hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

06/12/2024, 19:50

241206-ykaksszqap 7

06/12/2024, 19:45

24/06/2024, 15:32

24/06/2024, 15:21

24/06/2024, 15:11

24/06/2024, 15:02

28/05/2024, 18:25

28/05/2024, 17:33

Analysis

max time kernel
206s
max time network
205s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06/12/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
8	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133779879861129362"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	chrome.exe
4476	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1896	chrome.exe
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]
1904	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4476	chrome.exe
4476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe
Token: SeShutdownPrivilege	4476	chrome.exe
Token: SeCreatePagefilePrivilege	4476	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe
4476	chrome.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
4648	[email protected]
1904	[email protected]
4796	[email protected]
4420	[email protected]
2692	[email protected]
4780	[email protected]
3520	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]
2692	[email protected]
4796	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3508	4476	chrome.exe	77
PID 4476 wrote to memory of 3508	4476	chrome.exe	77
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 4308	4476	chrome.exe	78
PID 4476 wrote to memory of 2220	4476	chrome.exe	79
PID 4476 wrote to memory of 2220	4476	chrome.exe	79
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80
PID 4476 wrote to memory of 3376	4476	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0de4cc40,0x7ffd0de4cc4c,0x7ffd0de4cc58
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,11204193431476966434,1761006146652929620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,11204193431476966434,1761006146652929620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1668,i,11204193431476966434,1761006146652929620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,11204193431476966434,1761006146652929620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,11204193431476966434,1761006146652929620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,11204193431476966434,1761006146652929620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3548,i,11204193431476966434,1761006146652929620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4884,i,11204193431476966434,1761006146652929620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2288

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2924

C:\Users\Admin\Downloads\MEMZ\[email protected]
"C:\Users\Admin\Downloads\MEMZ\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4648
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1904
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4796
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4420
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2692
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4780
- C:\Users\Admin\Downloads\MEMZ\[email protected]
  "C:\Users\Admin\Downloads\MEMZ\[email protected]" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3520
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ff0f1af7158e1791f0a8ae9a95bf25a9

SHA1
12f045939221089809f136dc9907175fcc52b35c

SHA256
93f43c57de908e00f6c345e894afdf0f4a17b66b1276ca13509de43a473d54ab

SHA512
a547fd78916f1784fbd1dc9f79631e316f8fdc021665ac26e3f1839b8315033b17fd054fa0a7bebdd6d83b8412d446b0d9a93bddc59f086d9121381ec903bb25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f37472d255358a15bea89ab72cb79d70

SHA1
e9c6007bb58eba4346b9883629fafc3dc098a115

SHA256
4525e65f102196ac3f957c578eef592f73a5e3f57a1016ee02e37e9261bc0585

SHA512
53854ba970a71322abe00d1ed95e6cb2792ac0d132667c3a216ae7c1f540547dc4fb1ced52c1649918d2c2cab27ef34282a1f7cd35acb11995630a64c1aa7fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ce081b41d06e93aa521914be1c1e7371

SHA1
4f588c0d762e32b85817bf935c667276274d4fb3

SHA256
aed679e848a45733c630e5c194af637e7f477bafaa5439d80c545be8574fbd1d

SHA512
cb8c930e14c7a4cb7c3a32c0d669012c90b47d65b52eca425ff7429503adade46e82ac200fbcd4ccb3bd806e042a79669a07779b3ffef12f1bfb996e849f4e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5a935c43d3f09de369659f83d55862a4

SHA1
f5bf1249428cb6b911cf2e21f58f99ea21383153

SHA256
91cdfdf43554c147601ae82b09319714f433041cefbc754d348a2129c607bdd5

SHA512
9c75697f26540a7950dadb528e6c32b11fca39ba9dd9e63372d31adfaff689b85eb1303cbace1133f2466ace2e09bd239054621cdf4ed1ae41ecedcfbf7530a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7ab7bcb6aed79b8505e8539de20b3821

SHA1
2903824ca50501e3c1bca18b19b02021b8fc3355

SHA256
ae5c8e1f68ab9a72b48c8005b2f3f755336bde746cd9bede7ff98425270245a6

SHA512
024d6279b08a8d11228af6626226cf0bd58fb288a8bfdf983950d1c5cb016a3f2c22793a74dfdba774513a1060759c9354129462dc894025bb78a51b0067d761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
57127e584b3b071c7ad76d2716a21afc

SHA1
4ca6ff2588931a305353a15d129b8a0ae633ede2

SHA256
552f985c9c70659d539f0428555c3eb338277339fab6e619eab21dc30583e26b

SHA512
3460301260d7f26886912ad492f69b4a0707aec4a5bb2ea3e0cf2c0a6501145be95f8a04208d7b20caf5af1480d98792cc0238897cb342cbf1d9b27ef468c3f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6bce830bb646e5993d06e1206b60c5ee

SHA1
1daa79bd215eec2fe2f61f20d278d9a89598fec5

SHA256
9d94ffa7a852540df3aad3c4eda7556d7cacdf3ccfd40c2ab25d68f9f6acb781

SHA512
c9a8f7e47cbace3cf06aab3f3f97cc147042f8a0c62ba79d67eb47cb486d74f28173b668fdccf4e14c5fd4a74f0e0281c865ee771083f64eb888798d7095f143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6a5af8ecb8dc81c043d59214b2361acf

SHA1
306e025c255e411f143d8aa377c59abe6fb5c439

SHA256
fdd526bfaf989e5112d36e3e91c3811018bdf0411b8fac9b24e38a077fa76d16

SHA512
505a34a1ab840551275a923539c819809b86c779e75d539ffeac2672e0886fbb0fb6ba1ed588bb6ea6c8244d6df45515a578b60fd40fcb8d216d4eb015002569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
93a5adc3f55cd6e6abd662078972bbd9

SHA1
df39e645e4e729ea4fc4321a488dc347fdddc6e1

SHA256
49c2b26f066110556b03fa110029a64e1c649b2684e0430086b53a0e13fa664a

SHA512
dcae0a1e7ba48adbf927dbff7fd08ff804362026bdac7380168195f95e477811e6f38cfabdbe5a74081a61ef80767a7a84be2ed7294caa856ffce616a331f4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0455f826161d5bb7e2112164bd7fe02b

SHA1
79ce7c145175284dd8b5daf3d14b47d951c97e25

SHA256
81aa8b499494a11b63901fdbef4a4aaf3a706602af3ba110b1b2842642de3ae9

SHA512
89d7de7f2d24581e342083c32e75f263bfe5523ab5eda6f8a13bf6ec918cfbddcde11f9ef5db2c597f86169c4328b3df17baa49ff163e35335c1ba7001526c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
021e60d346e9be33fc197b096533a1e5

SHA1
3e8d0a07f71116145cca233776a8c70e7d530222

SHA256
b905a1571464b613fd66b8afb0fc5b1f9444c9f05b96b8bd2e820b89a9cb3c21

SHA512
e15f88bcf1d0648865545d6dafc48ef353d291f41cff056790b68307362c27a1036bae29978905f12339909114fd843259abdbf0ac3fe183fcf880b977194609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a87d99151f22f53d13dfd42b20f51a0d

SHA1
61f00ed8878b66cc491a45c28e13387c9a9c8e4b

SHA256
e4d949f0e8ee756208661ced039fddcea7f2a5f7a8965043a018d5b2e7ee6443

SHA512
0ad3bfd701b77ea0632ebc95baf2257df5ad4850781e15969e5619c7252e30c4d904e12a58fc35a158603472d4aa6924748ddf6be4932178bcdb4dbe5153655a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbe3f387db16858ca840a937a0a1a9ea

SHA1
0a56be59f35463666dae6395e1ff2ac01beb0038

SHA256
6ae5604d22e1d0867ee298edb62d0a4feb5c22f6242c559b110cbc40e0bd8a76

SHA512
23befe0c3c64b9719121b256d5810bf1617ed2fa396e124fbbf57543036f91694603aa8918b5b0a25290c58a748f02724b0ed99c522f99f11fda03fa5b5833a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fe8a5644f738493ce1a884457294acdb

SHA1
1ef15f12de8ea64d7fad38b8c3e0415ffb22d914

SHA256
3fe8c663f7055159121b4d21e7ba95fd8aa1f39c6b7f54fa2edd7c34a6d08f05

SHA512
2b4df1721cd02f6b6406b381ccdb3c0175dcd8cd5129d74a6ea5a4a4ad52aa96a3bc4fc0e70bb621e299c8d8e5b95caf11d7a76f078900a784b69cf45705aaab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3c78b3ea771859a159b8219f6589cf6d

SHA1
55994c55f0b1d4f1a9093e24c3eb0e23df9268e5

SHA256
44b7139e934ea6794f86024f00f791c5d8e7638ba202afc6be11ba65b73a1535

SHA512
45312fc3f6955a7cdf22a55cab0adca5a5e003f1ca08b157c69c3673bf188d02799e2bc88bdee365aec9415893d6856f3b8c37445b089205eaf20322ac69df99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
df80b0a7c951721a4f2e00d47634236b

SHA1
68bd05e6b1ab1d1da631ca4dbc61f9a245a77464

SHA256
0a4f75421f97a286f523d2c7c4337c5c43ba50a96829b740d53ccc680e2f6ca5

SHA512
302a61dee8c5b8fd463bea2b26429d9de8938e1761d62155c7e5c8078e1556e3aa0441160dcb1286cf948e1925f8777d9177f332bd01e230c9a71d77025f8675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b25343bd39d35410f9cd6b7c623fe32e

SHA1
fbae6fd6ab3f4205168e43c21caeb8d41678dc4d

SHA256
5cb3b5f4853075c9997bc48b9c9b9d3032f3647f48bb570f0cab0e388f8f8dc9

SHA512
cbb01559c955f3853980194dce890a694722cf0e2ef7b71bfea888cedbefbbf43af40638402baf531a46e39b860df2c4abbe439efab7a238c1bf742a8a0fa1eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2e3e2477be5b3192e8c9180653e673ef

SHA1
0fad17012901db5f6ef71fa1783887569be7542b

SHA256
fb9dc0c97d6f14fc3c9f68b4a5f6729bbb6c82e8d3ff9249a2a08191e1c22c68

SHA512
a6732b1384d131f056e8a71a6b21bf4ca2f0d5ef988a74c207e1b2ac2ff9f2b9b551eff9c0c1b04720c1b11c12ef3695d8bb8388ad88401de29138d27c0fad3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
425611688edbe64d08f512b803b86f90

SHA1
f6312aa5ed9f4c17a2f61b75b8ba3e36297ee99d

SHA256
63f1da8c7347d5229367c5fe3fcf2fe0f98a2b178240f3a866c08f60660c9dbc

SHA512
18e3f1f78feffaae908de196dac2caa0fce44727f516ea552d38e3699ea8ce9119eb32d25bca8a6740fabf63988a7c1759d8a5ac7c25224c71726f0a178c9d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25c8b2d2f5772767746a54a1a67c6a84

SHA1
1dc73091f72b80abcdef755f058c1c4fe341d235

SHA256
440c6588934ccf079071ef7e784437e5e289a58f6c7f76e86f7109ee57f89b11

SHA512
205b493f7609cd50ecdbb7537715a095afe6752467e22024cc9abb563b1cf328af8618b92fe8f268f86d5db937982d4722664156f7e397058da8872cdb72ac3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0ccd0fd651ef70e6c7d7fa7be4b3dee0

SHA1
0cbcfd243a8f22ea55a5b053f6ca6986e7de0277

SHA256
375f8cf09a1316193ecd97660c53c38c758e299d2705f77e20441492045219f5

SHA512
7ac0462e9fa24f21e6c838f4fa49bd706cad2284270bd9d301abbc7b8e3a2718d10222d7522949dd96bea590339540dc699f5c44685c35399cf8aeeae93b89e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d4d8d074657c866677895f0cb74e90c

SHA1
2253c3a1672882e3b42754d95a670a7880128310

SHA256
735e2a1d4917aa91e19317a50d1f0ed50cb122e613e12ef0035a092c6df2a564

SHA512
c0f14452ebdb3d11773dc60daa7fbb594b0aa117a0da0d64cb53e3d77125b08fe54e0e9028666c8d26024059d07713ae270f6bd06cff26f778661531af3cd6d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
78024d2966a838ce17c3fb4ff13c03c4

SHA1
0c6e20d7a0a2135da90176ff557a5c2435cc1298

SHA256
8555d9ec92f34bfb995273b47386a157170eddcebce4e1cf0e09474f02b0ec52

SHA512
6df386b999164aadfc93325b9547d468ddb4d2e1bf9da0f6e0c6404d43ca73e6f9cff824aed48423ed42696d092fa2997f9996cb803900f7b06c9a5fe1fb3722

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bafddd64726c4abdf793471581f59a51

SHA1
a89b983c5e15dddce186778e604700ffe592268d

SHA256
08c7ac7560c7f61bbcafeb7006d6886678b82a787c272c4712701fe4089d06c8

SHA512
c0676606a4b78e12a6ed45e5c3aa0b32248aad14454e33e7d0db471dcc61280abe678ef74c1dc0d9dc9762af6fe4f90aa8d09d9142327c4c32dc6c8dfc654967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
782fd3e24d9f54d8847fad1fc543e7e3

SHA1
ab9433f84771be56e4eb0066597a6c6c67bc2a16

SHA256
110fdda34f22834edf994d6b356910e08636f2454a96ac295119970fad476257

SHA512
3fe7b22e6a6a3fdb21a57b3f09b4a474a01ab4482bcecb034fc918940788070c534294dc5696eaabab6e24434987ced2bb90b20de14b9685716d162484dd829a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
47cda3ae6e900f5ef90de56a008a79b5

SHA1
bdd309efb23fc25b610688ae7088139e7df5077a

SHA256
55e2eb07643aed72059afe7992aebfe14c54608f34d9b2ee1740618be77e5c49

SHA512
6277a474e2a50e8b0f09aef86b4b0cf0656b6069aeab4893ccdfabd195cd3119b7cd17104c740f09148e6e94a7bcee5977e737ab7cdb35c7fb9f1dea15198bfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
68bae24ffba140864389da1ffaa8244f

SHA1
6fd758a0401c32f104885051c763da8337e2e6b7

SHA256
04e2314dab1dc35d0239f8b240256c63677a21e4b7353868cb9f5fd6a4fbd73a

SHA512
41a3af1536f8ebb4bcc5a39b37f93fbe2f1772c18415bdc4b2147ca038c92ffe4acb2a546181be0f302f37cd4f2ca2de126098edf2b5998dfc748bbde5fcbc6a

Download Submit
C:\Users\Admin\Downloads\MEMZ.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads