734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

Analysis

max time kernel
856s
max time network
1200s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2024	MEMZ.exe
2224	MEMZ.exe
2176	MEMZ.exe
2192	MEMZ.exe
2068	MEMZ.exe
1992	MEMZ.exe
2740	MEMZ.exe

Loads dropped DLL 64 IoCs

pid	Process
2024	MEMZ.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe
1624	taskmgr.exe
188	taskmgr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416270008"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D5DA49D1-DF29-11EE-A499-62A279F6AF31} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000802f0f56269a94d7b3a8d4019054153ab434c6da6b6bccd2a0cf6aae491168ec000000000e80000000020000200000008510a72aef36debdd2c5bd968950c9cd1568888833f10c9f66a43965d962481a20000000af2b03b9a26f6b93e5624ba597a912e7a56aabec460786cc7146415270e87c9c40000000d86d81aac235ac016c22aaaf04f96c6e9e1e0937f65cbc0c435b4cdc59f69872448e2c76da7c86d90991b611730e2764c9d64649b3a7fa32d50614a810b08269	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc2330000000002000000000010660000000100002000000010db95db52acfc5732e899cb2460dfe7a4b93050263a96e55545276b7bbcd688000000000e8000000002000020000000a3c7bf511d7be0d62016067cd2164f403c0f53a02397390e5779bb103dc5a18d9000000007a26e4f37b25c8f28748408966b0f3c9811c42332a6a808468cd6527e5662cb9829035787ff8924e1e4340f0edd8a2b92ac14c45e8d04e02ca1555a85271ad58005c22e0fbc133c558c386dd05048a0fe6dbd63dbfc43b0d9d2130010e7ed7c9741e330ae8cb52b5db2f273304fc3ab9e672d5fa0615d57016aa05789682e4baf2652323d647a6dc3be9812fe7c1f6d4000000075ec5985ef22230a51b3238f2bba2d5bec47dd600aae46a1e87f289d0c9a82ed0a21842f4da87165af10248c9e5adcb1bb295da8d073c999f9b75da81df56e5c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Runs regedit.exe 5 IoCs

pid	Process
5276	regedit.exe
6748	regedit.exe
6852	regedit.exe
8428	regedit.exe
8712	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2024	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	MEMZ.exe
2224	MEMZ.exe
2224	MEMZ.exe
2192	MEMZ.exe
2068	MEMZ.exe
2176	MEMZ.exe
2224	MEMZ.exe
2192	MEMZ.exe
2176	MEMZ.exe
1992	MEMZ.exe
2068	MEMZ.exe
2176	MEMZ.exe
2192	MEMZ.exe
2068	MEMZ.exe
1992	MEMZ.exe
2224	MEMZ.exe
2192	MEMZ.exe
1992	MEMZ.exe
2176	MEMZ.exe
2224	MEMZ.exe
2068	MEMZ.exe
1992	MEMZ.exe
2224	MEMZ.exe
2176	MEMZ.exe
2192	MEMZ.exe
2068	MEMZ.exe
1992	MEMZ.exe
2192	MEMZ.exe
2176	MEMZ.exe
2224	MEMZ.exe
2068	MEMZ.exe
2192	MEMZ.exe
2176	MEMZ.exe
2224	MEMZ.exe
2068	MEMZ.exe
1992	MEMZ.exe
2192	MEMZ.exe
2224	MEMZ.exe
2176	MEMZ.exe
1992	MEMZ.exe
2068	MEMZ.exe
2224	MEMZ.exe
1992	MEMZ.exe
2192	MEMZ.exe
2176	MEMZ.exe
2068	MEMZ.exe
2224	MEMZ.exe
1992	MEMZ.exe
2176	MEMZ.exe
2192	MEMZ.exe
2068	MEMZ.exe
1992	MEMZ.exe
2176	MEMZ.exe
2068	MEMZ.exe
2192	MEMZ.exe
2224	MEMZ.exe
1992	MEMZ.exe
2192	MEMZ.exe
2176	MEMZ.exe
2224	MEMZ.exe
2068	MEMZ.exe
2192	MEMZ.exe
2224	MEMZ.exe
2176	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

pid	Process
1624	taskmgr.exe
2740	MEMZ.exe
188	taskmgr.exe
5092	mmc.exe
4176	mmc.exe
352	iexplore.exe
2592	mmc.exe
5352	mmc.exe
6060	mmc.exe

Suspicious behavior: SetClipboardViewer 5 IoCs

pid	Process
4176	mmc.exe
2592	mmc.exe
5352	mmc.exe
6060	mmc.exe
6880	mmc.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: 33	1688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1688	AUDIODG.EXE
Token: 33	1688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1688	AUDIODG.EXE
Token: SeDebugPrivilege	1624	taskmgr.exe
Token: SeDebugPrivilege	188	taskmgr.exe
Token: 33	5092	mmc.exe
Token: SeIncBasePriorityPrivilege	5092	mmc.exe
Token: 33	5092	mmc.exe
Token: SeIncBasePriorityPrivilege	5092	mmc.exe
Token: 33	4176	mmc.exe
Token: SeIncBasePriorityPrivilege	4176	mmc.exe
Token: 33	4176	mmc.exe
Token: SeIncBasePriorityPrivilege	4176	mmc.exe
Token: 33	2592	mmc.exe
Token: SeIncBasePriorityPrivilege	2592	mmc.exe
Token: 33	2592	mmc.exe
Token: SeIncBasePriorityPrivilege	2592	mmc.exe
Token: 33	5352	mmc.exe
Token: SeIncBasePriorityPrivilege	5352	mmc.exe
Token: 33	5352	mmc.exe
Token: SeIncBasePriorityPrivilege	5352	mmc.exe
Token: 33	6060	mmc.exe
Token: SeIncBasePriorityPrivilege	6060	mmc.exe
Token: 33	6060	mmc.exe
Token: SeIncBasePriorityPrivilege	6060	mmc.exe
Token: 33	6880	mmc.exe
Token: SeIncBasePriorityPrivilege	6880	mmc.exe
Token: 33	6880	mmc.exe
Token: SeIncBasePriorityPrivilege	6880	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1752	cscript.exe
352	iexplore.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
352	iexplore.exe
352	iexplore.exe
284	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
2740	MEMZ.exe
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2740	MEMZ.exe
596	wordpad.exe
596	wordpad.exe
596	wordpad.exe
596	wordpad.exe
596	wordpad.exe
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2740	MEMZ.exe
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2740	MEMZ.exe
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2740	MEMZ.exe
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1752	2784	cmd.exe	29
PID 2784 wrote to memory of 1752	2784	cmd.exe	29
PID 2784 wrote to memory of 1752	2784	cmd.exe	29
PID 2784 wrote to memory of 2024	2784	cmd.exe	30
PID 2784 wrote to memory of 2024	2784	cmd.exe	30
PID 2784 wrote to memory of 2024	2784	cmd.exe	30
PID 2784 wrote to memory of 2024	2784	cmd.exe	30
PID 2024 wrote to memory of 2224	2024	MEMZ.exe	31
PID 2024 wrote to memory of 2224	2024	MEMZ.exe	31
PID 2024 wrote to memory of 2224	2024	MEMZ.exe	31
PID 2024 wrote to memory of 2224	2024	MEMZ.exe	31
PID 2024 wrote to memory of 2176	2024	MEMZ.exe	32
PID 2024 wrote to memory of 2176	2024	MEMZ.exe	32
PID 2024 wrote to memory of 2176	2024	MEMZ.exe	32
PID 2024 wrote to memory of 2176	2024	MEMZ.exe	32
PID 2024 wrote to memory of 2192	2024	MEMZ.exe	33
PID 2024 wrote to memory of 2192	2024	MEMZ.exe	33
PID 2024 wrote to memory of 2192	2024	MEMZ.exe	33
PID 2024 wrote to memory of 2192	2024	MEMZ.exe	33
PID 2024 wrote to memory of 2068	2024	MEMZ.exe	34
PID 2024 wrote to memory of 2068	2024	MEMZ.exe	34
PID 2024 wrote to memory of 2068	2024	MEMZ.exe	34
PID 2024 wrote to memory of 2068	2024	MEMZ.exe	34
PID 2024 wrote to memory of 1992	2024	MEMZ.exe	35
PID 2024 wrote to memory of 1992	2024	MEMZ.exe	35
PID 2024 wrote to memory of 1992	2024	MEMZ.exe	35
PID 2024 wrote to memory of 1992	2024	MEMZ.exe	35
PID 2024 wrote to memory of 2740	2024	MEMZ.exe	36
PID 2024 wrote to memory of 2740	2024	MEMZ.exe	36
PID 2024 wrote to memory of 2740	2024	MEMZ.exe	36
PID 2024 wrote to memory of 2740	2024	MEMZ.exe	36
PID 2740 wrote to memory of 2200	2740	MEMZ.exe	37
PID 2740 wrote to memory of 2200	2740	MEMZ.exe	37
PID 2740 wrote to memory of 2200	2740	MEMZ.exe	37
PID 2740 wrote to memory of 2200	2740	MEMZ.exe	37
PID 2740 wrote to memory of 352	2740	MEMZ.exe	38
PID 2740 wrote to memory of 352	2740	MEMZ.exe	38
PID 2740 wrote to memory of 352	2740	MEMZ.exe	38
PID 2740 wrote to memory of 352	2740	MEMZ.exe	38
PID 352 wrote to memory of 284	352	iexplore.exe	40
PID 352 wrote to memory of 284	352	iexplore.exe	40
PID 352 wrote to memory of 284	352	iexplore.exe	40
PID 352 wrote to memory of 284	352	iexplore.exe	40
PID 352 wrote to memory of 1864	352	iexplore.exe	44
PID 352 wrote to memory of 1864	352	iexplore.exe	44
PID 352 wrote to memory of 1864	352	iexplore.exe	44
PID 352 wrote to memory of 1864	352	iexplore.exe	44
PID 352 wrote to memory of 2496	352	iexplore.exe	45
PID 352 wrote to memory of 2496	352	iexplore.exe	45
PID 352 wrote to memory of 2496	352	iexplore.exe	45
PID 352 wrote to memory of 2496	352	iexplore.exe	45
PID 352 wrote to memory of 2420	352	iexplore.exe	46
PID 352 wrote to memory of 2420	352	iexplore.exe	46
PID 352 wrote to memory of 2420	352	iexplore.exe	46
PID 352 wrote to memory of 2420	352	iexplore.exe	46
PID 2740 wrote to memory of 1624	2740	MEMZ.exe	48
PID 2740 wrote to memory of 1624	2740	MEMZ.exe	48
PID 2740 wrote to memory of 1624	2740	MEMZ.exe	48
PID 2740 wrote to memory of 1624	2740	MEMZ.exe	48
PID 352 wrote to memory of 2300	352	iexplore.exe	49
PID 352 wrote to memory of 2300	352	iexplore.exe	49
PID 352 wrote to memory of 2300	352	iexplore.exe	49
PID 352 wrote to memory of 2300	352	iexplore.exe	49
PID 352 wrote to memory of 2876	352	iexplore.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1752
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2176
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2192
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2068
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1992
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2200
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://play.clubpenguin.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:352
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:284
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:275473 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1864
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:406553 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2496
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:603186 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2420
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:2044959 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2300
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:1913901 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2876
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:2372655 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2140
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:2700335 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2316
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:2700356 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1468
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:2831421 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:1888
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:3355734 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:3584
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:2831484 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:3188
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:3617911 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:3308
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:2897045 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:1416
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:472185 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:4684
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:2897094 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        
        PID:4076
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1624
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:596
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:2204
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:3692
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:3444
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:188
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:3676
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      PID:5080
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:4280
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4240
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:3588
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:2128
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:5336
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:5352
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:5276
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5312
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      PID:6028
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:6060
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      PID:5260
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      PID:5952
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4740
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      PID:5816
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      PID:5876
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5652
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:6748
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      PID:6892
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:6880
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:6848
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      PID:6644
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        
        PID:5148
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      PID:6008
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:6852
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:7216
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      PID:8016
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:7556
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
      4⤵
      PID:7852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3940
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
      4⤵
      PID:8120
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8120 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:7784
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
      4⤵
      PID:7536
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7536 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:5176
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:5764
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:5056
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://pcoptimizerpro.com/
      4⤵
      PID:7684
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7684 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:7936
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:8132
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
      4⤵
      PID:7300
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7300 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:7928
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:7328
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:8280
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:8428
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:8888
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:9044
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9124
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      PID:8352
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:9112
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+buy+weed
      4⤵
      PID:8128
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8128 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:8272
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8636
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:3460
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        
        PID:9360
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:8712
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:9280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x7c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
2KB

