4b30f308a5f0cf34361f5a53f2d73c523188adbbd9ac264275946197a3a8aa28

Resubmissions

03-03-2024 13:51

240303-q5vgpscb85 10

03-03-2024 13:45

240303-q2r76sbd9y 10

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
652	MEMZ.exe
1292	MEMZ.exe
2316	MEMZ.exe
2748	MEMZ.exe
1168	MEMZ.exe
2780	MEMZ.exe
2788	MEMZ.exe

Loads dropped DLL 7 IoCs

pid	Process
652	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe
652	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000092b3a0d75ff8a4aa3c99f1be4860728809097609ad1c163209e35079428faf5f000000000e8000000002000020000000496f1ade8a0da2a9108ad1229f2831d526f1f3e5e21b5c9916f16f468377e8612000000056fa21a02ae642d1b6e97110b85c533c43e4c0c0e5dbc253a3bfddf2a57e86074000000026a10e99d3ae42795e4328845ad74928090823c1285e38369d17214be3fad0be3299f498a1f5838e509c6c2b2c229e178457a7eb700347957c360ab2ae27ba19	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d8760e726dda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415635794"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38E26731-D965-11EE-9F86-7EEA931DE775} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000048d7fbe65c60c9439d7eb1131d2a7a90ad11de92d2640579bd5af273e4e3c3dc000000000e8000000002000020000000f45e7ce8975aa25ff4a4ab6b2a224932d3e4025e4a41848c528a23169e260ef090000000af99bac65f93c0b0c65514d52f8af6f8f74c8bdb3e66aeb0c53e583e199831a8106ab6214cf5cba194ac47e0341feeff16764a7c45d49283e98d1600e7c92cbb88f5d7dc62adddd44c42468f76a3e650f327ff3b5af828952a9d9622cb949a7f828c46b919085d2ed337a7b066c33be37c14ab04831679282f57470a7285cd7b592622d9dc5c93904ab5702192de12d5400000001eaabe743d798513f4d0533f923e99a6e4db99e54dc2a6cbf3efe7afd7bcb9ad0c6b44018298c8284a7aecbabbe0fe0c28d2a837f1e5afa7de60e486e238fd35	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
652	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	MEMZ.exe
1292	MEMZ.exe
2316	MEMZ.exe
1292	MEMZ.exe
2316	MEMZ.exe
1292	MEMZ.exe
2748	MEMZ.exe
2316	MEMZ.exe
1292	MEMZ.exe
2748	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
1292	MEMZ.exe
2748	MEMZ.exe
2780	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
1292	MEMZ.exe
2748	MEMZ.exe
2780	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
1292	MEMZ.exe
2748	MEMZ.exe
2780	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
2748	MEMZ.exe
2780	MEMZ.exe
1292	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
2748	MEMZ.exe
1292	MEMZ.exe
2780	MEMZ.exe
2316	MEMZ.exe
2748	MEMZ.exe
1168	MEMZ.exe
1292	MEMZ.exe
2780	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
2780	MEMZ.exe
2748	MEMZ.exe
1292	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
2780	MEMZ.exe
2748	MEMZ.exe
1292	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
2780	MEMZ.exe
2748	MEMZ.exe
1292	MEMZ.exe
2316	MEMZ.exe
1168	MEMZ.exe
2748	MEMZ.exe
2780	MEMZ.exe
1292	MEMZ.exe
2316	MEMZ.exe
2748	MEMZ.exe
1168	MEMZ.exe
2780	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2168	mmc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1004	AUDIODG.EXE
Token: 33	1004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1004	AUDIODG.EXE
Token: 33	2168	mmc.exe
Token: SeIncBasePriorityPrivilege	2168	mmc.exe
Token: 33	2168	mmc.exe
Token: SeIncBasePriorityPrivilege	2168	mmc.exe
Token: 33	2168	mmc.exe
Token: SeIncBasePriorityPrivilege	2168	mmc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1912	cscript.exe
2336	iexplore.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2336	iexplore.exe
2336	iexplore.exe
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
852	IEXPLORE.EXE
852	IEXPLORE.EXE
852	IEXPLORE.EXE
852	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
988	IEXPLORE.EXE
988	IEXPLORE.EXE
988	IEXPLORE.EXE
988	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
1412	mmc.exe
2168	mmc.exe
2168	mmc.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1912	2168	cmd.exe	29
PID 2168 wrote to memory of 1912	2168	cmd.exe	29
PID 2168 wrote to memory of 1912	2168	cmd.exe	29
