e59cbc05af015b2e6c083703a60f931b88e931f14cc9c97c401d4f72fc14e1ec

Analysis

max time kernel
217s
max time network
218s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

forge-1.21-51.0.33-installer.jar
Size

6.0MB
MD5

8c436eda9da0144789bab353d08be245
SHA1

5249b3c3ca3d9a2cb8a8d321e3eef67ca64af85f
SHA256

e59cbc05af015b2e6c083703a60f931b88e931f14cc9c97c401d4f72fc14e1ec
SHA512

9e95606a5ec7070d3c3f92470813909c4333af931d1617610d532f44d15bfcd022dc50098443029bdfbde46705a2af851fa6e3068725032f8e9d00f669326ce4
SSDEEP

98304:VewET64fA5dC8hTMfN02yZqbsUwE9gxOvxwIzjX9C27koljF7SRrw7P6Fzr+WvfV:fCcdC8um2yb9E9gxqnzhC275ljtSDFzB

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ-virus-main.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
3216	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe
3228	MEMZ.exe
3228	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe
3228	MEMZ.exe
3228	MEMZ.exe
3240	MEMZ.exe
3240	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe
3228	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3248	MEMZ.exe
3240	MEMZ.exe
3240	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe
3248	MEMZ.exe
3228	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3240	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3240	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe
3228	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3240	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe
3228	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3240	MEMZ.exe
3216	MEMZ.exe
3216	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3344	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeDebugPrivilege	2628	firefox.exe
Token: SeDebugPrivilege	2628	firefox.exe
Token: SeDebugPrivilege	2628	firefox.exe
Token: 33	328	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	328	AUDIODG.EXE
Token: 33	328	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	328	AUDIODG.EXE
Token: SeDebugPrivilege	3344	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2628	firefox.exe
2628	firefox.exe
2628	firefox.exe
2628	firefox.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2904	chrome.exe
2628	firefox.exe
2628	firefox.exe
2628	firefox.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2628	firefox.exe
2628	firefox.exe
2628	firefox.exe
3240	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3228	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3240	MEMZ.exe
3264	MEMZ.exe
3228	MEMZ.exe
3240	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3264	MEMZ.exe
3248	MEMZ.exe
3228	MEMZ.exe
3240	MEMZ.exe
3228	MEMZ.exe
3264	MEMZ.exe
3248	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3228	MEMZ.exe
3240	MEMZ.exe
3228	MEMZ.exe
3264	MEMZ.exe
3248	MEMZ.exe
3240	MEMZ.exe
3248	MEMZ.exe
3228	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3248	MEMZ.exe
3228	MEMZ.exe
3264	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3240	MEMZ.exe
3264	MEMZ.exe
3248	MEMZ.exe
3228	MEMZ.exe
3240	MEMZ.exe
3264	MEMZ.exe
3228	MEMZ.exe
3240	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3228	MEMZ.exe
3248	MEMZ.exe
3248	MEMZ.exe
3264	MEMZ.exe
3240	MEMZ.exe
3228	MEMZ.exe
3228	MEMZ.exe
3264	MEMZ.exe
3248	MEMZ.exe
3240	MEMZ.exe
3248	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2876	2904	chrome.exe	33
PID 2904 wrote to memory of 2876	2904	chrome.exe	33
PID 2904 wrote to memory of 2876	2904	chrome.exe	33
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 2724	2904	chrome.exe	35
PID 2904 wrote to memory of 1296	2904	chrome.exe	36
PID 2904 wrote to memory of 1296	2904	chrome.exe	36
PID 2904 wrote to memory of 1296	2904	chrome.exe	36
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37
PID 2904 wrote to memory of 2192	2904	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\forge-1.21-51.0.33-installer.jar
1⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7399758,0x7fef7399768,0x7fef7399778
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:2
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2160 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1032
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fba7688,0x13fba7698,0x13fba76a8
    3⤵
    PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3756 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:1
  2⤵
  PID:320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2552
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.0.830016440\802349626" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f43ae23a-2cc4-423a-b811-3721e9a64486} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 1296 121f5258 gpu
    3⤵
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.1.363988398\1787794496" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d805c963-a589-421d-9401-0af17a895638} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 1488 d6fb58 socket
    3⤵
    PID:1572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.2.251255850\1538703836" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb04e284-0bc2-4dea-a3fc-de8a2f64ca94} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 2112 1a65a258 tab
    3⤵
    PID:2584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.3.2021710590\632949437" -childID 2 -isForBrowser -prefsHandle 1648 -prefMapHandle 1644 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb486da1-f80a-4420-8f67-0d735be1962f} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 636 d71c58 tab
    3⤵
    PID:3068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.4.78318728\194308279" -childID 3 -isForBrowser -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {161dfe25-8b0e-4aba-8291-d9885b7fd453} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 2556 14d04158 tab
    3⤵
    PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.5.1079334723\1080219797" -childID 4 -isForBrowser -prefsHandle 2996 -prefMapHandle 3808 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a878a5c-e3ed-4e7c-841f-aba9ac482f79} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 3820 1ec8ff58 tab
    3⤵
    PID:2988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.6.1980064115\1469742586" -childID 5 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a274d8a1-41ed-460b-a73a-5fcf4221437b} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 3920 1ecfc558 tab
    3⤵
    PID:2452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.7.1899973586\755597628" -childID 6 -isForBrowser -prefsHandle 4136 -prefMapHandle 4140 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {652964f5-584c-4867-851e-a445675e6fa7} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 4128 1f87ee58 tab
    3⤵
    PID:2660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.8.1272568319\400070812" -childID 7 -isForBrowser -prefsHandle 4408 -prefMapHandle 4412 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {488fc3cc-9bed-47cb-8231-a705615b3672} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 4404 1e882b58 tab
    3⤵
    PID:2916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.9.286875023\882231530" -childID 8 -isForBrowser -prefsHandle 1112 -prefMapHandle 3020 -prefsLen 27487 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5313cbcc-3c68-4e87-b403-1ba2dcfe6989} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 1124 1fd78758 tab
    3⤵
    PID:2408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3136
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3228
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3240
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:3280
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3424

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5641235b-0a37-41a3-bc5c-f13cf3322d51.tmp

Filesize
355KB

MD5
62ccb898797bc440d212e132c0167415

SHA1
4f32ce1551897cc698cabc4247de6fba68514390

SHA256
f746202a093f231e3c98df9b0cea975014aa4bc2f86a63801a1cc01b2e169a3e

SHA512
6b9732fb34cdf699e6e2fad08d4479e092920ce212db5bdc200aba7f269f78ba79864baf616b9897f906f34758bdc6ecca1479902df3afbe1fed07c272f9fd01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a1dc9b7b27ff73d63bb415e5ea6bb97a

SHA1
37111551539b4d6e218af9b9aab4b69b05ae455d

SHA256
729ca034ddd29f1ffc246ede277d0970d2f714820eb4c8a5397d0359509dc82f

SHA512
1a5c5c3b1473d84da396644926517844712ad1fd51ce240305a80618d280f92fd41f26b8731acbf19c641bff2c0a018ecc0e43164129075d73f5fa699402d5c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
355KB

MD5
7ff0d928dd876d8813d89e80318b99eb

SHA1
8c1c054847f240a08d2125d9404ff5e1fc4ecd4c

SHA256
ee10262ef4b468c245942650c4fb5f6331917f1c81892c88d7c615698e3ba329

SHA512
f74b61b436850470180b687e63e77db1b7b142e752ef15d850051d9148f2d6df15a2f8f4a2e0510dab15d03de36a0020965f581bbe063d41893cc9323212a9b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
d86ab13d18e0b465f58631ade1c2981d

SHA1
2e0226a50ba3580d52dd6eeca7e6dff17cfe7a6d

SHA256
f07aa26f8801d6a723ca009a159fccda32fa6e6fda2d9c60ca75262c4adc377b

SHA512
b2dccc803f62354a616b76b1dce886ea3754fa2d20b81b163999005366aca0750cbe433f842fbf15dcba2b26f5e04d5af505ec1ec7e18f755e1ef229ee819bde

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\cache2\doomed\15787

Filesize
9KB

MD5
a8e632170000e528c40f21bf10a99652

SHA1
dd084b62206e51daa3d5713d2e7cb921371c26d2

SHA256
3f7798b72805606c0d2e8c18fbfe0ae4d4d4cc7523e60cc1270547780719e32e

SHA512
acca28db0cc46910ed3ae87b4b62cfbf67a789ee34601cb033ca7024e766517e913068217007cc27fd780bd6b0af5bd566455d949b8daebb337d28f29e7ca04f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\cache2\entries\8E62FE1C4AC561DFBA4AC7F80730418E5CFDF8B2

Filesize
61KB

MD5
7610f4a4b3eb01be050fc4faadb2fde7

SHA1
69f2ffb73ddcaf783ed6ae9f1db733d80e5ea442

SHA256
39c78880e4ec237850bf1bee1a909b947a4fff1b07f3ba5d6bc3e78e043da4bc

SHA512
7f132a72159fae1d428b979fb9e4030608dae230e67c24580ac172e5ec7133da09c0bfbffa5cc37049c14d9e7a332354249e7111802b431d8cdc6a6a83a9b252

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\cache2\entries\DF88F41E5DAC45B039B785901EE8352DCC6CDA96

Filesize
49KB

MD5
11d7b3b27fcbb3cdb63685f776d21ccf

SHA1
a02b1301d2ae80dea47892a0f9a6816cedae0077

SHA256
c8cce39b616d9730de7b74fadee6e9cb07420856741114bd9d013ae9ecd08a59

SHA512
69c06809c45967cbef2adfecb59fa63e7a3f072a0e1fa9721a9b1aebafbf07ee956a597c19367ae35982f5fb15dc4394fa23ad9470aa640df9fa9ee9ff57940a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2f3e7bf45958d565ba38ae5df6204dd3

SHA1
23484958204678930d7e9ff46d75510cadf86056

SHA256
c123097ed629721d3208f4e13512c7b23b03a8180a1a9ec7fb65c5c8bcf5b93f

SHA512
316c59254258ec20aeb20d225d4b3606ea90412b193cde64b76df6783bd856f080945c45dd41f67394c2eba0b3af8e1425bd17b9697fa03a6a093384667b8a18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\859234ce-8819-4940-898c-a035eb917ab7

Filesize
745B

MD5
4d96e145211c16efd5f61764d7148de1

SHA1
203658aa65bb00ccbdf9c1ffafedd7c4dd22f8b2

SHA256
8d99b6455b117e5a38b2ef941912187feb050adcf1a83b51ccf7d0a2dea5af36

SHA512
852cf81cdb222e48b9dbdd9364c6631a78e742471ef87b05ea85de413877e91b05d3ae2d4b8d8de8e1d7c7fa2b34102b95c712b6d95d5701c80acbc5305822a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\983a93d5-472e-46ec-b537-e13c46953d80

Filesize
11KB

MD5
3cdcb9f4f7a2a754307a14329ca06f72

SHA1
464798f566a7c459e5df15012a54718ce371cfb3

SHA256
00b9ecdd2d85259b4080fabb70bfd9d9705b9d4bd17c40f0b9bcabea9849ee62

SHA512
9b5d239c92a291854c34c5730e45f2d778ea6bc7d6891b5812fd9af7a86c058deef9ca75f632d301429afe820f2c4d77c00184e535208073e20f0ebfead3dc37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js

Filesize
7KB

MD5
e9175adfd7189845d9082e14f3a28c2f

SHA1
27f23324ede8bd83c23fee614787e59f830b9c05

SHA256
f47f608809cc2b2a97b9fc9818213fb2c2a0831128285bbd4b4a6dda43e5c53f

SHA512
254374e06d31a4d84ba89364deb2ff39c0b69bbb08ebc7bb7e1e0a4443f19328c9ad111d2ab841a108388f77d93662519147e512bf52ee36607996092cdeea0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js

Filesize
6KB

MD5
e0e7ec5787c2c15038eadc2f78855974

SHA1
6b2badcfe5dffd51193a5ecd1c0f26071c37fc7c

SHA256
809c0466664a7abedcdd8cd86415e2e949cbf054e4a7449fa8db28f98053b747

SHA512
95f3a65f87ce24f03737f962cd70535729d2d1094edb3b521c70b44c642a0e7da788533770766bb015709a0d0477720187a235381ad5c7565d6ee289dcc2394a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs.js

Filesize
6KB

MD5
552fcbfcf7a079bfe85f3f52c311d633

SHA1
0ee5f432282eeadc4c3c8175772ad8e2628087d4

SHA256
2179295c197e0edfe2e5f0f4ac676464dd2b27b4a6e479146c6882dacbc61b84

SHA512
ce6b25515be747d68fbcd6fa5d73ed009abb0f785257c698cbac757602387d8b48117de1c633a98624d5edc01f0fdde98913827fc7e8b713ee58bdc25d4d7aaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs.js

Filesize
6KB

MD5
003d94946f6b4e279c433119ffc43395

SHA1
824a62a43f5954d8f2cca0fddffa627775596953

SHA256
596d0be910ec181c1f4413dc9b1aa2e33719535336ed75dd16ff3376a7b090d9

SHA512
3c64d5a4c605ae2e70a555474f3f1fc55300e0626dbf4db5bb91808db369521ef241dedc734c49ba1fb7493ee6c549c6d3712512c9f1255b11cf108ff04f5eec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d6d9e7de41d19d2cf91dc2d04c19fbd1

SHA1
6ee6216a0684a3ce32ef3ed8945ff3eff8ca48e2

SHA256
a08f55997a45d3b23ffb755bca47fd45cd31097d102acbd9b36689cdb6a79a66

SHA512
3c22cce481b978a581c1cd2fc085542f252885a3c8b6ed7fdd7b3dbce7cda51198be24e0e53a6c0a8631616ff8709b76595cc3497b73abab09c05167f890d800

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
53e7ddd2c0f7fcf56eca3be9dc92deb0

SHA1
e99dbfce744ba47c09e1382ac1fbf9af7bb44256

SHA256
6d2e1b3243bd2345d884f03f84f51f2623170f5f7178ed21a7bf60854f2a7006

SHA512
6568d0fa3e76ade939f4b4d7e3089972f86db03ea35973cbd53dde4e617fb4af2bb99201d016406aae85e2607e1bfaf53353c99a71cb6e88296f8f7d4e084d25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
70d1b0a3f876433924796b5fe7170399

SHA1
687c96b75e45e4656c6c5c04838e3ee33a5a52bd

SHA256
bf40877c616075fcb053d87cb05a12a7c9f4002d54510afc45748ee3899103e5

SHA512
04443117f9f68bd53f026db14dc2b566e48914d47065f6fa6d24891ec3df5c2964467be3598d2f7d77f0d58d2301750af188bf500d901006039876b90d437cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
cb0fc4374b620e56f18a273d569854dd

SHA1
a4fe5d31a67cf48ae8a9bf82b68b4c141f48c8ab

SHA256
510498adb9750a673ebaa75e25eab3f55362be7c08f29fe0e08f0f70ebd95fe8

SHA512
c258a1f834e36b3fb097c10637d19abe1ba867190a9a6162c2e996e0879b67323bfe1d6ea0fe78673b50d5c44e134fb8327482040fe28adf6c3aea346f0d2f43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
fe5b384e5182ab4a80b071fe77703fe3

SHA1
c10763e7f5f0794cff5f9e280ee2372804018fc6

SHA256
887ce604b9ee65afaf499b2af63a762070b03f94c4011759cfd47befd3fae1e7

SHA512
2419bdfd45f9f87af7d31b286e54fc2c449f7d93a81497ae749403cf0ecfc037869d6831a14f6f6b6c09a9a1113ca162387bd0ee53e09874715ac18f86cb2c14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0548b6763918240aed0d8bda26d3f8fc

SHA1
7c9e10f8771049774f4b6f87a9240f7710c188b6

SHA256
7137a1672a3ad9528da0d7522641c69278b47564d06081ac911fdd0236a4be03

SHA512
c0c9d3f48232cbd8c5318fa3ccad23f9fa2782392f32373625fc86c14bdac43a88e4d54eee5d566bb2d9f047ac09a936c7b926f731f59f6da215cdf2fb380b70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a18b615f6ee979ebc63a2241710f4b9a

SHA1
84549f2632d6753fe10fa114d57fe3f6a2d40f67

SHA256
434f49fd0eb8c0900fb668239f230bd9b5dbe83f6876d2207578ce6ca62a8c87

SHA512
55bea9bbd6de79e10fc47cb676292dc4bc7350ea34938e3db4423a52c2eebe5fa7f9c20c5e32bcc617031f5fd2b3c3eae592799ed21583d05ca3a56ddd43e332

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
5314400485836bc757f3eeda40b15fad

SHA1
6737ce39007c86b14741099e2a696e707c0f7034

SHA256
2c628de1fa0bbb15344a1dc1f9b5c96688e01622de3fabf3f225efbdd7a0a9f2

SHA512
c1a6a748fcf6c5e395e91f77aa77f0f2d204684a36bb178be43749cdd340f81041beaa3e267a2518dc4420875bb10687c341f084b55a33c9ab6da1431338a8cd

Download Submit
C:\Users\Admin\Downloads\MEMZ-virus-main.zip

Filesize
8KB

MD5
a043dc5c624d091f7c2600dd18b300b7

SHA1
4682f79dabfc6da05441e2b6d820382ff02b4c58

SHA256
0acffde0f952b44d500cf2689d6c9ab87e66ac7fa29a51f3c3e36a43ea5e694a

SHA512
ee4f691a6c7b6c047bca49723b65e5980a8f83cbbc129ddfd578b855430b78acf3d0e461238739cd64c8a5c9071fe132c10da3ac28085fc978b6a19ee1ca3313

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2596-2-0x00000000027D0000-0x0000000002A40000-memory.dmp

Filesize
2.4MB

Download
memory/2596-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2596-12-0x00000000027D0000-0x0000000002A40000-memory.dmp

Filesize
2.4MB

Download
memory/3344-821-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3344-822-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3344-824-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3344-825-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download