734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
599s
max time network
601s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

3016 MEMZ.exe
1552 MEMZ.exe
1448 MEMZ.exe
1176 MEMZ.exe
1236 MEMZ.exe
3024 MEMZ.exe
2480 MEMZ.exe

Loads dropped DLL 27 IoCs

Processes:

MEMZ.exetaskmgr.exetaskmgr.exe

pid	process
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 2 IoCs

Processes:

mspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000bb2e84f99cf1b7b14285a74175a7d3dd3a74be82cf7f657fa03fcd24071fd799000000000e800000000200002000000079070d05bf81180fcf76aec70691e191ac283f7bc2125fa131e0f4481c8fa72590000000c3f9f717ec6a385459849c9b55d922a86e2c287d24aec48c8d54202cd5c0246145f2b24eefea7f82c5e5e85c7a1bc4aed7f22aa6bc37f3e9eee7184f0e31b6a90d57d081d438c0d3a39ca51fd06124448265965d2505736f86b346f005979d1ee5203876a10f9018fe4e46c02d8b4d057bcad58cad12cf365cf9fce814fc3db044c6d4ccafc893275ffec40e69f1315d40000000f0eb1ced9c60d861bc5fe240a19c3b212fd8f44ea2f63180e39d1d8a8540597808d288c1a3db6fe96638b8e346e6759bfb74382149289adde76b02c9b13e5b75	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f51ca85773da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc233000000000200000000001066000000010000200000002b5e385d8a5d07626b192c4223cc3b7132498f7d5efac61a52cdeacee9c3a019000000000e80000000020000200000004a22821098e8741ce0a53e2a378292464861ede74db5a056d4316b1cc5bc538120000000e51deefd0ed7843d70e8dfbb34964a5a9aee4af931f32879e47afc74415bcd0340000000105b044a7bade4329717a3d15d1acc0a0973b2025a5cd1858a29b08d0eb746b1a79cb9736c37aaf0b37380a5b5f15596a5d203e271e80e4fe80d64285b804518	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416284148"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

3724 regedit.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

3016 MEMZ.exe

pid	process
3724	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1552	MEMZ.exe
1552	MEMZ.exe
1552	MEMZ.exe
1448	MEMZ.exe
1448	MEMZ.exe
1552	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
1552	MEMZ.exe
1236	MEMZ.exe
1448	MEMZ.exe
1552	MEMZ.exe
1176	MEMZ.exe
3024	MEMZ.exe
3024	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
1176	MEMZ.exe
1552	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
3024	MEMZ.exe
1176	MEMZ.exe
1552	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
3024	MEMZ.exe
1176	MEMZ.exe
1552	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
3024	MEMZ.exe
1176	MEMZ.exe
1552	MEMZ.exe
1448	MEMZ.exe
3024	MEMZ.exe
1176	MEMZ.exe
1236	MEMZ.exe
1552	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
3024	MEMZ.exe
1176	MEMZ.exe
1552	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
1552	MEMZ.exe
1176	MEMZ.exe
3024	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
1552	MEMZ.exe
1176	MEMZ.exe
3024	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
1552	MEMZ.exe
1176	MEMZ.exe
3024	MEMZ.exe
1448	MEMZ.exe
1236	MEMZ.exe
1552	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

MEMZ.exemmc.exemmc.exemmc.exe

pid process

2480 MEMZ.exe
4448 mmc.exe
4884 mmc.exe
4812 mmc.exe
Suspicious behavior: SetClipboardViewer 3 IoCs

Processes:

mmc.exemmc.exemmc.exe

pid process

4884 mmc.exe
4812 mmc.exe
4440 mmc.exe

pid	process
2480	MEMZ.exe
4448	mmc.exe
4884	mmc.exe
4812	mmc.exe

pid	process
4884	mmc.exe
4812	mmc.exe
4440	mmc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

AUDIODG.EXEmmc.exetaskmgr.exetaskmgr.exemmc.exemmc.exemmc.exe

description	pid	process
Token: 33	768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	768	AUDIODG.EXE
Token: 33	768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	768	AUDIODG.EXE
Token: 33	4448	mmc.exe
Token: SeIncBasePriorityPrivilege	4448	mmc.exe
Token: 33	4448	mmc.exe
Token: SeIncBasePriorityPrivilege	4448	mmc.exe
Token: SeDebugPrivilege	4388	taskmgr.exe
Token: SeDebugPrivilege	4856	taskmgr.exe
Token: 33	4884	mmc.exe
Token: SeIncBasePriorityPrivilege	4884	mmc.exe
Token: 33	4884	mmc.exe
Token: SeIncBasePriorityPrivilege	4884	mmc.exe
Token: 33	4812	mmc.exe
Token: SeIncBasePriorityPrivilege	4812	mmc.exe
Token: 33	4812	mmc.exe
Token: SeIncBasePriorityPrivilege	4812	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe
Token: 33	4440	mmc.exe
Token: SeIncBasePriorityPrivilege	4440	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

cscript.exeiexplore.exetaskmgr.exetaskmgr.exe

pid	process
2296	cscript.exe
1112	iexplore.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe
4388	taskmgr.exe
4856	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEwordpad.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEMEMZ.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1112	iexplore.exe
1112	iexplore.exe
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
2552	wordpad.exe
2552	wordpad.exe
2552	wordpad.exe
2552	wordpad.exe
2552	wordpad.exe
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
1152	IEXPLORE.EXE
1152	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2480	MEMZ.exe
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
2480	MEMZ.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
2480	MEMZ.exe
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
2480	MEMZ.exe
2480	MEMZ.exe
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2480	MEMZ.exe
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2480	MEMZ.exe
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exewordpad.exe

description	pid	process	target process
PID 2088 wrote to memory of 2296	2088	cmd.exe	cscript.exe
PID 2088 wrote to memory of 2296	2088	cmd.exe	cscript.exe
PID 2088 wrote to memory of 2296	2088	cmd.exe	cscript.exe
PID 2088 wrote to memory of 3016	2088	cmd.exe	MEMZ.exe
PID 2088 wrote to memory of 3016	2088	cmd.exe	MEMZ.exe
PID 2088 wrote to memory of 3016	2088	cmd.exe	MEMZ.exe
PID 2088 wrote to memory of 3016	2088	cmd.exe	MEMZ.exe
PID 3016 wrote to memory of 1552	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1552	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1552	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1552	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1448	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1448	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1448	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1448	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1176	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1176	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1176	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1176	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1236	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1236	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1236	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 1236	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 3024	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 3024	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 3024	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 3024	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 2480	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 2480	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 2480	3016	MEMZ.exe	MEMZ.exe
PID 3016 wrote to memory of 2480	3016	MEMZ.exe	MEMZ.exe
PID 2480 wrote to memory of 1088	2480	MEMZ.exe	notepad.exe
PID 2480 wrote to memory of 1088	2480	MEMZ.exe	notepad.exe
PID 2480 wrote to memory of 1088	2480	MEMZ.exe	notepad.exe
PID 2480 wrote to memory of 1088	2480	MEMZ.exe	notepad.exe
PID 2480 wrote to memory of 1112	2480	MEMZ.exe	iexplore.exe
PID 2480 wrote to memory of 1112	2480	MEMZ.exe	iexplore.exe
PID 2480 wrote to memory of 1112	2480	MEMZ.exe	iexplore.exe
PID 2480 wrote to memory of 1112	2480	MEMZ.exe	iexplore.exe
PID 1112 wrote to memory of 1152	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 1152	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 1152	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 1152	1112	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 2552	2480	MEMZ.exe	wordpad.exe
PID 2480 wrote to memory of 2552	2480	MEMZ.exe	wordpad.exe
PID 2480 wrote to memory of 2552	2480	MEMZ.exe	wordpad.exe
PID 2480 wrote to memory of 2552	2480	MEMZ.exe	wordpad.exe
PID 2552 wrote to memory of 2792	2552	wordpad.exe	splwow64.exe
PID 2552 wrote to memory of 2792	2552	wordpad.exe	splwow64.exe
PID 2552 wrote to memory of 2792	2552	wordpad.exe	splwow64.exe
PID 2552 wrote to memory of 2792	2552	wordpad.exe	splwow64.exe
PID 1112 wrote to memory of 2432	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2432	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2432	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2432	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2544	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2544	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2544	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2544	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2372	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2372	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2372	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2372	1112	iexplore.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 2788	1112	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:2296

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:406549 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:865294 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:930838 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275520 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:865334 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:668745 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:3879988 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:3945540 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:1258561 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:3912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275631 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:3548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:1455205 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:3964

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:2831448 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:3228

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:1586293 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:624

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:1389722 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:4080

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:2307212 /prefetch:2
5⤵
- Modifies Internet Explorer settings
PID:4592

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
5⤵
PID:2792

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
4⤵
PID:2104

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
4⤵
PID:1700

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
4⤵
PID:3060

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
4⤵
PID:2208

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
4⤵
- Drops file in Windows directory
PID:1800

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
PID:2380

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
4⤵
- Drops file in Windows directory
PID:3268

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
4⤵
PID:3772

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
4⤵
PID:4060

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
4⤵
PID:4412

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4388

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4856

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
4⤵
PID:4860

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
4⤵
PID:4860

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
4⤵
- Runs regedit.exe
PID:3724

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
4⤵
PID:4340

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:3684

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
4⤵
PID:4832

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
PID:4208

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
4⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:4996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
2KB

MD5
fc92b2c6175b15300cba0822c2bace0d

SHA1
c23875c1655a5fd48099d82762aa3045fd20d476

SHA256
bb50723924f16869f441be92ce21befefc21a10095b851b74f688f57e90b8947

SHA512
572165088628a78f91cd74dc75b211d6c1159de36209e286ef8b23f900538484558edfa1a662f2882132a1c7680633a617fd473f5c8a13211a0ab3820c0bdc0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
25815685f4efc87d1162095a54295fad

SHA1
78c369eebfa4cbd40ceda7a9fb935b1ff9568b04

SHA256
7f8831f8c3b72f6e05ba336c028530a99e7846970778d639def50eedb9d35cf4

SHA512
435c1da6733c8c59a10d1f0b51b157d0cc8647f784a1753abf89edd845d2b1535765b448da3f14b44e925c0531cf9595cd9a06939a7a749a1356ebdae3f721dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329C03A4966B136B54FB137DCA798EB7

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
02be4b01991a79ad90dfa5c48fd9f3d1

SHA1
5d21477930dd665bca274029c5a07012a83c9f0c

SHA256
59ed00a9a0711c349ac7e35380e60196223d7045d996ab8e1719da0ba438f913

SHA512
bc43f6099d769adc9e69e8bd12d42bbd3ccba4ecb11b220abd2625cdc6e8e6a8ecf17585c14f82631a4c8d21efda6fae7cb4305d1fdf5be7a226c7b96904947a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_749F323800EEA448718955FAC254DD4F

Filesize
471B

MD5
68be297696f6df373169f0c6e2d06c83

SHA1
947f0e3b4942d22ac9b1ec6ff51e1afd32bf1834

SHA256
b419aae79b16a2161dca133ad6b4ff68a3287994ec849c01a0ddf35471c38810

SHA512
0eb1c88e8ddde49dc11ba89207de461e1ec16ef6561b1077987593b229959a251d9a213ce6e6697ff4957f3642168f1a180b434690e0266bd198f224dafc06e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
488B

MD5
d4d460bd954a3b207af582545919f91a

SHA1
020970c0c5b49234bddff9d3eb96c9dca17c1ea1

SHA256
bcce95c26b5b8e69f7b979179ba9e8eb7a091aaf452b9acffb333c7def4d1793

SHA512
e8cb34261fbd8fb1eac73af37141f4ea3df54ffbe71274b423f90d092b058463b0081ee88effa6d25bce772af4b8252dd808ca3667166bd84b52f58533002825

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d5408b730cfa535e017caf01ed906f42

SHA1
6a68e8466af384a117345ddede62571bc8fbbee3

SHA256
a557ed49940d97f64ed2d7df13c8d4516ff78af7e26d18367b33f3feb2ce2311

SHA512
59d75cd6afd39a279f303f2d3c5a4ff5740e4d2e3b0b8c1ac26c3c5acdb99baaf64ff3b648402ddae9a6acfc61d1375bf168ed91baff13bd14d86c8d5e353fd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329C03A4966B136B54FB137DCA798EB7

Filesize
426B

MD5
236361aef81edfd07652fe75ebd4562a

SHA1
75bad33968eae2233b88a77204deec65a5a1ca82

SHA256
c406371680d23fd5be465859da309f4023099bf4e64064e3de5f870dd5911623

SHA512
b0a7d92badfbf8ed666873f50cefbdea28c6de578a3a2ac1ddfa6bc06ca121ed9cf775519a6108441d2b07ac60d53b4abe84f266ec150c2f8e165d96cfdb08cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e024006043e7764e10b68ebc948197d7

SHA1
0bb14f4cd9162c871e4411766e5fe7b9a0ebdddf

SHA256
52b8095e4d8e4aa477607ee778005f8b9a4c37c5c95175012fd0da23b185a111

SHA512
e3608706aaf0238828785cf1606cf3197bab69cec3ed01a76bea4fc29f02d0de685056864e84ae9c8719b6edcf6f916757f5dd36c9302f1214bc157c82eae64e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4c6f03cfd4d9fe75fee0e32b8a1ffe6

SHA1
ba23e897652318f3f02be655e1654ce3a681e635

SHA256
7bd72725f423f1e05371a87710f40a14e3e673d06f6cb9d09134b989b14b4edc

SHA512
fe13412a56d6ca32b3df9363785c03cb6dd050446301b512a6b91e1be37a774c1f3591f91af22484eead42676997662dd3f2282bf0fda64849b17ede66702ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21288353f95d9993bc2782d133d6568f

SHA1
07285d53280dee8a8280c563fb2358bbd6d627d5

SHA256
5efedc76731649ea1aeb88c0dda50b1c6680e853d056173f9443108d1d7955cc

SHA512
2de8fe4cb1485c4a02e211f127d4ab22226f83b7db42dfa5a418e0fec50de100ab750670086806db38db20604bd684f110a02106d43847a7a335b5f385f3f518

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b899e745e010ce0add8d6b5381439865

SHA1
44b558482c77ee3b671a0294038794900bb629b0

SHA256
7c57cafa6aa1e356e7c647bae83aa3e255acfa49c996c713babfa742caa4afdc

SHA512
1ff723553773cd94bbe1ac98e0bbfc0f79696f94bcff40e9a77946f7f7c2ecc630cc89a9847167a45b3db62d7af2e44b618ac344103f537219e237642574242f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b8efd27dbe892b0634481c61cd8f2f5

SHA1
ec426c1cd82f861d65c996afd72620719d587aa8

SHA256
b315bef049e9b46164b1828c99e71d1431d0b2feba5184e76c3c6ff29ddaf099

SHA512
b5d80287c8b8e1906909bb8c055603040d8949b57c649ff5b33b1b3119fe703212df8a3cd5a6c3decf5e1e23940af532ce2a43d937413e2898f4057bd0235296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42aa2d61e5b4fa90bde079ffc67f7324

SHA1
69dc8e35381a14473b893813334acc9d82e61c6e

SHA256
33595f310703a65ed00a6a409d7f183040e484565c363570e04c1ff7a2094f5a

SHA512
a0824565133d82e7cdcbcea1eed4057a1a0a53a0d9d37c7e7cb90967503161adb80b0fd39214bb636339e7d63f1a4b8c253336cf0cf5fa6b0042cd0609318cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07da359791615f57718d706997a57cb8

SHA1
f180c1bd560c962030359514f52d0b4dd9513bea

SHA256
ea6b8f12cc0d9563f37ad96a3633874b1cc4f8d9dbfeca60a9d6d55301e859a8

SHA512
a89834c43b0493c7f8893f2aad3783af206adce9b1e1eef9d526b3418dbbeaf3a2096c0a3ad46751aafdcacfc93844ca361976d6dc8ff9ff896aaf973bb15042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5826ad8cf6ac10771aa064f988403f9c

SHA1
116558701e3ec2f6602924df4fd56557cb8cc865

SHA256
5328f2896d30c5ab96e71f2170a9e2e9338c2d94fba5976ff41fb61d1b898a72

SHA512
b7f84e70a7e47eb8cf28e88d919f34040445c292a86e88bb0d3a30eacab50ae57fcb3b91b50abfb9e853c663d466a0f6112080e8ab89fe3373003c001de8fadd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a08114254b9b8d4e8737600d6e622f29

SHA1
1c26fbf32aefeacb552b34db69dc1b533dbc4a3b

SHA256
26865ff4199fd50bd34dbbc931ae3cc47df6515a273f9425ff03e743f75167f6

SHA512
2daa2e11ee9486a36fa0e7e0a6274950d930a9a0f540809861f70c03f87425d0beba53b6e4c6427e7c9522b8fbc3ede6b3dd6633f52f846ad676e460e8d9a033

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea13d2ea4e8d5c312c59ba1dee88f4af

SHA1
7437beae4bd561883d651a3c3a1c3bdfe1f33273

SHA256
1703be1e30ca06cf6f90eaa78e4c344c6fb5c6e778371bd8467cfbf3a9e30d65

SHA512
d49b04038695af395772069e26688915b01093887fed96010261bda239d8b2b25fd88f84da011bccb7660312aab73632b14f4b8a785adb320a9f2a0cdf380ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3188513349f09fefda7c2605d00226de

SHA1
47b0c73460d162e27a9094d3525faf770157d065

SHA256
1917597690e6aaabfda34127a5230689ba16773976bcc5904d6492891b2d3d8e

SHA512
76d9307c4a0c945410e181a6422588537ca54dbcdea98e2bad6949fe2647ab2f69d66815b4b2494e9a3197a2b93cc8d44b76fc612b29b7995b6b19704cb8836d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dab051f13d9905b0aa0b3a31ddafc468

SHA1
65a436303dbcd7ab8723de51d1a5586033be9430

SHA256
cdf9b26b423b5aefb21238f2455b73d8e0082724b0633808a4188e05c08e652d

SHA512
4bc41553acc18d52f075d3c2d2e37cc2a412b8b5a2ffe22b952c8d17f622a539a72e8940b64867e4ff6ba57c9d41c121ede0ecdd75b4a3c26d228896663c3953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4a9e82975c53a1f743bab641322e324

SHA1
052182426ae3e893ae7a26733fdc668aeaff713e

SHA256
7a2608c8145631066f7c024b841dc3c939fc47631053374e38b54f8ad9c21c67

SHA512
27c53a5a5b49503f3be5507309652d9bd0e5f53ffb5c033fad7f7046e884b606a648c4f566e5ff41117a0228766890e49fd1c1604b8e921918bcb8d7871ba7f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
423ba6730527770a52b78559c3e3ae6c

SHA1
a28b1295ef56e29012c67b5d6eececdb389acb91

SHA256
455d7f953a1ccde15d6f5f49e0b0d0c664997536fa4db6f781a4c380d60ed9ef

SHA512
1a8998199010bbab2ce6fb1ed0c05d65bea328e5bcc5039d73bbe0777517c57277b22841e6f0b389d211cc976f1f38f350347bf4de4eda884c5faad08053db1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d8cf0fa00613e8a8a03b2f9f32fd684

SHA1
30810303d4f7723927b206f82a3b8c51709372fb

SHA256
270fd4287c1e170c8a35e258dbbec5a34f9d3f01e3b5ef7d3c48300f1cb83206

SHA512
b91daf1bfd2f33ccd4a502f5e1989db8c02283c4460c3cb54496fdfc81bcc2bd0af3285a3204cbe2ba347139659f5cdf7222259bed76cf0e8152169f81b140b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
132039114a35d0cb5871e0fdd3c8efb1

SHA1
1ea4295c209581a0868ddf49ac10ed39a1f5f4ce

SHA256
b769ffd3ec59dd287c3506cfa434793dbc33432eaa57a5f2ffdaa05f32d1f107

SHA512
ddebd860ad24399f990d71b49449a20a5d7224eea88af6b648bbd5a133d6c567674bfbe5775a72c2601e5739dc7c9d914686d6c9ebdc85e085da6cbcba4871a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62ab175c5e89bee40cea7a64c1e451fe

SHA1
39d30cc66b0816aec095804b40b333dbedf09412

SHA256
18d55e4183e62cc57d253f79e9dc7c74534ab8738b4689394c9d9d5de4d524fe

SHA512
79b5080efe8003b8f5257e61d16f80d65605cd694c4cdc44fc27fef8ce238f3bb49a99d4802788bae4527683c18d7fa635a87ccdb9dbb744fa45090b68222f7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cba56eb3df5914b926954370dfc18b67

SHA1
93674cdc260ea9b07a4361c8546a20a606b37aec

SHA256
8f48542e1665247841e1b12b1d42654d6c765a7c333eb0acc186debe9451a688

SHA512
de07dfb50936dddd46ddb259ffaa8bc1279a275af85170e97cd0bc87ac5c027a1c985cc63455b23544ec2b57526d988042c9740185f7f99f057537bf680a1f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
2f4770c0a364386ca4cdaa42f772ea47

SHA1
2d87cd55b2c9c358ce67fa2fa9d9af97c8d5ae69

SHA256
3af6b8ff127e3716d6eb35806131af43fdefa7e7ed657443ca6c2570ab3c49bd

SHA512
89ddb62021a3740c20fbacce81dec6efdabd0c7a4f3f751f2a945c28a1a724bcf4a1dbf518f371fc7176bc6f16702f279882924eb8d2866e72309d3d1b8bfa57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
dfe0add532de79cac5ae0815beb2997e

SHA1
b248df3e45162e7e348f9fa3d35422933e8b5885

SHA256
2589aa9afd29237c216e124c40087d7d09f523525f0b2452660752ca3318e08d

SHA512
6a48f79786967d8bf52d38018cc3dc5105798b1b17fbe36563291ee494cc6c30d3aa8a49a30da91ed3ea2e05cb5d782e7f4ff64b6b41ad8e639ba02d0d6c8da8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
db95dce0c928649b51a40a788b6ea014

SHA1
277e5d0fd0ea3610f7db2e225d926abc13ba7b8a

SHA256
5274d85dccc388ba010ff8d3323d455ab2c15a8ea3d14957f748613a971e7cc5

SHA512
d01a83b0764b9777c50bdf18b89da1369f45c52e54144f4ed9bb9c9326664e14f5798b8c4265c376ccb48f3ea0c4e22247db56289fde1a2209ee53b90f395174

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_749F323800EEA448718955FAC254DD4F

Filesize
406B

MD5
d6d3134ff69f5b66d3fce33af6226b9e

SHA1
e06c5df224f21b5d4b7ad25a8b42490642d2ea1a

SHA256
4bb92c44be23f72abfaa9b292adbd244c5ac1001a27514701acf52f656f6d33e

SHA512
24d1cdc01647b90f413bc0c0053bba1bc4785e6fcdf554eb647a2a5ac31985acfc37d0972fcdd2d36aade3181fccd0a0560546d2a541399a3d141d3b7855f369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
e45bedea6ade339f6a02a988a13fe3e2

SHA1
1d961c798d67278b2a8b8a0b3c66657a369b309b

SHA256
3c6274b93f8fb9dae2f645260b59cbed67227325f4827aca65c876c1a9db0eca

SHA512
e14262cea8bc97a199ab41162bd11901582a79df8f3bf7d5141a9bfbb2ed7e824a27a9a64a0b918c68edc92ceda2b26b39fbb6f7db68bd3ae1017b91f8f21877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\AI1G2381\www.google[1].xml

Filesize
95B

MD5
715861ea521d374c6cf5dfeab42d920a

SHA1
6ee24bbfc5e885cb0bb42a25066adcfee103b75b

SHA256
deb3f669cb820b466736c212c7ea811f20b8d2a9adb51b2de53a61cc0d36f16b

SHA512
1457582b16397b20813f0f5012e5f07abcc354500a6dc815ea125d987a384685246eefd84429379f2352c70688207ad3ae7c159e45434e6ff963afb9cbf03f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
5KB

MD5
20e12bcc229a7cd92d85380edf781919

SHA1
622f7aa8e1f39eb6016bc7c8e91ec9b02830c787

SHA256
51b881e3a2168cd7d7c4fff2ac7c1d280ce7ac1766f8663f7fd4fb22dd50c7f7

SHA512
6233e9829ce1e0c47439370d4d5711af4f877428c0651e724ca7b8ba97a5f26594051b163f1e229c029d5f3cd14ac5e966207238da5f60d113fbeb05b3e3cb09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\ZLEBFWOX.htm

Filesize
150B

MD5
2eeb2e0202b1bf9daf39ac6eb1466b42

SHA1
26abaa251ff391b4311c5cfa927be41b09ced5d3

SHA256
66f963290dda5adc89f8ce4e16676df4540d5b8f600e0fecf86e03a4fcfc1c02

SHA512
101659d11d34d4d38aeeb181917a7ab7630dd6909699a018166a9cbbb4346eeb9801c75c57fb67b63f330bd363b7367ba99ab604bdd9f097127474207b871e16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\SANgo9F4nm5u2dMq42p2HajKzd6tIQxdZSIadGt1b8g[1].js

Filesize
24KB

MD5
e5aae696ce9963f03693958cf4b2d3ad

SHA1
28ab61d79382b83de80278c73ed6c308e45552f4

SHA256
480360a3d1789e6e6ed9d32ae36a761da8cacddead210c5d65221a746b756fc8

SHA512
618735e2392f1fc9635c7f9da7ba77b43fbd3f2cbef0697b820b27e98e12a83bfc6fbe134921b51630e7a11a1313981f30aa5acaeca9cd0d47d4997f4928e1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEE~1\MALWAR~1\MALWAR~1\MEMZ3~1.0(1\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar478.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar671.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
2KB

MD5
e88f1ab2765acd3ecff19d5d28127c3c

SHA1
c2971f236ecbcc0c94fab09dce4ca29536a9aefb

SHA256
18bcde9e24887ac3ed33c54698c05dc50389a7097b7578a19e2ad7f63d6b892f

SHA512
222489440625d8070f295b8377924e226ab77851d06bc38ee8f6ca760747ddbfdd0671e8f3a15a8fb8dd53316ad60971bf5123febf42113028ae6e385ecebe76

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
4KB

MD5
5a85297dcc7d25bab3dfaa3dcf2ffe65

SHA1
b5c8303bc805235ecb05c7d5d175a762a8345fdb

SHA256
fc8b914ee9cb8eb6eb295660c948a74150776f7a4b7464107db42d1078f1c94a

SHA512
91f77649176559f30bfb1fea68afab47de189f968865192a8fc58eda9a2073fde12fb812936dd31abb2bf2c936e9d7e5b79d807ea371a4dfc1b42fec80423c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
780B

MD5
73648def0c63131e4ef4fd67b04c42e9

SHA1
9404e11726a34e8548e4a5408128a025119f46a4

SHA256
4aea6b9bb62f0c8f0ee3ef9adba8d7a61bcb6c9aad4127dda58df6d3488d063e

SHA512
95a65b0d787ed6bf80f75ce2b1f79210acda41bed5fd8c1c398d172546000313a6e6aa39238173b204635ed80d04b5c2081c7edad632330a979ce24e6213ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF9009E074DBC58BF8.TMP

Filesize
16KB

MD5
52e6698789706c0da74f5b702665c03f

SHA1
89126fac9969044b93cfae3646690f2c601ecad5

SHA256
899f1fb1562ff2ea2c56ac0ab694f269f5e277c471cd6d29f1272bf34b13e2f9

SHA512
bcb2f08a6797e24ab12805e179b4e7942af53eb3fbe7e9cc1763e25dc2164e028b84e6a4711368d2f0963fa7355e1345f69ddc2c0534a54fbabdb63a159f577f

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1LJE2DSZ.txt

Filesize
378B

MD5
f9f08f26a4a772597b2140dfca3faa6f

SHA1
3070c734cf09d2e260ce34a05e0a686a5726cf5e

SHA256
ce30da63ec7f5331800178cec8ac6caae1b9ba42d6ae4dcb39d0a96d6a3bda5d

SHA512
4536fa4200acae1f50c10237e4bbbad866d8e0550dba7c2d96d2dc26e6ec565d166e11f9df17f95a0b67ca7464b86592d709055dde341be8c67623237311706c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
43f266f1748df7ae1328c6242d079284

SHA1
b3579c3071b4bc59624669842cedca7c173a867f

SHA256
fba57f3de1c3e44b89f4ca2bd2a493ff1d431a008903042be0a10461fb9aa827

SHA512
c89f17efe61b2f6978d56c3ea87588074126d02fc1faaadcd1668e7b241c766aebda72785532e39a546ca81acaf082bd4ba4f712b1664689bd0fd2115e85af26

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1800-1333-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1800-1331-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2296-150-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2380-1349-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2380-1332-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2552-259-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2552-743-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3268-1416-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3268-1406-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4208-1602-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4208-1605-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4440-1591-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/4448-1525-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4812-1588-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/4884-1575-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download