PID 2168 wrote to memory of 652	2168	cmd.exe	30
PID 2168 wrote to memory of 652	2168	cmd.exe	30
PID 2168 wrote to memory of 652	2168	cmd.exe	30
PID 2168 wrote to memory of 652	2168	cmd.exe	30
PID 652 wrote to memory of 1292	652	MEMZ.exe	31
PID 652 wrote to memory of 1292	652	MEMZ.exe	31
PID 652 wrote to memory of 1292	652	MEMZ.exe	31
PID 652 wrote to memory of 1292	652	MEMZ.exe	31
PID 652 wrote to memory of 2316	652	MEMZ.exe	32
PID 652 wrote to memory of 2316	652	MEMZ.exe	32
PID 652 wrote to memory of 2316	652	MEMZ.exe	32
PID 652 wrote to memory of 2316	652	MEMZ.exe	32
PID 652 wrote to memory of 2748	652	MEMZ.exe	33
PID 652 wrote to memory of 2748	652	MEMZ.exe	33
PID 652 wrote to memory of 2748	652	MEMZ.exe	33
PID 652 wrote to memory of 2748	652	MEMZ.exe	33
PID 652 wrote to memory of 1168	652	MEMZ.exe	34
PID 652 wrote to memory of 1168	652	MEMZ.exe	34
PID 652 wrote to memory of 1168	652	MEMZ.exe	34
PID 652 wrote to memory of 1168	652	MEMZ.exe	34
PID 652 wrote to memory of 2780	652	MEMZ.exe	35
PID 652 wrote to memory of 2780	652	MEMZ.exe	35
PID 652 wrote to memory of 2780	652	MEMZ.exe	35
PID 652 wrote to memory of 2780	652	MEMZ.exe	35
PID 652 wrote to memory of 2788	652	MEMZ.exe	36
PID 652 wrote to memory of 2788	652	MEMZ.exe	36
PID 652 wrote to memory of 2788	652	MEMZ.exe	36
PID 652 wrote to memory of 2788	652	MEMZ.exe	36
PID 2788 wrote to memory of 588	2788	MEMZ.exe	37
PID 2788 wrote to memory of 588	2788	MEMZ.exe	37
PID 2788 wrote to memory of 588	2788	MEMZ.exe	37
PID 2788 wrote to memory of 588	2788	MEMZ.exe	37
PID 2788 wrote to memory of 2336	2788	MEMZ.exe	38
PID 2788 wrote to memory of 2336	2788	MEMZ.exe	38
PID 2788 wrote to memory of 2336	2788	MEMZ.exe	38
PID 2788 wrote to memory of 2336	2788	MEMZ.exe	38
PID 2336 wrote to memory of 3008	2336	iexplore.exe	40
PID 2336 wrote to memory of 3008	2336	iexplore.exe	40
PID 2336 wrote to memory of 3008	2336	iexplore.exe	40
PID 2336 wrote to memory of 3008	2336	iexplore.exe	40
PID 2336 wrote to memory of 852	2336	iexplore.exe	44
PID 2336 wrote to memory of 852	2336	iexplore.exe	44
PID 2336 wrote to memory of 852	2336	iexplore.exe	44
PID 2336 wrote to memory of 852	2336	iexplore.exe	44
PID 2336 wrote to memory of 2972	2336	iexplore.exe	45
PID 2336 wrote to memory of 2972	2336	iexplore.exe	45
PID 2336 wrote to memory of 2972	2336	iexplore.exe	45
PID 2336 wrote to memory of 2972	2336	iexplore.exe	45
PID 2336 wrote to memory of 988	2336	iexplore.exe	46
PID 2336 wrote to memory of 988	2336	iexplore.exe	46
PID 2336 wrote to memory of 988	2336	iexplore.exe	46
PID 2336 wrote to memory of 988	2336	iexplore.exe	46
PID 2788 wrote to memory of 1412	2788	MEMZ.exe	48
PID 2788 wrote to memory of 1412	2788	MEMZ.exe	48
PID 2788 wrote to memory of 1412	2788	MEMZ.exe	48
PID 2788 wrote to memory of 1412	2788	MEMZ.exe	48
PID 1412 wrote to memory of 2168	1412	mmc.exe	49
PID 1412 wrote to memory of 2168	1412	mmc.exe	49
PID 1412 wrote to memory of 2168	1412	mmc.exe	49
PID 1412 wrote to memory of 2168	1412	mmc.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1912
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1292
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2316
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2748
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1168
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2780
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:588
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3008
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:406536 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:852
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:537606 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2972
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:734223 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:988
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2168

