a9cd3d966d453afd424d9ac54df414b80073bb51d249f4089185976fb316e254

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-04-2023 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000abcba4de2272e012176f6f0662906800b980b84eb0c7ccc4cb106daab4487161000000000e8000000002000020000000a9e6a67b9295cd4a2ea77f54c58932b04be331153dc986468a05835bb1a5abb020000000b42bb72aa140ce62df8514528828f8edf4476ccdedb3bb986e62c36a12962d9140000000054c327ce9b23b53b44f6cecc7e890f8e906bada39116e98a994ebf665ac05d526315d0ff74fb9a17cfd26e3da10c34944a02c1e797e22c41bd0201a3e98f839	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e2000000000200000000001066000000010000200000009c32a5c5f9acd48bf8db316c19576f1cb5d417ecc03ec45d7a42e13bae648311000000000e80000000020000200000001b7f762c3d7dc8247a39bcbfbf7bd98c4b0b18c445b47a62b40317e48f1c0fad900000008994a60f3fe3613bc599124701c078efb94d7c653208a5f5c3f122740fe8c51c8c4e9810dd7c8011d112bbf96e34a2af6bdef16cd958d6f6b9749d7d23294ba08d2bd4c9ad79cf346aedef9c605e19ea15fb9ffd3b06db10123d75fd99d9d9bed24080208e58fe3a46b96cd986d99d1728a83ed473a974b6941f3aad8f470c94b16f6fc5d89f1088d79087f94a94bfdd400000008dc2393b50f21265c36eb73fbfef4d3ae67630062e109ee3212f6565f7b11e3cfe23d74d3372bf48775fdd130da149a0862f85ccd7186469be6d08b3fba11e0e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 606004f63769d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387626638"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A7BF251-D52B-11ED-B8E8-C6F40EA7D53E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

1468 MEMZ.exe

pid	process
1468	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe
1904	MEMZ.exe
1704	MEMZ.exe
1860	MEMZ.exe
1740	MEMZ.exe
892	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2020	AUDIODG.EXE
Token: 33	2020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2020	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

980 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

980 iexplore.exe
980 iexplore.exe
2024 IEXPLORE.EXE
2024 IEXPLORE.EXE
2024 IEXPLORE.EXE
2024 IEXPLORE.EXE

pid	process
980	iexplore.exe

pid	process
980	iexplore.exe
980	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1976 wrote to memory of 872	1976	cmd.exe	cscript.exe
PID 1976 wrote to memory of 872	1976	cmd.exe	cscript.exe
PID 1976 wrote to memory of 872	1976	cmd.exe	cscript.exe
PID 1976 wrote to memory of 1468	1976	cmd.exe	MEMZ.exe
PID 1976 wrote to memory of 1468	1976	cmd.exe	MEMZ.exe
PID 1976 wrote to memory of 1468	1976	cmd.exe	MEMZ.exe
PID 1976 wrote to memory of 1468	1976	cmd.exe	MEMZ.exe
PID 1468 wrote to memory of 1704	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1704	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1704	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1704	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1860	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1860	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1860	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1860	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1740	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1740	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1740	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1740	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 892	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 892	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 892	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 892	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1904	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1904	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1904	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1904	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1632	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1632	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1632	1468	MEMZ.exe	MEMZ.exe
PID 1468 wrote to memory of 1632	1468	MEMZ.exe	MEMZ.exe
PID 1632 wrote to memory of 1536	1632	MEMZ.exe	notepad.exe
PID 1632 wrote to memory of 1536	1632	MEMZ.exe	notepad.exe
PID 1632 wrote to memory of 1536	1632	MEMZ.exe	notepad.exe
PID 1632 wrote to memory of 1536	1632	MEMZ.exe	notepad.exe
PID 1632 wrote to memory of 980	1632	MEMZ.exe	iexplore.exe
PID 1632 wrote to memory of 980	1632	MEMZ.exe	iexplore.exe
PID 1632 wrote to memory of 980	1632	MEMZ.exe	iexplore.exe
PID 1632 wrote to memory of 980	1632	MEMZ.exe	iexplore.exe
PID 980 wrote to memory of 2024	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 2024	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 2024	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 2024	980	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
PID:872

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:892

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+get+money
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0bbdae77e40ca6d1a4fa8870060b957

SHA1
2d3668b17b891a928b73be52928faba0aade0a8d

SHA256
61466e7a6eec2321d3825aabd16fdb44efd8a474194e63496e1e1e3f85776ce3

SHA512
b2f81ebe1e79f900a5af4e2ace561ab7579b10786308dcb6c2719dcbed7badafc2d1fc788a977b54498eeb5dd3869f88a8cf1cf8a3716251a712fecc5afca7cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb1f15dcdc68ec0c5abe3f618ec2f627

SHA1
17d8195e87d525555f683d8b2593ab29718b8f6d

SHA256
7bd86b9244771c704c4ee892710c8233005f6315a305b4315a3eb4c80a46c37a

SHA512
ce79e4ab2486ac74a46d2a3fd9a195c6b88b68ced4ff6d58e769bb9dd710d498af8f9c05257e368478bab3a31e276c0dffedccb4cc73bea2648531127112ad6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d74c00ec6a8228f157d63bae2de211f

SHA1
165c980d5111e5d2e12d6ddcf187ef1defb05734

SHA256
7d3da761c4e3ff881cf63bf6fe61b353720d5d5aad17999c8a4182596ea48ebe

SHA512
8928eda2ef4a683ebda43c44530c73813f1b15ccb02fa2e9bef325ec98db41a01dd12d2c23085798fc468d666b7ac5ddf0c089c432fef33d6d2f89075aa9a95d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bc3a92d376d8a43c4196cb59beb3d17

SHA1
a4b0316a167bbf6beb4f4a68520aafd0ab409c08

SHA256
663a94849f682e2a7c06d4811391fde5cb25b9cb4bf55e60554f43dff588bb0f

SHA512
75f1a2476a6720f1ce7364491413755c046858824466df1946f3b21c2576e49e5b381da30026c124d5446ca931f4731de05c9a2d7f662d31389f1b2b0f2bf5da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15cb10cd2e4b4a8fc81dc15c8bc33abb

SHA1
529ba5a666ca21507ef0e5ded050834130e6287b

SHA256
6ab97da143c95354d6e60cfe35520977752b03e3e08a70617be999709b446a9c

SHA512
a4ca0c6136256a03a74651dd3283b6eb0342a5860de0451a8352ea32cefaec76e96331517acfe07772e4f1565dbd6f039e489a0452081f654692f309ce5d1af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e8f91fbb74d3d192153b84614d34a0a

SHA1
2c4a0c2688bb9cfb3f39a1448007a906fa9a0052

SHA256
0b1e43501fa2466e3e89bce53c45d0d0d5997297bab95aba74ce690a0fbe9cbd

SHA512
21ccbf30db807e088a822e06c768d5517f5f0dd2d4b196bd7a4310abf2fcdf67c5b2e7f089c1ae57f661f00e5a44e0961ba8978c491efc947cfdb44610892dec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dff860bc6aa601ce0a6cf85e666ace47

SHA1
c38bea38b7bf1131a658cdc2baf728b2e86a9433

SHA256
7dd105dc0b77733f73b7bf5d8c4289318fdb67b1b856b3e1d8f34c6b5a806f0b

SHA512
b79d09ca9dd2831cb478a56ce52d6ed031d15d3adf6e640e43c91ef48b498dff53f9b862ef635c4e75e367f0534cd647bf3c4e72760e4f51801d58bdc0f130d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca8a0ef95e97bfa70d4a0d7d78b80d51

SHA1
f7a335b296198b824ede9502c631810fc2ee31f3

SHA256
69da93185b35ef5f0ae3a25e8cd6d069bf58cc9e9fec6345e15082fbb6b5b85b

SHA512
e6832b3d2d33e4d85d0b1ff8870930dc50ea79672e11ad65daf2fbe2d7c924a104438c628d2a7550dc3e287e87513487be5f091ee819be034332dd6619d49795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
101025c79c951ee9698ecf26ac13aeca

SHA1
bb2116d0801fa46fd5365b14680251425dda4290

SHA256
aebede5d849ed3f9f32114b83b91ec8d576a21370264c93b3b83bec89527f67e

SHA512
8ca990498b8762d38c93b9c1b4bd145db6832dc630e691e0e0b772f06bd9ef4a3ba4aa655b0df35155f2dd4d925f6d6623527234911eb3741a0da16344d36bdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z62wpf5\imagestore.dat

Filesize
9KB

MD5
d6ea8bb9642b2c1fee134c26119f27f9

SHA1
f0ec2d9eaf8ecbd3f0072e60efc94247fc1a0fb0

SHA256
48c1b4d21108195f241cf7dc56062942ee5e479c7a5c0e99f32b77931bbd60b5

SHA512
1cd7bdd6ddc48d899f1b2f8bb48f7804d0256e0e73285710265d3fdd5071ad49e73441b0464ae79f01fa45901df680bbe787d3136c031c6b8e0ea7a027763337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03S7L47X\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\favicon[2].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF99.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDF9A.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE25E.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F4AJMMRE.txt

Filesize
596B

MD5
f1a6264d238fbfc8d49ebf70199021f9

SHA1
3796daccaf3071d5cf848c55c3e4a4349eab40cd

SHA256
6f5cd992d903fdd48b9aaf59db4347f9b847c199afe0041765856f4946a99757

SHA512
22978e12ad49f092ced29808324df0248703e87bec77900125a1d9f460c91e3926dedab6f9f611f90d7e02285d97db2e14ee92f30eec1ddfb0f4b82b1b980772

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit