4b30f308a5f0cf34361f5a53f2d73c523188adbbd9ac264275946197a3a8aa28

Resubmissions

03-03-2024 13:51

240303-q5vgpscb85 10

03-03-2024 13:45

240303-q2r76sbd9y 10

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1968	MEMZ.exe
524	MEMZ.exe
2016	MEMZ.exe
1996	MEMZ.exe
2364	MEMZ.exe
1388	MEMZ.exe
3032	MEMZ.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d48f6f716dda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C96B701-D964-11EE-8859-DE62917EBCA6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000b688d2053b0c8da1f20b2f1bf4ef8c4f149d57c9d816fae16b3c536d8d4c43b1000000000e8000000002000020000000dc2b67ecb102588d051ce36f2c5e076b245b09b39b48259c7184634884d7d56e20000000df5d273ca9ec43c413d59858479a7b82119f16aae0df6a230f4641486676e90340000000a6e6050b9fb1bd84951f90974abb8f26ed20258e19b87d1e8d52475e555f0902d31913061197f164a4a0c23528e259765bb645f6c08bbb1c1f5fa99849afcb2f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000141a0e16c020c0b1c8e80675f9bed0b986b5fe940cdb674b23559aca3804af21000000000e8000000002000020000000672cf93b94d711760763d8fdf0649abba9fc4c36f379713274c1f45ae9cd29939000000086d319b8146cf02108addb9cbba94b7835cb7245fd4ae1d5df3c1dd51621d117b79855ec0333b18f8cb9f4d6b52e898ae3b0cd1d91794ab268563995db06a3a3417dea8ac3e80a0f0f5bf27ee0a7aad7aa4c3a78595b75f71cb86ff88c5a8b5e1113272bf7d9d27b341280c8f5570c7a8546196d3d84a283f0a5687158f8281975e2a6af077a86c047f09f38e1a9c50f40000000a5b4955c7991376663d751e3f2404fb6a5e8bb9dd8d417ecd55b9b23d2e5245f7151a6daf73d3105f0c5f0fd58ee56628d4d9e53fb345a7b9ccd2c8073ec70b5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415635533"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1968	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
524	MEMZ.exe
524	MEMZ.exe
2016	MEMZ.exe
524	MEMZ.exe
2016	MEMZ.exe
524	MEMZ.exe
2016	MEMZ.exe
524	MEMZ.exe
1996	MEMZ.exe
524	MEMZ.exe
2016	MEMZ.exe
1996	MEMZ.exe
2016	MEMZ.exe
524	MEMZ.exe
524	MEMZ.exe
1996	MEMZ.exe
2016	MEMZ.exe
2364	MEMZ.exe
2016	MEMZ.exe
2364	MEMZ.exe
524	MEMZ.exe
1388	MEMZ.exe
1996	MEMZ.exe
1996	MEMZ.exe
524	MEMZ.exe
1388	MEMZ.exe
2364	MEMZ.exe
2016	MEMZ.exe
2364	MEMZ.exe
2016	MEMZ.exe
1996	MEMZ.exe
524	MEMZ.exe
1388	MEMZ.exe
2364	MEMZ.exe
2016	MEMZ.exe
1996	MEMZ.exe
524	MEMZ.exe
1388	MEMZ.exe
2016	MEMZ.exe
2364	MEMZ.exe
1388	MEMZ.exe
524	MEMZ.exe
1996	MEMZ.exe
2016	MEMZ.exe
2364	MEMZ.exe
1388	MEMZ.exe
524	MEMZ.exe
1996	MEMZ.exe
2016	MEMZ.exe
2364	MEMZ.exe
1388	MEMZ.exe
524	MEMZ.exe
1996	MEMZ.exe
2016	MEMZ.exe
2364	MEMZ.exe
1388	MEMZ.exe
524	MEMZ.exe
1996	MEMZ.exe
2016	MEMZ.exe
2364	MEMZ.exe
1996	MEMZ.exe
1388	MEMZ.exe
524	MEMZ.exe
1388	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1624	AUDIODG.EXE
Token: 33	1624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1624	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2512	cscript.exe
1364	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1364	iexplore.exe
1364	iexplore.exe
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2512	2784	cmd.exe	29
PID 2784 wrote to memory of 2512	2784	cmd.exe	29
PID 2784 wrote to memory of 2512	2784	cmd.exe	29
PID 2784 wrote to memory of 1968	2784	cmd.exe	30
PID 2784 wrote to memory of 1968	2784	cmd.exe	30
PID 2784 wrote to memory of 1968	2784	cmd.exe	30
PID 2784 wrote to memory of 1968	2784	cmd.exe	30
PID 1968 wrote to memory of 524	1968	MEMZ.exe	31
PID 1968 wrote to memory of 524	1968	MEMZ.exe	31
PID 1968 wrote to memory of 524	1968	MEMZ.exe	31
PID 1968 wrote to memory of 524	1968	MEMZ.exe	31
PID 1968 wrote to memory of 2016	1968	MEMZ.exe	32
PID 1968 wrote to memory of 2016	1968	MEMZ.exe	32
PID 1968 wrote to memory of 2016	1968	MEMZ.exe	32
PID 1968 wrote to memory of 2016	1968	MEMZ.exe	32
PID 1968 wrote to memory of 1996	1968	MEMZ.exe	33
PID 1968 wrote to memory of 1996	1968	MEMZ.exe	33
PID 1968 wrote to memory of 1996	1968	MEMZ.exe	33
PID 1968 wrote to memory of 1996	1968	MEMZ.exe	33
PID 1968 wrote to memory of 2364	1968	MEMZ.exe	34
PID 1968 wrote to memory of 2364	1968	MEMZ.exe	34
PID 1968 wrote to memory of 2364	1968	MEMZ.exe	34
PID 1968 wrote to memory of 2364	1968	MEMZ.exe	34
PID 1968 wrote to memory of 1388	1968	MEMZ.exe	35
PID 1968 wrote to memory of 1388	1968	MEMZ.exe	35
PID 1968 wrote to memory of 1388	1968	MEMZ.exe	35
PID 1968 wrote to memory of 1388	1968	MEMZ.exe	35
PID 1968 wrote to memory of 3032	1968	MEMZ.exe	36
PID 1968 wrote to memory of 3032	1968	MEMZ.exe	36
PID 1968 wrote to memory of 3032	1968	MEMZ.exe	36
PID 1968 wrote to memory of 3032	1968	MEMZ.exe	36
PID 3032 wrote to memory of 1100	3032	MEMZ.exe	37
PID 3032 wrote to memory of 1100	3032	MEMZ.exe	37
PID 3032 wrote to memory of 1100	3032	MEMZ.exe	37
PID 3032 wrote to memory of 1100	3032	MEMZ.exe	37
PID 3032 wrote to memory of 2952	3032	MEMZ.exe	40
PID 3032 wrote to memory of 2952	3032	MEMZ.exe	40
PID 3032 wrote to memory of 2952	3032	MEMZ.exe	40
PID 3032 wrote to memory of 2952	3032	MEMZ.exe	40
PID 3032 wrote to memory of 1364	3032	MEMZ.exe	42
PID 3032 wrote to memory of 1364	3032	MEMZ.exe	42
PID 3032 wrote to memory of 1364	3032	MEMZ.exe	42
PID 3032 wrote to memory of 1364	3032	MEMZ.exe	42
PID 1364 wrote to memory of 1020	1364	iexplore.exe	44
PID 1364 wrote to memory of 1020	1364	iexplore.exe	44
PID 1364 wrote to memory of 1020	1364	iexplore.exe	44
PID 1364 wrote to memory of 1020	1364	iexplore.exe	44
PID 1364 wrote to memory of 2820	1364	iexplore.exe	46
PID 1364 wrote to memory of 2820	1364	iexplore.exe	46
PID 1364 wrote to memory of 2820	1364	iexplore.exe	46
PID 1364 wrote to memory of 2820	1364	iexplore.exe	46
PID 3032 wrote to memory of 1760	3032	MEMZ.exe	48
PID 3032 wrote to memory of 1760	3032	MEMZ.exe	48
PID 3032 wrote to memory of 1760	3032	MEMZ.exe	48
PID 3032 wrote to memory of 1760	3032	MEMZ.exe	48
PID 3032 wrote to memory of 2588	3032	MEMZ.exe	50
PID 3032 wrote to memory of 2588	3032	MEMZ.exe	50
PID 3032 wrote to memory of 2588	3032	MEMZ.exe	50
PID 3032 wrote to memory of 2588	3032	MEMZ.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2512
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:524
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2364
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1388
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2952
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=g3t+r3kt
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1020
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:406542 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2820
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x180
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
81ab07a0e8a5aeb4ef5037a35ad5e80e

SHA1
807699680de32236ca125cf89f65e1a1396a082e

SHA256
7b4cf07c19a58f15c5b8cfa6d4eb363fea8470860cc995d6d70614fc7015d019

SHA512
27c9cfea522fec8dadedf8f277038086dee95a241473428568e3cd2887c2bdac1ed937872cdd32fc38712ac1f0a66996c6ca839c911189a08d208eede1615e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_B7E6E2E5B49339ED1B50F8F39FE34E73

Filesize
472B

MD5
ba2351d6d2dac436c5b2c2f42feab7a5

SHA1
79d67c2428b208a65e13d806471575718ea1bdb2

SHA256
13e85bd875097ae958005449cce29ef16877bc20844e1c98426f978b5067d9a6

SHA512
f719bf032e95af8063973987ebd7bbeb1d931f7291a2071dac78828192b1a421b7c7e9e54c23870eb4a86360c0b49b0bb99d9541a224ff53bc900b3f0acbb0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_BE7DA50ED4C167DC2E87819405C6BB24

Filesize
471B

MD5
53c9a34bc08eeeeb2b4a89cf23f0b8fe

SHA1
0658ec2aeaf8b4963cce201389c8e8740cfdf1f5

SHA256
3a0cbf4f359cee41b7818ccef795a174ce82ccfc6bf00463b86dbd4aa9f08a50

SHA512
1ae8db15df66b18010cabc9f4d50834d49c2d3346593e49a35906f10cb1de4edd7c95cfc65232aa0162d7c635790805cdeeba2b5ad74fbe60e94429ceaa010f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
624bcac751ccd524bb0e829cc8df7d7a

SHA1
5144a0c558f0ca9ae9421ca89b300defb72ae7f2

SHA256
1eb0d297fabaa85bab98e71cc8c492e856c259547f4bc8f66f7a4301ef5769c0

SHA512
e849632f7f9f4b12e05b02a245c160281f245a3ff10e19e121062d5bd105d4c9a109690def5a62ecf66701788d7a554dd65c3d22fda5027044c643a2ff4209bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95e8c2391f3c4ce8c9d5e22a409571e9

SHA1
5ac5be6c872ebecfd41bf7bd9f12cbc893db3475

SHA256
de7ef76e2ffe7e4b0d579bf67a3e1f5d4e5bb0d450d57593132d81a0a43b2ad2

SHA512
ef614193bd856cef48f9944c4d27f00c14949739532c2fd60f9643f2882902f76c634ced069af31f8075892ab2f937875e310ac8993db4b7f40a7446597fc7c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
227fe55cdd906a48f2da5b4b5c31b161

SHA1
539e079816ab75163622f412b2f0cd2035d2f754

SHA256
d1d41627c9597853957a3bfb3c6d8a78349935ee286d99518471b91ff27ff023

SHA512
dca2de690242cc5cc4fde75d9b74978a338213657b5d2b8acb8fbaa91294b7bcbc89922e37b5c2931c4a9f955c16ce6c82b2d8996c186b891f4cf41e0ecaf8de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10de76665e6dcb43c397559ea0266fcd

SHA1
ef4008bb4b81ea6f7fd98b76cbec9bb58c42702c

SHA256
a824e69e1fc0db3131ad10f8f5e4a9d05bcc2dc6365db9f9c52848507c9a3d5b

SHA512
dff29549238e2b4232e151dddff3afbe538b55e4974aa5e69882f44b89421633de21d616fc70ed92e89acb13a5c13d7df30456b973666ea44ddcf18e339d8190

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a38aff9003ac4bbfd7b40c7ec5a9a34

SHA1
418f42fdda4409863f4ffbc25fc0de6b0b056e03

SHA256
4822ebcd4cd1ffde301c65b79d28b65dfbe6662c51cd6089b884ca67e4075509

SHA512
a9b38fe10c10cf3727a2aef9c0cf9bd41017561a6cf322fee3f451c3a65d946ccf1a4204767e1d821d010fa4bbb013f5343a4b33903aa77fab2fa436c37c1cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
696da32cacc6eedef503b99b97b431b4

SHA1
a19de125dc21b63590dea26ee16366c74ed10661

SHA256
11ae9be5da8fe6b7fc634d0c7ed09c40e7b063e46b3fa0bd9113eb1f3ff84440

SHA512
1adcd0b5a2ffdea5410ba80a19a8701a606ca3159c89b39985c57ae713f14746cf0aa96ad2e9ebba9d7f4de8b5ebfb5ad116448ce71e2b5d785147957f986911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01075dd51d5f5b5de41025cd367a7ff7

SHA1
3a29092959b325893d77f379401de7b2b39216b0

SHA256
f3bf187ce83a339b0dadfa64ad0f3163a056ca1d2b4179b376c9270bf2f8e678

SHA512
0fbb4e6d2550ed431a4319de2dd8a6fde580fb7088b36d51194efd51ae3ce8e24c8633c199dd28db363105aca557bf20c72d5128e3a4890e0082b76b64228424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
883187f5b9af26bc9aadf7fea8b9edf7

SHA1
ef3d78ba98b2f1a8e4413c8eba07ad19ee7d17ff

SHA256
a761b11ee5de7bd3f1ec385f2bf658779f695d5050550994c88044dc51495b64

SHA512
ed1f0e10f0ae0408535405cb31e53f38544faefd4810974f9b9688c49aab73606f6ca27ace1857df89bc81f086bce0a7ec01e41acd506672ac876995de03bd09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86ffb3eb4d2cb66f9aaf9468117703f5

SHA1
66640d058fa1ef59ffbced80955253451a40451a

SHA256
e79a84b644ea88a81f3fb77bb7be706a876a3ffc320d744a78aaf7bf5b84aa55

SHA512
186414337ab77bc221ab86225c26c2f510aed24562203ec5750cea3f77a84bc05061fc8867142c1a92fed04e3dacb451a0c3ae067dc678238ccb58ec75dcea17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c66495ff7dc5b2468a483a59aa1fbb22

SHA1
1120ed1eea13e806d7625aa5208c168d677d10b4

SHA256
96423e9533c975a1c7bde12a732a535cd8ba52b6e7361dd081da38b3be14e56a

SHA512
947c0df38f94e8142b18c5bf5bbc8336256fce63130d72f65f33c4ed655d083f1d30f0c18354f0ee1fe7f503b0794445372a2f12590bf59c1bf00e43b9d032ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05549e471c3277350e8250416b7bb389

SHA1
fb14c0b59f60d270dcc05e45d611c77ed3f64cee

SHA256
8200f2f8afc0c7529a28fc4adff236da165c42038f9f06d978b4ca3e9e3cb458

SHA512
d428608a315f40ddc7d4b12e86a765a221abfad1826255084cde7cf1bc376e02ee3826f179934e411412ac0b1e9ccf264cf930d93e2e9fbe96ba076dff6ca2a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02012e6da376966616fd68a0b4417bb4

SHA1
85d7dfb71ed20f05fd8113126d19b6398c194f3e

SHA256
c055f89cc50a398ea42af218c88f87fdf4613cc476c2a63ea3d51fd7bb58286a

SHA512
97a7af6a2fae458a272c90f872ea176ff532b30ab91334421e781489f93106d2f5beac63e2c0dc85a58843524fd0062c99caee6e12db20b6360ab227da851089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e52da6b5bd441e4e68164cc38e042b24

SHA1
960a35a8d7124d42d3eaa8f297285a342659444a

SHA256
d4d2f61e5dc115d6326b4c8919f7e9c6009af6cd7275a5b3aaeca0c1047ec634

SHA512
744217f362cfe7d87c4ad0f55f9e2930a64dc2122ce9c58a7583bf946c84bdf0b8978e2d6f93a09db1bc90b12c3e181ed17c60221b9669ad344403f33cd5e844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fff6fdd657100ca5b91a7bb529b34389

SHA1
c7556497ad9a98e2923f38b153731dc9f75045b3

SHA256
77fda7224867f3281362ce4f25b223fe62207432d57fe201e25a6bd2411cd1d6

SHA512
b6ef1c0897fed00757363adc9847a59934cda418dddebdec1e8aba63834662d8c4f9e9ae80f5a618270e2210211721f83c1b1dd7bfa1b3b745d89bb35fe1a378

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb144ac16ff72fb665cce1ec621ad7c1

SHA1
fdd217e32ae1c3795b38baa3619e3f770f6fc60a

SHA256
d2cd3fa418be63d8a55871839bb6c7a50f3007e0e929b9c4dbd2578ee016014f

SHA512
f7a9487b267d69fbde83fecd1d4a97aba58baa403695907f83e8ad88a34dc5bd448b61b8170071e985cd252681275ec2ada6bbd870d511febd784af898d669f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e99c14a41f48c1e87fdca268747a5ca

SHA1
e8f38bfd54fbe65bce56f72aad1049b962e32f2b

SHA256
a5b4ac8ffbddcbbbdf2154ab5e34a90dbfba285763c1b300ff74b2ec84e2cc90

SHA512
1955a01bfa4de855dbeb8a090ab2d73da3df05ac519a8b96fd53d77b75aa92c4ad38ea705ff10f4d919d2eb09e0eb2e33468bba1ff82f5d5967fc0e6c0e84655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b635d872def1d6ec075abc0472fd487

SHA1
7579d2afe63a5a3bdff0494e61ca4b013797ed13

SHA256
eb50a22ecb13a4bbfc269a0c6b70de88592e060736ec8c9a9ae8c3ab095cd568

SHA512
513fef21a2c531bdfc150fdad56ccf6b4750259eb99bc474b9ba9360562cd47147b7a2df68371b5896097332849482b7409f99143eb8836645efdfa4bf597576

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
187ee5e51377402b88c913aaf348bec9

SHA1
3fdf1759f5254015ed20b0ad42737c8f47221597

SHA256
cb5d60b15d70038abb531c509a2b0c75cd6463a98c4d278fa3530ca309358c7f

SHA512
76f02b93cd88896b58c6cca680f479d58abbbeb7500cee9486d634aec2a243a0ccf24d553ade8ee9c061236c6ced1b61df536216f6299d73e366732664126be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd5e4c27ae7d1e3ada8b0af34d0d8376

SHA1
6d22fd767e2d897793a235c18d05b8a31647a087

SHA256
9c27c932cb6750e8f9c082b6f53e462c284c3b4413e2b7c85808b2582a954dc1

SHA512
a6cd9c73e04cf219798d5d0f7de1def38274ba66e0760178cf54e2fba4373c8217160e30b04d3bf1fcfa9b66426dbaa5e615daa2cf9f6468227b119b94d5031e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5cfb906a376747f04c6c7a7a366128eb

SHA1
4e7d5b83424cfec0f36da4abc796001532407b3e

SHA256
0da4e871bb413e0f5484317b3421508c6deb28d89080126efd7e9b3a6b3cce0d

SHA512
9abe17a3c1738a33c99d62a4942914638009f35844b4ae58d858220caea3ce632889c417158560a8c5341aa90187b4de230277f78e5275ca913267ed55132f23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
865aa2d53bdf1c78da90636fcf2574d3

SHA1
bc54b2f5f65763ca8f6989f0313c0ac3b5eeffd1

SHA256
2e9ca52fe8185f44a87d1ffd1f0211e62e3ecf6ede739ec2e8cb4d1144b18bc8

SHA512
f901e89d82f96a6ea0c41619796cbdbd2b66c6d4a92a2b4c1e73d7ad7cd6daf95a5c419b679f7eceda378452e13d2df28d55b43ffcfff7b28ab95b46e8957553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d183b2be296b6fdf24e4105ef66fa8a5

SHA1
37db05a0142501e6ea816935caadd022ff72bd18

SHA256
9d77f95d61cd9b045094dd3e490fb3cdc770eb6d9a86e53bd0697dfa8d101fa1

SHA512
be4e3138e961de686423779b445dcc2f776438597504edc2fdf26f957ac2f3259e769d5c430c6adda71f5a87b8f06057ab6e4afcb3e306356e350a6f4158d108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
6635b7a1f761e4a6a629411be2a77820

SHA1
e3d3aa7363993024432821147dcad07d0e0f3283

SHA256
2ec3dfab47f40673bf3359a15e318e724be07c2cf10ba31a1e299d8b3eacea99

SHA512
ab0b578c6135f040de02fbb005c645689e2cff8234b8807325cafa1f98896e6973874d84f240188c7ec198b76e401ec4dfb858d6ce6f76afd425d7a7fdc3fac6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_B7E6E2E5B49339ED1B50F8F39FE34E73

Filesize
402B

MD5
811ba69f5c82b65493dcc1cd9dbf4881

SHA1
131be38f00527ae1573b585f27401285ab65770c

SHA256
65c28759c7572eebf64253e97f91e7dd4d9324a43d136d2de8e3d2b2a64c41af

SHA512
3ac547fa22674ce07a1576c5bdc1abe1dfce276e5119cde9a7e9153f784bbea59315233b99abb0e9603cfb1e6632399058086494a08cff94fe5212102fd04df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_BE7DA50ED4C167DC2E87819405C6BB24

Filesize
406B

MD5
c8319ec693e7937fbaa795a4a16aa702

SHA1
a4ea716e3822fbf50d3e1db4eb5fb43597ecd403

SHA256
7f6006a04a8d3be7cd6fc5d895d3241af8a35f3418a758c4a4755e89e5c2458a

SHA512
871000e4bb2e2a633eebd4cb5ffc8b380c4614995f96808b6eb5e76535b39676306538d642d4d3399326d19338933f20de597e1193603d8c24915a6d4941b801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\DOVY0DNU\www.google[1].xml

Filesize
95B

MD5
495bbf35d67c9d21911adfbfdb674a57

SHA1
8c90e3a0dacfbd81378cc73c836fd7bba6487e2a

SHA256
99515e170fe917e7a9a2dded87ccdb2add5ff82f260097757dbea22645a108ef

SHA512
e7a441cc5a736f1dcd326b94eb5834b31bbdb5f19a714333dc8859b1cf6bce026464fb5c7cc4a34c4359a4cb38d8e745d9df2159681f0361189ace5880d0172f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

Filesize
5KB

MD5
fdcac50755a47eb1fb7ea4f667838d11

SHA1
bdc38609dcd06566bd686615272fdcbfc421001d

SHA256
ac302536851ea32da10a946c7062c3d33c6b1a3f67adaf099c2603b3bf5d3574

SHA512
98ed0929a22a422d3aae8092700326a3791805e01f42f4282bb716bc1047038d2c0c1ee34a2f79685db66bbd56407292e62292faac220927f14d034ea5fe3658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\recaptcha__en[1].js

Filesize
491KB

MD5
884d00314602d7cb55bbcd2e909f7310

SHA1
dcb353b63aefc091523915f4562a819c31463611

SHA256
2c6a3425cec9ba0cbcfcf1dbba2120a72ac369674a6d02e06bd3b0c16efbdcf7

SHA512
50091f9e37dcf299bc8cf9cfeed4e71709011713ca0701be0ff79c4fb42699c9f9894cbc3a0819b3fece4f698c2201d403b987e6a76a259fbf58fb19e493b87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\webworker[1].js

Filesize
102B

MD5
bcf077e54d883df9bb7dc3e0bcac3ded

SHA1
48be834541645c4f5f77789b5d5edd35ae10e83f

SHA256
c8decb7c7d17d6353f74d740f2afba7886d2c53e0b3d10a44ae1ad7738316ff9

SHA512
ffe81f03493d2d9a6b2bbc2a1398b7a72be15a8e9ae9fb61eef540214b12033038517c6db72834409feb074653da6bd5c577551797fff5318569a42f6f1d769c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\TrkBqBAA-aS2zfRFivzOT01UANX8bQoFEDiMg6e3nFU[1].js

Filesize
23KB

MD5
e51858514367a90506a465ee3f5977f2

SHA1
171bd8620c82ea5a18379faa738410f52a0c23ba

SHA256
4eb901a81000f9a4b6cdf4458afcce4f4d5400d5fc6d0a0510388c83a7b79c55

SHA512
ac072a1959d01c284e93cac34fbc7632ef54a522ce60b8e9546a25132a14fd34457f86bd48def48834f7523b23fe689b4fcfd4215607c3dd767a3f951bbf4472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\api[1].js

Filesize
850B

MD5
d0e48e3d0045d85a0cb71725b215739d

SHA1
ad0647e24920f0815162d595058df31e28430d4d

SHA256
26cd1a6781274af995e5e8cb91f7327d0817f0ec2c943e710af00ae20c80363e

SHA512
582f5605d98c48b372dfe7445b8b2abe0f339cb15f39ca625e02004a684d3c01ea5a8dd78e5eb6485ab839ff09cad364d20dd2a70a8c6d5a9e6bdd9ae16fdf01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9EFE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA089.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
3f7105990762acdeab73dad5893a0968

SHA1
3bba599c9db8686561ca67f32c5b95fd79bd3339

SHA256
97330e7450ed724e86fa930489e40d7eb8ef7f2eb8440f900b17c2b3e6ca8144

SHA512
771f79408eaecea7b26662b5e4cf116cad56369700d99bf6b8b7b1ed5c3ac85900bfe3c6f3fd8c6b8e38c6ae1a3c98bbc3236ff5fd8aafef3de588828ab0641e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F11.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA129.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HTF6GHY8.txt

Filesize
376B

MD5
d8f66653a69bff9b4367e43ab89bd0c0

SHA1
3be9d4509df30b664e33d1d2fc750e13f2dbf984

SHA256
859f7d229934f48d20d0af9e624b1526ed4230ddf0f4f6875d93e1d025657e9e

SHA512
a0196c19597a29c79f940c1471a95062677f98793b89c757cf55e6eea635b75857edfdb3e4d15af7c5959b023af740a193e79b10403a2f4d498bd61a0e867897

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2512-150-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download