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
81ab07a0e8a5aeb4ef5037a35ad5e80e

SHA1
807699680de32236ca125cf89f65e1a1396a082e

SHA256
7b4cf07c19a58f15c5b8cfa6d4eb363fea8470860cc995d6d70614fc7015d019

SHA512
27c9cfea522fec8dadedf8f277038086dee95a241473428568e3cd2887c2bdac1ed937872cdd32fc38712ac1f0a66996c6ca839c911189a08d208eede1615e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_B7E6E2E5B49339ED1B50F8F39FE34E73

Filesize
472B

MD5
ba2351d6d2dac436c5b2c2f42feab7a5

SHA1
79d67c2428b208a65e13d806471575718ea1bdb2

SHA256
13e85bd875097ae958005449cce29ef16877bc20844e1c98426f978b5067d9a6

SHA512
f719bf032e95af8063973987ebd7bbeb1d931f7291a2071dac78828192b1a421b7c7e9e54c23870eb4a86360c0b49b0bb99d9541a224ff53bc900b3f0acbb0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_BE7DA50ED4C167DC2E87819405C6BB24

Filesize
471B

MD5
53c9a34bc08eeeeb2b4a89cf23f0b8fe

SHA1
0658ec2aeaf8b4963cce201389c8e8740cfdf1f5

SHA256
3a0cbf4f359cee41b7818ccef795a174ce82ccfc6bf00463b86dbd4aa9f08a50

SHA512
1ae8db15df66b18010cabc9f4d50834d49c2d3346593e49a35906f10cb1de4edd7c95cfc65232aa0162d7c635790805cdeeba2b5ad74fbe60e94429ceaa010f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
bcf2bde5f14845cf6625851f4381b7c9

SHA1
3ea13350e53ec1e066db8c85c7cdeee5faa3b714

SHA256
9c10be322282a128c482fba92dddc383b724b73bba1086b0b6a950b148280bfe

SHA512
2db7fa63d5cc4252db6e0b41cd20babf391e23734350fab6af9b7a0589e0bc10b6cc227df4b4667a654df1e503c5e98471ebb96fbdecc3c6e76ca76e60badb3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
cb4aa6cc939dceb4f93ffa85eb03fc79

SHA1
7adfd17d467951d5352623d3edf04b358e7bcbeb

SHA256
b63e123265ccc7adc62253127b9f74e5db6eecd21d0ee6191ee9ae50aee416ac

SHA512
fb53d78537ca8a71bd35ff3115b82c9fcf7835970b06fc8fc3c9040f6f5fa22ad426af4b204071fa724716241a62c9e3b40f7cd3e4aab886bbe03e251fc644f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
e36bb586a4834d28b63c400707d6bc9a

SHA1
585953a6ec64810cece67df7181fefb51c49f72a

SHA256
746960d863ae4b4c4c9dfae3f1b9eef0701a5dd55490d75683b958dc3ac3d5ca

SHA512
08f198d941925105e27716cd9a8f6bc9ab3238f3ca49f6095abf44ffa204060f1526576e79bc6d6e014a7607d459b7c6c03ec0d29a461df56222b864d6011ae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b906de9dd2c2b294f333a3f15ce951cb

SHA1
72bd059941dfb4a0bf2eb18e940b519897eaf4ca

SHA256
838bd29f7f86c3d17593e8b26d89338d7a22a4cb41cad8f4cf748b40027c3cb7

SHA512
d9e5e113774a1a0c955bb9bdaa041e535383f5b42948079ebc5aba4fe3ec2060ebed6c78bd1043298b4b16add7f370a7117ed360e4bc4871d07261c97134d8cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
967c76bdea6a40a0614d61106645104e

SHA1
6971fb21d36cf0ca7a021b1bfe27ab1fbda8c8e7

SHA256
2076cd2c835812e404152f191d61ab36bfb26f789bdae094f5bb7bd74c6363b3

SHA512
ae35cae1f9dcde16d81fbe7d2c113ff22765286b9f471080f044ee82b27ffd42a2bf2814eb19a5d28a0df55f1535499fbdff2939df8f1694c88adbbb6092ccee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5668dd91268aaff405084565bb06c08c

SHA1
f0aef94d4978bd56e52aa51f320fa2ed0ad34a8c

SHA256
be949d2c16c6a1138cccdfe0583ce508fca03f227bda3334b44110622274e584

SHA512
06e3671beef00987f290d0b29b0a5bb46b35bf067c9504ff78e1c0186a518685a28967f70998dfe09a63dffe57b71534a5f9e02caa692ea8ead62d887e16f97a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9e3721a1deaf78858d1cb9c962828b4

SHA1
c83fd0a11f36555c014f7861d6d3fe052427a3a9

SHA256
4c6fac758336263a5acb04c289ac765c18df2e632d6bc2d562323beeeff89f10

SHA512
be201467c77a6e206a4852ace7909302297387c0505fd6343b48ad6df0f55e1eeed5ef155de69f5f5759db5067f4e686e10231ad826285cb102fff1be5afead6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9257557343d18efd2f21ac0fa673443f

SHA1
5aa5d78834da0210442769ba1ce7547ee2cb56c1

SHA256
99a96c2efda18db52fd4bfc3ed8486a4b919c5e12d08538d2f4919a08601cc44

SHA512
2522d8e06ebed4d8f97f007c0c375839811051158e54b3b4c3b088d4746a18b00506cb96c8e8eaa6df1743267c1d3f98c978d4474814c77a6210ba27f9e2a1c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9911e0bec1062ea0084ed08118907b4

SHA1
3e01fd983aa9b3fce3b9646725b679ebb7d3d798

SHA256
6bbc8871fffad056c3049a5b29e515f655d2d9c2c153aa594d1278b1f8df0968

SHA512
60c1f6a93decabb548b6c9081f7167fdf00a211e0cee45d556728d9b1ef006f9cc1cd39c29ebac56fe107d70b450fd55a2a74d2855d4273d6afc6ce98cf2fa2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4fa07dd02defe067e000359e037291d

SHA1
3cf75e36a9e401372ca4af97bccdae92af6c3677

SHA256
afed7f2d17f59be0793f68374a41eff294cfc2bdebf178be1f2f10d64b1f5061

SHA512
9abf8655c2e28582e100b3e6b29eefe2f7468830e6b49c642e5614132c46d8828113c7f19266d921878db988013b403e7c0943fd0d715ab56a15fc896e5686d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9345b5e467d8644bc64f6628aefaed2c

SHA1
408b509ebec95f2687c21318d3bb982c0ea9ba26

SHA256
f07dd7a60cce77c40fdd9c2e20963d2171de84eca0ba60a5cb0def8c5f065a0b

SHA512
17aba6b6ba3ff0fedb27299b50ef941d2bc7e3cca62c4add66f09cf7e36a68d14117de1cecccccce2db5e90204bcb3fcaa4be1219868a190375bfb82816bff52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
056fa5b98fdecd894580b4e8a47ab6a3

SHA1
a9252a3a2fc7f06246ff6877da38e0385a1de3f3

SHA256
56bc6099d0ba7c572ff8ac19c19f17f872b2683447503ccb07dc35f6c8378288

SHA512
7bea3afdcc137aa679c18eee677d223c743daa8730d0b80861b6679b386e0efc7b6eecfab72be39796c83ed72b59c36a00501de18915878b149f5fdb2bba3634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44a2873bfb953ee2af5995e749ac089b

SHA1
364917525425e730ad7eca5a7804762a8e11c898

SHA256
50c0eb4c4cd1527effe570d240939889258c780f7bd27c8e76d236bd08314666

SHA512
4a30d7cf6df1f5c0ce3b1bf34db242aa004178fa24850c8e8cd5197d7a6b893b8d2596ccfb5d9480209069934a178442934479f3c2711915555a4e3ad948869f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6378dc62a083bbb7aba2aef55afdf5ad

SHA1
6cf1df513e5128e492560a240bf9b945fc325dfa

SHA256
797b85f0212b8f7bfe3eb4759a00a132502aa7c1060bac85fcbc7f194876de08

SHA512
a7f4d3df5db379831635286c85c3d5a672572d3517e75d006d500fe3acc1e643371379fbceec0ec8c6fdbb744b11fbbdded48da82f9f83a50ff93f63ac46ec8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eabeebefc1622df16918fe6a3f915a31

SHA1
d64356743c0615d4eb7c39617d60f47ca8387170

SHA256
a742d32b70d5bf20a772cc17d2753a7c034d513a7c4c942fcd39683c52d7777e

SHA512
e51704024570e3e442d427293800dc5b3153c6fe0978a4f46db634c1604341ee62bcd6fd3c643cd7e3691b95a075c7d739e984733df2e1d3759fbb620dca869d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17bd3528dd956a91b412f65ba9e02624

SHA1
4d5c2946f44fe0c5e64a8b24aad679d034de503a

SHA256
7caafef37aca3a88c66559f3070be7ce30eb19994b49a47a3478855bcb7f15d6

SHA512
f7fc05a6f16d89c162f7290443c8d6d638986c17276e08ae6b00eec4810bb2b4b806af9781457958a09b9034ee3763181458a5426fc74ed5b60289416733dc61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ccae4d761db750a75acae92373e8b9a

SHA1
bc7b69450daee97ba9bce2b041957b750feec50f

SHA256
20e151c0b2d600c2dd4860f68437be447c6166f63fc382463437a04d910271ae

SHA512
b9f424c28287b8461298be5139e36e2042ebd378fb83ae98d0e3d740e21cda2ef10d417b070d218e638fd59ed92ebd8ca91aad19956b5d4644f2d93db7c6042d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4402d0467a955a72381dcea3f25e38c4

SHA1
566ec4592f93a311190e97e151e8a4ca3c76f339

SHA256
f14eb702208198963cd71497a8e18df213ce3ab0d03ab1b16301068bab7da947

SHA512
5b1171037a298b83d45c0e56645d21b92e0d41dd81958e97364c0e01962f16338624a1ff04e50920e26b367365eaa7f72146b254d140e44f14f06c884da725ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2742639daa027921fbaa6c6c2002eca8

SHA1
522d80767046307d711e31195b94d94da139c998

SHA256
cbeefa31b4b31725cadcfce5987cd67264c936f751b35628f66d63fd4280aed2

SHA512
0b31ecc738f893b8d958fb54f8a0b6b66fef7014fdeb87ff3a7718d1549b590466b5a297b22f85b605d992afe4b555990de376a968be2de20be98e09ac08ff0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c05834497ee8a83082f8e8d1b0396b27

SHA1
e50c4c11d4eb4798dba4c125b23727a26c005d5a

SHA256
3e18c1ebce4766419614ef5033091856e73e3656877e1f75bb83e5c0527dee76

SHA512
e6ce8e21ab0f5f85f8fe30c3edc691675bb0da1c6968e07fd8c75843d2279e2cf6551d367c81825701153c08ba9c513e51849012f83ffb1974961df0fe031f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ec6c46fd8df037e35270fc018fae292

SHA1
f7c6391a31a103bbbf6e6ce7a135d0fcb4a80308

SHA256
689cf2a5595e1627228b740dfa33d319c48eac500072ed0cb1661f8661b29870

SHA512
2eb81007c1e916074a362262cbb172219b06777a0bf48401c9c7bf7782f1687540793963939dbb909c5f01ab70a9477800a33ad382f77e35e9b49017d7070ebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d79190b47a9230a5250ec1d954eee509

SHA1
67b5abe7b9717e9065de6ebd97611431276c2ec1

SHA256
85badf2a29a30264f4133104f5949cc38dba319bed2f76877eaecba8717e4080

SHA512
33668b176832885eaf41f8a4bab81ad881e5f1ff8d0b8b00157c875c44312a38ac2a5c7f45d0f037bdd8d187371b3d3f36d509c4fb62099f716fa67770b6cc54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc34cb068c0267920a142b060334adfb

SHA1
c56f75cd39ce279f2646f7691d2acbdfa201ec57

SHA256
3fce645fbae31b1f20ed1d1481e8654dc133f3426b5c346d3ce18b3fff3855f0

SHA512
6cf8efd6dc7a7407d7d22cea2df508145653f59f7ff363ff5f0b37c59e7b88492f6585a6d11b7958f77cab333a853ea4f9e0137a7d71190cb3c1d3c3e35e2cac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ababe6df2a5b260b6de1b16045478602

SHA1
9304e1ea87bc56facb65270b859712f6cd77498b

SHA256
e9e1e24d069278dfc33f36c864707b4f4a99f3f8e495ab9e52f2d67d4bf173ff

SHA512
44fa02f045848d1bb08018248e5519e594c074b6142f502f1fd60621d12c44e4e0d56e3f077e2c4d3be0e0219ca8771ecb768fc80830c099d043bf385b879d38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89ac5e89cc89ed0fae939f0002b30b0c

SHA1
75ace4bd197d80acec502938ff2ae7857613f363

SHA256
48647de5c413f8e5df57fabfc6a79ff892ce76d6fba36149afd592b10ba32209

SHA512
e556fff1b0ee9fe58a8fffe19cf412472394aba87174cd11c6ecee16b1fb81bef94dbeaf8861ac22ca24e3f5b52cb7e7345de096d533d1504811de114b24e70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ebfc383abd8c6d35e104c51b0c173da5

SHA1
b4f5a200bb06cb4c5f063b1c0c1ef94388ea5a42

SHA256
fe36c2ad41b0a9521cd666c33ef4ee50f47b0d5a02f96361dab61e6a50630d90

SHA512
fc74a4aa71222187c10a44d6b3a5b7c44da6314d7f12bb971a9ab290748f716a14e45a089f3c3bb3112e2a0a58142084981c22bac84846fdcefdb3262e574d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b0e036756833273aaecce3f79c69fc5

SHA1
a454978dfa6f16a69d8a203da219629b077262ce

SHA256
ed861e5baac2a645f536129fb366cf20a115b1e1304851239b22149ba024aa35

SHA512
c65520094e89a141b033d9e464b45d877af7cfc9dd0f3b6b13fd6e9b544f8698f99b73e114a6930aa83a45cb41238a3f113f3d981f6428cce2f009cad8be74bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
f8b34ab9fbbbfaa766582bca5b6cb350

SHA1
b899ff5553659093a9f4fccee14a4bb0375ee080

SHA256
c0b638648ffe7c7bb60cc15b24689ce40ad90e2177e1e27a3b8a755d962378a3

SHA512
da8fbef073d3d6e125612b37a178e7e39eb500591065652e4e8cd558c2bc8b85e25a6c37cd2aa1baf27d95c72b435cdbab08f163cc79f058f31d2722639dbd90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_B7E6E2E5B49339ED1B50F8F39FE34E73

Filesize
402B

MD5
d80d474f5aa370cc588e0f09693efaca

SHA1
4d8ce8d0df7dd4664a2962e03215980721a949e6

SHA256
3bd4a9a255874c62c54ffa495e08d400b1202529f71846cc648c357749fd9052

SHA512
515db868f3ce7067d27c5187e112073e388ef1c71ca6dec600248c85c220e85a23f32157e61491deea42af3c3ae6066e6692cf1ae58cce670ffba447951da4da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_BE7DA50ED4C167DC2E87819405C6BB24

Filesize
406B

MD5
442fa67c6364fdf79d718d2a9fb71a2f

SHA1
3127566cceaa32ee47d4f2b819b4b6f7693961e5

SHA256
1ec40c699632ecb9acdf0947ff50958d25c30225d39859aa29a540dee5dd32cf

SHA512
6ec1e0b64a07e10bfa0f88cc56fa1cccf6df9699dbeda780ac1ca39e06812a26ecde00a2069085d81344ecbcf31f535dbb5b5ebfab3952351bc96b4199845485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5542VM83\www.google[1].xml

Filesize
95B

MD5
2caae0aa445151e2ad4a10770ae748ec

SHA1
e8f75efcd7d8fc44edd15617cc43542ccc358a72

SHA256
ca7f2612f30f94341e023d2933f1942f150e312ba42af27c4229cd4db4621bd1

SHA512
8d5f329bf5e333068ff28b74bc1809db3ec919e534a58e0c3c92428bf87c3cc4e87f0b49f4ea3ebaf8d5c09f55013915fced1ae33859b60d63c941e493d99f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

Filesize
6KB

MD5
177cf588807ddd948b75a57778b16a54

SHA1
cfd92dfa8dbb5aa5b86443cad2d46c89137a6747

SHA256
9926d7da7076fcf6855481c5ed8247b55720f0c523f0738a535ff1ee9b175cb0

SHA512
00283981d4b42f2fac152132760bb78df856993eb87981f55a934a84834bab7b3dc397f8500b129e623f7669c50bc9ba6ddb4243ea2d04713e32d479e8389135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

Filesize
5KB

MD5
81ce5c39ed26db6dcc59d739bed9cc15

SHA1
55949ad6fdadf6a2dfee984b6a66168ae2163423

SHA256
b045e77ec8a613676cf1096428f8033eebe4b508dd78e7a18ef5cf5c97dad338

SHA512
1f8245accc7cf216939c1622261bd3f1a77f61ddef002d45fb917689c6615fc45a4aecf86310192fc4063750e2cb8a363d8cb713f42c70e3273d8cb2c2b33adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\webworker[1].js

Filesize
102B

MD5
bcf077e54d883df9bb7dc3e0bcac3ded

SHA1
48be834541645c4f5f77789b5d5edd35ae10e83f

SHA256
c8decb7c7d17d6353f74d740f2afba7886d2c53e0b3d10a44ae1ad7738316ff9

SHA512
ffe81f03493d2d9a6b2bbc2a1398b7a72be15a8e9ae9fb61eef540214b12033038517c6db72834409feb074653da6bd5c577551797fff5318569a42f6f1d769c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\TrkBqBAA-aS2zfRFivzOT01UANX8bQoFEDiMg6e3nFU[1].js

Filesize
23KB

MD5
e51858514367a90506a465ee3f5977f2

SHA1
171bd8620c82ea5a18379faa738410f52a0c23ba

SHA256
4eb901a81000f9a4b6cdf4458afcce4f4d5400d5fc6d0a0510388c83a7b79c55

SHA512
ac072a1959d01c284e93cac34fbc7632ef54a522ce60b8e9546a25132a14fd34457f86bd48def48834f7523b23fe689b4fcfd4215607c3dd767a3f951bbf4472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\api[1].js

Filesize
850B

MD5
d0e48e3d0045d85a0cb71725b215739d

SHA1
ad0647e24920f0815162d595058df31e28430d4d

SHA256
26cd1a6781274af995e5e8cb91f7327d0817f0ec2c943e710af00ae20c80363e

SHA512
582f5605d98c48b372dfe7445b8b2abe0f339cb15f39ca625e02004a684d3c01ea5a8dd78e5eb6485ab839ff09cad364d20dd2a70a8c6d5a9e6bdd9ae16fdf01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\favicon[1].ico

Filesize
1KB

MD5
ac0cd867e03ed914827807d4715bdfe7

SHA1
4051a8c23756c10d9cc00fcde6f7215c780fdf6f

SHA256
b50546da121186fbffd2aec430249cb21c7c2e2c85e561a393a9df9abfc4477c

SHA512
fa11d1d76c39719c218b4ffa34de8dd44d398bdcbb236a666f0be6eeee96bcbe4da9ac65a89441ad284c0de21788c135dc4fd21f6f82c7039f00c8a7c705c8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\recaptcha__en[1].js

Filesize
491KB

MD5
884d00314602d7cb55bbcd2e909f7310

SHA1
dcb353b63aefc091523915f4562a819c31463611

SHA256
2c6a3425cec9ba0cbcfcf1dbba2120a72ac369674a6d02e06bd3b0c16efbdcf7

SHA512
50091f9e37dcf299bc8cf9cfeed4e71709011713ca0701be0ff79c4fb42699c9f9894cbc3a0819b3fece4f698c2201d403b987e6a76a259fbf58fb19e493b87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC350.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
3f7105990762acdeab73dad5893a0968

SHA1
3bba599c9db8686561ca67f32c5b95fd79bd3339

SHA256
97330e7450ed724e86fa930489e40d7eb8ef7f2eb8440f900b17c2b3e6ca8144

SHA512
771f79408eaecea7b26662b5e4cf116cad56369700d99bf6b8b7b1ed5c3ac85900bfe3c6f3fd8c6b8e38c6ae1a3c98bbc3236ff5fd8aafef3de588828ab0641e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC363.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC462.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JPD56Q6H.txt

Filesize
377B

MD5
ddbdf52746c6c45118ad8bc8280177c6

SHA1
b8bcde171fd5099c67a3c3da6759f79af1b091a5

SHA256
4c6f3ba24c93cee21cada0b34ea634180099e0e7574b3bde6cfa94a8f7632a97

SHA512
b668c605f3a49e987c37062a50b59539d3255896e45ba73c7ed95fbe66bb3a177e5cdda565f261e621141a1a2322b1f7e32a357df064b80de49eefab71219961

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1912-150-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2168-1650-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download