6bfc6829a6c86f6ba652b97df5a9772e5d4c3f08a011f0553f229a2e7467f500

Analysis

max time kernel
47s
max time network
59s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-10-2024 01:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Main.exe
Size

7.5MB
MD5

3eb46bea293af2205928a34ddb51b8ec
SHA1

7d63680f3d927990eac32daa58d2bfabb1aacb7e
SHA256

6bfc6829a6c86f6ba652b97df5a9772e5d4c3f08a011f0553f229a2e7467f500
SHA512

89a5d7d2e066c7b46827272720a3f5cbe20a9fbee0cf6ee0780c1f09594e6a3b6f8b805b2411381e142321dca12170d51939d4a3b490b46a7ebd940c8bfb1a15
SSDEEP

196608:SgjXSqrf6UkWhJxe6YsdQL/neQ+gKeC3bc1I05O:ljFrfiWxtYsdQL/ejLe5

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1344	MEMZ.exe
3288	MEMZ.exe
2792	MEMZ.exe
3076	MEMZ.exe
2936	MEMZ.exe
2748	MEMZ.exe
3752	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725644345146099"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	Main.exe
2380	Main.exe
2380	Main.exe
2380	Main.exe
2380	Main.exe
2380	Main.exe
2380	Main.exe
2380	Main.exe
4720	chrome.exe
4720	chrome.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe
Token: SeShutdownPrivilege	4720	chrome.exe
Token: SeCreatePagefilePrivilege	4720	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
3288	MEMZ.exe
3076	MEMZ.exe
2936	MEMZ.exe
2792	MEMZ.exe
2792	MEMZ.exe
3076	MEMZ.exe
2936	MEMZ.exe
3288	MEMZ.exe
3288	MEMZ.exe
2936	MEMZ.exe
3076	MEMZ.exe
2792	MEMZ.exe
3288	MEMZ.exe
2792	MEMZ.exe
3076	MEMZ.exe
2936	MEMZ.exe
3288	MEMZ.exe
2936	MEMZ.exe
3076	MEMZ.exe
2792	MEMZ.exe
3288	MEMZ.exe
3076	MEMZ.exe
2792	MEMZ.exe
2936	MEMZ.exe
3288	MEMZ.exe
2936	MEMZ.exe
2792	MEMZ.exe
3076	MEMZ.exe
3288	MEMZ.exe
3076	MEMZ.exe
2792	MEMZ.exe
2936	MEMZ.exe
3288	MEMZ.exe
2936	MEMZ.exe
2792	MEMZ.exe
3076	MEMZ.exe
3288	MEMZ.exe
3076	MEMZ.exe
2792	MEMZ.exe
2936	MEMZ.exe
3288	MEMZ.exe
2936	MEMZ.exe
2792	MEMZ.exe
3076	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 924	4720	chrome.exe	87
PID 4720 wrote to memory of 924	4720	chrome.exe	87
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4612	4720	chrome.exe	88
PID 4720 wrote to memory of 4212	4720	chrome.exe	89
PID 4720 wrote to memory of 4212	4720	chrome.exe	89
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90
PID 4720 wrote to memory of 3656	4720	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\Main.exe
"C:\Users\Admin\AppData\Local\Temp\Main.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5523cc40,0x7fff5523cc4c,0x7fff5523cc58
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4504,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3584,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2564
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6ed454698,0x7ff6ed4546a4,0x7ff6ed4546b0
    3⤵
    - Drops file in Windows directory
    PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4920,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3372,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5196,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5236,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5240,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5252,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5248,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5060,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4372,i,11077721131994366547,6707160354253930849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4068
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3288
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2792
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3076
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2936
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:3752
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
58a15ef865e4ab9c053f15c3b5a5c793

SHA1
8a9c91756e8ae09c11fce6cee1916628817abf34

SHA256
dd34f57d8dcdf8144e0defbddef08c662ba69910a2d8f5301e0182e7e53d489f

SHA512
96230895d6d962cc1aef782875e0652ab27eebf9e6dc35318b73ba812fef7559f0eee775a97798d57725efa9fe8a00dc5a32fd8b35badc36d9db438db2dccc19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7c968ef9700d7b3fb605ff482aff93ad

SHA1
19ede76aeaca72c1c1c266f9fe13ad51ffcf1872

SHA256
f741ef57ea6d08711d526f831241469480c64077c54094711fe1dda5dc943691

SHA512
9e576e9c082f8c00fdb188df4052f663e7425069f67878227834eca70dd765fd2625cc9fb18a3c9e321d12ca10977fac778e88b6ac7e88758b4b449af0a1eae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c54ed8fa3559cdcf3e69f496920c8fe9

SHA1
b9c38f63d48cb2bf7f6741c801816829f05901c4

SHA256
168d2d5b9850f186936053a439dc7527d15f9150f0bf608e7ad4219be0e1f055

SHA512
c6af1fc9126db568039a10ac824f0ecb06631aa8b6cc368acd1c2e233294728cc6579871d247f5cc911b1f5c9e1361a0479d906b030a1be6e22c3221461e4bdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a5cb7dd4ab1714409bed3005e74e20c0

SHA1
e1bdda882bed4235efad6eb6231816a75281feb1

SHA256
848e4c23fa07d526a9747f61aca29008b1b76f2b712a8b4de0a3085540ec7279

SHA512
ddd9c3a020bd40d8a5ea55b07f80e1af5f70c15f9964e8af2b56c5c24fdc81c5558aba982c371d86ade433ffa66263bc1b72baba516c5609fbd0a12f6d3cf35c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e33522be5c06f24a5af77139bbd235a5

SHA1
10e597bd77dd05027c337e868327fc22aeef71b6

SHA256
0e76bee589c83e138799cc4fa04aca65c8aa6d3c9ae69a4f41af5a8de915a72b

SHA512
e364cd84a3357ffba9326c398fde941e8a94cb55498113f9aa8aaf09c1338a8e57a04e3227c064008487f530540f96269264895fc9851db2494b9c6a0df21bee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dcac29a485d5ecbe5c4cd3505f437561

SHA1
2fd181b23a6802fc6730f970e2fbc526a19fa44a

SHA256
6cbaba9cdf6a7c06622ea616956db07e64e04701be4053215361c4c18be7782c

SHA512
32da2d3455114acfb7080068f81d81414c21d9248e4e6c3b1b2449f40fa71b8f29098bfa6149f04966be1a91012769da752d2f8a7921218c447c101b52eac362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6975f89d6e650de2c0e8d8abb387ab83

SHA1
a5c3bfba90871a6b617a90734a3fae92f67274b3

SHA256
dc1d1c27f8cd36fb4058405612c3c6aa9fd98401c0a12f2888426844cf256171

SHA512
93b306d448b8bbc1857dce47e3309bb8a221bd47aa2b6be3b426a3f11410ed5f009888aba9dfc4f6b29eded74c68a4ab044aeb7dbe7f1218e19453bd03ec78f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
a48806cf6a2ec50708aacb4094f1503d

SHA1
dc92bf15f7d08944d9aed4b0ce0cefee6671df5a

SHA256
1e38ae35fef2bd41177eb503dbf9c81fe43cafc0a17c8f7e9c52ad1c7c98f172

SHA512
2193a5376c841831ce5a5284fce6cff01f1bdecb03489688591c0a9a22e90f7867cd897a84336b63e507eae28f1a443d335797e2bd6312e7bee5b33d21d14bb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ed456647-334c-4f4a-85ea-9859cd22b84d.tmp

Filesize
10KB

MD5
2f63010652969863092e16ca12d5077b

SHA1
51aeb466a697914f8341a452bda3a4c25c728c4f

SHA256
8980b2c72c7b423d90e515c05fd2ab07b864a0d4097111f5e3ed7efdece11ac6

SHA512
9388b38c3eaf509fb6530e4d00dad5783e26a02f229e012bd4365b31f81f201e5d32f57775c55ee74f63595f3845ff37bb228fd8d7fc587ff6310971263be076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
2561f2954e1ce3e9f46cf3d1270ae289

SHA1
1af6276792d687cd808f9285defb6e32674e0279

SHA256
a37d70f0aa127ed11246fde18ceb15f2a42c202dd35c6c6ead5e72658b632a39

SHA512
bd253957d2e30081976bafd3cbaa02af7499b0d6e7112c101a0f968de33dd5341cfcdf14cbe09c31579438c94361906e3c52ce45d1f613fae6e15e222e515a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
46e98f327768389d8814b0212060fadc

SHA1
99aa039a1829dece7d14d8b874f6344bfda406de

SHA256
0a55da90f6712ed54870bc4969119fa9a75db6b8c9ef756ec6bda2cee6fe689e

SHA512
b64e14141990cece60b5b9485ff539d16c1738184e85cf56b257200cae317352c051fd66ac5d2db4b3847311daf8101f726029dc6de98510d6c25c7f2a67ac1a

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier

Filesize
181B

MD5
db2a839d87c6c9124794f34234a4757c

SHA1
f03f1759c262268a1a0ba6b6dfca96ff59c9c779

SHA256
e4e03a3fd4ce91394f49e1519a34dbf68130e80d49dce28461dad8b782b9b474

SHA512
dfc1fcb5ee3cc7d95b177b375a66470715ce7191f106fc940743d3ee9a5505207dfa157980050759b840a3e783f144bdc65021a4967dc22fdd550de328543672

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2380-2-0x0000000140000000-0x0000000140785000-memory.dmp

Filesize
7.5MB

Download
memory/2380-0-0x0000000140000000-0x0000000140785000-memory.dmp

Filesize
7.5MB

Download
memory/2380-1-0x00007FFF642B0000-0x00007FFF642B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads