1df4d8c448f712af

SHA1
1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49

SHA256
5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad

SHA512
90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e

Download Submit
C:\Users\Admin\Downloads\memz.bat
Filesize
13KB

MD5
63c6ec6b042bcb00d2d832c0e4f25dca

SHA1
a904a7c3fc89ff497e91384a63db3282e00d31ce

SHA256
dae968f47476ef79b122e771ccd0a2bacde2ac3535f68047239682fefa3dfe50

SHA512
1454cd79a59f0603ae083abb7f3b1438e18c7858ab04dfc3df1a725cee72be48274c289d5c0a44ce415f4bdf8a2c316312453862381fdbf0f4af97a62234e41a

Download Submit
C:\Users\Admin\Downloads\x
Filesize
4KB

MD5
88e5b4c79314b367d24bc31cdf621f2f

SHA1
2a87b2085b0155bc3fe27611cc999f6899d7d179

SHA256
c6e961471ddb889b8d3d2c6be8d978a0f8f7cedcdc2276ff2e45b74af9dcc1c3

SHA512
a5e96f94837fda53ff56b5235f3bd67100f43c1da905d623121daa6296b2e6cb2b528d98cbc9712d1bfdb440434288c182bca922bc5f47d05ffa2df6a33caafe

Download Submit
C:\Users\Admin\Downloads\x
Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\Downloads\x
Filesize
936B

MD5
3c761ce22476d04f0477812caf5b7100

SHA1
abcf13660825139c4ffe61aaded89f092e651782

SHA256
401224fc27c1d33940d36dbc8b9a57a282142c345cf49736d89342ebcc7afd09

SHA512
cc30d7ad2a2ee846b0cb97a4a9bf2211293606291ddcb683d5142ebae546b5168b2143e607de8af6b8aacba3601d0e1753caa14db86e1bb6974636052c1ab6c6

Download Submit
C:\Users\Admin\Downloads\x.js
Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_1652_MHTRUWBIXHUZHQLF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/292-1109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/292-1107-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/292-1103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/292-1105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/292-1102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2092-1111-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2092-1113-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download