MD5
fc92b2c6175b15300cba0822c2bace0d

SHA1
c23875c1655a5fd48099d82762aa3045fd20d476

SHA256
bb50723924f16869f441be92ce21befefc21a10095b851b74f688f57e90b8947

SHA512
572165088628a78f91cd74dc75b211d6c1159de36209e286ef8b23f900538484558edfa1a662f2882132a1c7680633a617fd473f5c8a13211a0ab3820c0bdc0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7e8f359f842f63d4f8e11b673e763622

SHA1
a7865040b538d6aaa80bc37e89372c61b7427be8

SHA256
f04843e27ab3a622e565eea01945462567d713146b1cbca62c89d2495e924450

SHA512
f417bf439068b5205190c6ca559d14b0aa4a19af87530fc4e46eda587f80281cb8e567bf6caaa74b02f29f1247afec461eebf2ce1e6a079f675d1f304c9b1fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329C03A4966B136B54FB137DCA798EB7

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
a5caead01378ea5e8b3b48bb4bf465d0

SHA1
ce6015bd0e6d004add7413334ed0ba90c7b857ab

SHA256
272105992830f2dd4e9a8e228fd8d223f899263ed8dbb1bc66a4c0a3ecb65d53

SHA512
9a85c23e184d0efb3c74dde0954a49a780e364d3eabff32ee80ae3452867812487a44a7580632e233c0abcacc1d8248c0df1582bdaff0725b49e167538cfd3af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_749F323800EEA448718955FAC254DD4F

Filesize
471B

MD5
68be297696f6df373169f0c6e2d06c83

SHA1
947f0e3b4942d22ac9b1ec6ff51e1afd32bf1834

SHA256
b419aae79b16a2161dca133ad6b4ff68a3287994ec849c01a0ddf35471c38810

SHA512
0eb1c88e8ddde49dc11ba89207de461e1ec16ef6561b1077987593b229959a251d9a213ce6e6697ff4957f3642168f1a180b434690e0266bd198f224dafc06e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
488B

MD5
fc1a1d0a6391f8ef78392b450270b353

SHA1
147f935e5ba2f898e358bbad4c4229ec26ee1794

SHA256
a5e5c74d0ceba30ffff5d4621fae480c71a64e6b01cd05173a54f83a8fc5016c

SHA512
b6e6e372af9ad833828e443ee85a6b15da4fc03edd75b9bb6f9d5ff0e0fbd7d1479bc567b9d2a0c0e777e957160e91d34ac1f38983615f9dd27c571c127e723e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
db463e6d49802fd2aaff2e3d074fef4d

SHA1
4e2935f14bfeed47902695b0826dd843498cef17

SHA256
8a878fa1be5852c98e95ec89810595a302619013f5bc9de2ce3a8a974c5c922b

SHA512
c7cd8ecb2184c1bcfb910be1ff881dfb3463e47228129d09978633c353e25e0899bc6a514382457b91a1f089352dd8d13cbebbd797886f6bf5a3c0687f1cce84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329C03A4966B136B54FB137DCA798EB7

Filesize
426B

MD5
6f4d3443c11e8cdfd77c0df5dd3834af

SHA1
49a37c49bedf530e732e23cd1d9e7e1366e0d071

SHA256
2f85fee0b05ba6267c7fb38b37a2915b01775745031100a80e3f95f30b069a67

SHA512
b69d9718bd6a7181c12989b2fa82384023035c29a242adb0cf72de42174963eba9b6c9e9a878b60deed68016b4c96b5f41e1981979693bda6bb538d6e34effef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329C03A4966B136B54FB137DCA798EB7

Filesize
426B

MD5
544770d62bc15d89759a7184d18b94e0

SHA1
0253a43844948dc38c5f8e7335e8f14dad606282

SHA256
676d5c5ac41b34248c6a0a69c58cdf6f845820a417dbbcd5d7d5984ce6f2903f

SHA512
b8d559550fd02b1dfa039bc2cabb0e3993df8abd650de2ed6cceca635ddc0298e85ed78560a97b86deef65d9d30bfbbc9b4be411a3167e989cfe4e87931d956b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329C03A4966B136B54FB137DCA798EB7

Filesize
426B

MD5
2d7a443c24af3c54096c760b30cbe49c

SHA1
f877ddca26a426e9547dfb96da66163eeb5baf06

SHA256
5929a9c1a0a261d860e7cee9e963c8b22b2008aeaa5d6c90c4a29210440da8b8

SHA512
cdea22d0ef55b10ba9fb4939f27a0991fcae490e004c5bea09f32db62b6a4dc270d420aaae1cb731d9740682646cb8151990a13a86b900e5b9a2617af014727c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b29d754d0994ad38c836629011f6886

SHA1
a3c69833304b8aeb3b601470b560054ac328a6ba

SHA256
e9bc9144473dea6704189010c08a04527badb6c31828501a0323871f05b373f7

SHA512
9755bebecd49b6283dbf1c202e7d907858e9288eeff8280070e4dddb08d3bba741b81da427866265a4ead4e47d1e857986a2e5d72083c211fd32ad48dd6a9f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de3d61af2cbdcaadae635530885eff53

SHA1
4c8e058134309f57ed140c05dd305e3ebea6139a

SHA256
f5e8910fc809b020d624279f21e7705c18747444ef59f5e9b231abb9715467cc

SHA512
597a384e32489c4150e2f6b2b92282c82df424b61ea1c885317159a456e723ea5a2ace898e21248573cb6e3aa31237999e268aae034f98d2fb86daec330ba430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
514d67dcfcc6fc1b717830002f3cbb5f

SHA1
cfa58ed04860218970bd4457f3e33cd544c1fc67

SHA256
ebd27e5b30af7c0b7c3ee6a4ec985d97fc28ce741e59866ff44829d3f50af61e

SHA512
973276be2721d765d743ef34f3163c38156ee41c43995a9c45a5adaec8bb5c6a5dcef1c628aad70997690c427b7a7ce0d0e34b75ef2d395eda28279bbe54f177

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b202cde042b64c06898531ced473c47f

SHA1
9e602efc1b32d4c2cfcb14ca0f0d4af7fa59da04

SHA256
919610c8f7df1e7a05a8dd2da8138909ffc11cb33fdd67a775e28f1162f4154e

SHA512
ccbb4b28c5da1d34db50664a38de974ab28df0d5f0224ea6296d459e71cb94db9fb9b6ce25993b8c7aa8e9e59f3b4381c577e2725a75e80cb9b37cb772532ab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e2a74ab1acd4b7d59484e0ff2c0a38d

SHA1
a4aae880e00264edd092eef72f0c4895079128b6

SHA256
8242f5b2ad0a3c5293ca453adf1689ed1534f92653af260c35be2178e5debedb

SHA512
b9b28fdfb90f60ad582a4730222030160871ae6ccfe3933df16025e08ec23f3f9c61cef471d75e3a5db65c5b6b522f0d4031f95c22d156c73b68de356d83f947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75508242e6eb1c8c6370691d1fc7a3ed

SHA1
06959507113b76e2e564362cb48f5dc5d896f9bf

SHA256
87f9b1da0ad004516c1c438736dce3ac35b8f3873fe8555292e01b4a6b909f32

SHA512
d943f5db3a6a9c547533209670d418b1252900d1a9c674b6317585d976be0ef3432c34e7fd21730efe4c62d4b77b24091ee5a4559922434d57de60efa7a841ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b60c9bee036453e337f9cce505d1ac12

SHA1
bf798a38404d46884fcfa98c141a065acd790eb2

SHA256
e8499177c9b4bc8ac6132df7cab1a2f68b5b934395076a3339401e8e04debc43

SHA512
94f2fb860a8cd80d4aa118c614639031fdf2f6f9c1274c400763d01dbf081de6945b003f5ed395d7ec48fbbb77d6bfaae345d1562d04c258f28e97d52710e72d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe2ba2a904b94d91038acddc91359196

SHA1
137114be86713a199e11b8a1a6dcb51f8e1d31e4

SHA256
bce7a151b1833e963a9e38ed95ae260c504d43330c52a3248ee831ef4a28e8a8

SHA512
7cefd0a42e3d29532043f99530c8c93876e1cd35c575a69655a992346e6117a0322217060378657faf8d2a59b695717bb7b146da3036c376774e7bb6f4fdc9bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e2360e1c04cc2f79e5251e41efed268

SHA1
dbdb827cab706cf572a20f6dce81c4eae703800d

SHA256
2362294f49b0320e40c6c4dafd62f9d215cf11048b37c247805d801891be20ca

SHA512
fb05609b01905ba7c4e018342b2a9d94358083380948813543a13e76846827ad075b3e93dd2a076169b576a2544fca156550f0184f9deb2eeb4748a68fe97015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09fd055a05aabf1352b2d984d45b7381

SHA1
321b4fd0a7ce18d6ac7185f1d525dcacb6df1c3f

SHA256
c24ba321c945549798badeaa41a88c1e33069fd8f58aa66290002d0a6592b420

SHA512
acafbb1feb780faed096a826db922d7505a1bc7ae0f63e32ba8b71f506ec8ca569f87ead7b696b4d5c5ed2f40ec43cd81b614ecb9e177a4121a9f0af9579488e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39c868e61dcdf6f3662dadda562f9c35

SHA1
8f3da14326c922322eb20f55cf5f8e6d5f315ed3

SHA256
478e2dbe9ac3b3a48aaaed10cd727261cd8cdd9151f30150e3c109d36e9a70df

SHA512
1392a756e3517909c2a634e4e2cc7e36f3ec47c200ec48f1363700ee6ad75dcf88dfe07d898a93ea95fb5b13090a2a0d351774d75958b8021acb899b33ef56fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3700ff42974bcc11285cc046e785d8a5

SHA1
09654b655fdbc32883afdec9c9d04cf68b580bc7

SHA256
0b0f346470c42898f5456b3e29154dd6100fe399cb1f688acde690184c2e3afc

SHA512
edd6915ddce0447e7603147a198217a3e854690ce9ed929da82ed5a64cec373f49e9dfc5218fe207d0cbdd9515b6f1fa683a537f46cf4bd6ca26f9e509a1e320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22bb6af24c9931279034b7e16ec9f8a3

SHA1
96f359315486ce94cabd3e0281ce08f3591995cc

SHA256
2bb02affdb2953d37f11588b5812bff14dcc071e5b287cbc7a98fb32a9d55bac

SHA512
0dab59a3f6e5cd3a413d1da1dde37f4e22312cbc1f52046257b31136f6ccbb4b46b6eaeaadb4861465c935e631e31e4b9ebee5cd4f3a660a16bcd1f40e06ac10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e63c664a0e6e57cc5bfc61956e0d0b25

SHA1
2b8f78f6df2cdd701646d56f8808f8567c148d1b

SHA256
b97c402414ab943735e7b4fb8791bd992cf5c72c223606e2b952905075cc33c3

SHA512
8404da489400faf397a40c6aabdfd4e52a3dc60b2c8eaf999063069ed782d9dabcc9ab49350d0fc12a149fd607279f7acc595ac71a3ae6a6b5b42ad1e797d75c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1febc6edaa39126ddff743a41030b81a

SHA1
37d3299d5c0578c682fe7dbf8cac6fe3553372cf

SHA256
ac4d33ecefcadec950c941eabbd83f641e3b760f903024158ca47b52ca0f7663

SHA512
596ed7fe5cf439ec9449fd325aeb92d88def4655f4059409dd5d93cffb2e2ad446df685efaff2c4b21377700d2d3b3265d2899b07e5492d6d518ced821bc3667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e030bd883ea56dce6982003c2c6a9b3

SHA1
b8982b5a3c162c4afe00e04218245351ff4298de

SHA256
ea1608398bccece1de48fcd4a8bd3f312fbcfeaf6ee06bd7908e0333400a66b4

SHA512
a86aa6b63ff5640bae4a32c47956c0b3566866fb0dacadfc52fe843b993aad43719e7b9611be1737e3b28849cda4ab586882b0a2cbb5fbd495249680d0efa586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49ba857cfc4b591e924851ca428e1538

SHA1
f4bd2f1ebdc6ad096d1f94e863b98d96bb3ba1b7

SHA256
782851ef96595011b87b3016a81540cb48cdddbe4f73ef012aa1d92cbae9aefe

SHA512
caa21891d5d28a3c8a0c80e296dab40805a20eea055f157ef73b8240b5d6779c58d07f7094c2857e7f59e913ddfe557443728a5d491b3b13916445e61f758765

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd1186033b3db20d55bba74133c70700

SHA1
7b6a1ab2387c3260bb1ccb9d909192f98c484475

SHA256
215121f3f7ce4061ec77d1f5476d30a075cdb21eaf5578585e591b29a58930cb

SHA512
2a765ff399d385d76665d97c4053e21f4f6c22116a24c9efe3b84e9dd51f1d26b110d245432017bac3e441e1102421ef930e498cac7126fec6611579f78d646b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f34fcf173606e45346d10c81863b3ca6

SHA1
7c845d93a532f7811d6a41a8c252be4eb6e242f9

SHA256
83340aa40d331edee93e4f4bb90bd8f41f4e2a3109db8d75d0cd0b554b21d8be

SHA512
c7379c0f673c372e19efcb8158d43c35b3dee1c96a4dcbcbe1acf8f78b5981ed54392f5f84c3e80c6ec4d64eaf6bd9175361bfc12a3cb72b420bde13c2a4e05c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9194a1bd9a75169ec03525c0304a0752

SHA1
76649b28ab71c70797448b12a937c07bb423861d

SHA256
654fe2186abaa41e22eebad8df7ebf60176ce2839f215eaa94de243e9ac61006

SHA512
d0cadb849ad6a8cea723ee035f6012fe44d4a4316232837adaaaefd6f06d3b3a79ffa86e06b1c250c65f5cf01ac3b39244d5e2362f463321dfe0ed4220a98c34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3cee1f49d53960f9e3789c6f1b255d49

SHA1
5b6edb4b2799e3f99ac1fd65b315325bf0925a89

SHA256
63635d1bb4413526f26618481f0a427ef257559d1503166bebebce4ad3524e07

SHA512
0a62c16d25267dab0107a4c2a4e1ce52a7dbaf411c50d48f2df576b57ff8fb727595b2d5ee7de8fe8d909be3d8e90e0ce27a4a6cb244853cb3742a9d30e54a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3d961cefbe9f320a574d0a66f8e6281

SHA1
40903383b5ac9da334a5daa5bb9a0ad2fe7c1559

SHA256
3c15c68d0f0d86654fe3ccc554cf6d6177026012a142a6c84b21d96ddaaec58f

SHA512
7d564eb13b6f631b4be9bc827ffa4f263332522fa0af9c0a3766336cc3ed921aaba6fd47631eb90379c9dc97e485419e4eb72a850ab9cf6a20259e0e6ba36485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
382719ac3aa3e3229faea6db9456342b

SHA1
2e1bc53deaad6c0355d56964dac433b79fec3911

SHA256
5a1b8183455b7ab955ae390e82bcce587641a26869be2f005a60e4c8f088674c

SHA512
2ea05b2417e8d44e02316fc231ed0aba6dac6f954faf8d6566b14f72ae4ff39abf8cab0e767686c228c3b771617f8f2b5b41eb89f9bbaabc5d73c31498f6e13b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
6e27d68eb4430b99a04e8997fd4cbb19

SHA1
32a9d7405e2c2e49be37e0cda07d6eb25e992979

SHA256
1eaa7aa412f4f7c54f8c993f479c4a48537c430fb57fbe5e862ff8603e558f99

SHA512
2e9648b8c878b107fe4a0f90efd9df40b9d89b90193e75357e8c6f0f341047a3235afb6058ef45e88b0e7ce37ca39975f1d5ed3529654df621452588fb3b0477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
46df0dc05ac42b3669710d8270c21592

SHA1
305df929e00275939a1bc5d52de9f5129b2cf5c8

SHA256
1e8db153c6649807d9144504d07a4d1e8dc5fbfeff53041d2d877f0d4858cb6f

SHA512
495814f5b8a4038868de3766ff23034b6fdf83682e20bfdc2be4410f4c2b2f0470b5155694689a65e00cb745048d5938dba1fd6f56befdb41e193bdcdfc595a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
de9c900218003cb97e2d4efd15b7cfad

SHA1
14825490ad24fbfac4b5c286c4f62390f11a89a9

SHA256
9ff5106ac93d1576ffc97dbb6efe74a6665c25b72c196de6eeae006b8b5930d7

SHA512
ac9fb7389c295bbc1b71128e5c82ca26eeede99337cee1dc2544172f23a4f52ce5734a6c46b86fc7e5943d8a52b83a85373072dfd7bc47d913be87e753aa1b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_749F323800EEA448718955FAC254DD4F

Filesize
406B

MD5
844155edd6404ab6d12a4a5fa2a790c7

SHA1
e82c49c8504e421b1f05a4117e5dcf304b4bcd8e

SHA256
e3438e7ad5897243369e468145ea6f491d6eb7dac18b6352979c2f1456ca3cfe

SHA512
83dcfcffe51f3b9caeaa073e9a5d631282b763b3f118185d8a15ca920da424629f176d72c6d7291afccb365657a0017eb5cad44f9c89b4ea8e9b3f1fff084b14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
15d2970545ec4da39dbe5b9048f76768

SHA1
1852e2ffd9346a3299032c6168e1932981120398

SHA256
af8668bceff24ad838e5ebe24b10309d51bddd53a771aa22f79e0b67b621b00f

SHA512
d97f47be74ceabab6d5cb04022f13bb85292d32f678e939c88606b9cd5e1476815ec0c9dae9b7c41534fed3828d6154c6895037a3faa842dfec6496077bd8181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\2S9M24YG\www.google[1].xml

Filesize
95B

MD5
2598b4b838a89af774cab58fa2e1ebe2

SHA1
cfc0f7c1483feee0afb3974561194f903ff25675

SHA256
d1311a1ce5636606afb118730204d887a02d8e2dc4c02de87fbdefda545fb968

SHA512
75434db319d8300766a656ee3a83fcbfa103071bdb4c73413b6b1fccc657b840d37adfa72ef730d1d888c8e0d4c057afa32d4734833f6936fd89b8d47f50523a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
6KB

MD5
9826862fdd9cffa294684f31034281d0

SHA1
54cffd60c6ca79507f9de3664e122cce76610dc7

SHA256
3a556996ccf1e51d0ee2f6a45163066ec7d454e4c31e81ae9d40694b948e7007

SHA512
8291f8afdb82adfd2514f85494945304398ec1b989881fcab4170c2f737df01593234befdf27bffe6fa3d384a4f3b06d10f798c4f6bddd620063ab6b05902fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
5KB

MD5
a51fdcd973dd708f1eff9b13619e05a6

SHA1
053989d3387d055beccae43a3c3b311c958741e6

SHA256
fdcf71a379162101af192df0712c599fa56eb75cc470b713ed15cb9fcf85c748

SHA512
740bdcaf45da6e34b9a7279530779ef0410bd1a27a2be668cb645170bf6716071c67a6791b647ccd7fdbde84897ca146f4bf4c65ba05db60e53a4b07af026dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\green_shield[1]

Filesize
810B

MD5
c6452b941907e0f0865ca7cf9e59b97d

SHA1
f9a2c03d1be04b53f2301d3d984d73bf27985081

SHA256
1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439

SHA512
beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\invalidcert[1]

Filesize
4KB

MD5
a5d6ba8403d720f2085365c16cebebef

SHA1
487dcb1af9d7be778032159f5c0bc0d25a1bf683

SHA256
59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7

SHA512
6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\favicon[1].ico

Filesize
1KB

MD5
ac0cd867e03ed914827807d4715bdfe7

SHA1
4051a8c23756c10d9cc00fcde6f7215c780fdf6f

SHA256
b50546da121186fbffd2aec430249cb21c7c2e2c85e561a393a9df9abfc4477c

SHA512
fa11d1d76c39719c218b4ffa34de8dd44d398bdcbb236a666f0be6eeee96bcbe4da9ac65a89441ad284c0de21788c135dc4fd21f6f82c7039f00c8a7c705c8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\4BALDFES.htm

Filesize
150B

MD5
2eeb2e0202b1bf9daf39ac6eb1466b42

SHA1
26abaa251ff391b4311c5cfa927be41b09ced5d3

SHA256
66f963290dda5adc89f8ce4e16676df4540d5b8f600e0fecf86e03a4fcfc1c02

SHA512
101659d11d34d4d38aeeb181917a7ab7630dd6909699a018166a9cbbb4346eeb9801c75c57fb67b63f330bd363b7367ba99ab604bdd9f097127474207b871e16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\invalidcert[1]

Filesize
2KB

MD5
8ce0833cca8957bda3ad7e4fe051e1dc

SHA1
e5b9df3b327f52a9ed2d3821851e9fdd05a4b558

SHA256
f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3

SHA512
283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\red_shield[1]

Filesize
810B

MD5
006def2acbd0d2487dffc287b27654d6

SHA1
c95647a113afc5241bdb313f911bf338b9aeffdc

SHA256
4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e

SHA512
9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\background_gradient_red[1]

Filesize
868B

MD5
337038e78cf3c521402fc7352bdd5ea6

SHA1
017eaf48983c31ae36b5de5de4db36bf953b3136

SHA256
fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61

SHA512
0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\down[2]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\red_shield_48[1]

Filesize
4KB

MD5
7c588d6bb88d85c7040c6ffef8d753ec

SHA1
7fdd217323d2dcc4a25b024eafd09ae34da3bfef

SHA256
5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0

SHA512
0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAC86.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEE~1\MALWAR~1\MALWAR~1\MEMZ3~1.0(1\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarADC7.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
1KB

MD5
1ae8fafa03455634d4cbd213f2a84464

SHA1
51e1efcd03ef2f5bd9a5e9b18218a4b013179da3

SHA256
2c3425384ae083fe32205f4ff150b9c0c50d9aa0de1f01eb5dfeb54e1a7b19e2

SHA512
8b2abf12834732e4c62c6c72a34e1c3029542a3cd1a92004d367afbe04869e9b5d8784241815f8ae996c2dfe68a485f54788106ac0900f045db3c3693971e157

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
468B

MD5
f0d52887ffd650ba0c0d96c6b9f8faa5

SHA1
c58fbe36b32a4e7a42578e98a80bb5c5b379a5b4

SHA256
d2be4fb7ecaffb2ee061ffb750424b729a262b377da00768cddc439a42d053c1

SHA512
410b18a4cdbc64c5704e2ca22a3daa91faff44dd1cbbfd8c827b45136767be9ebf8efeb84741ffc318029397b6e243d9e16448991cb4accfd024c820d2a3c152

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF04B3C23563072699.TMP

Filesize
16KB

MD5
bdd9803d5ed64de9f02e2072a95e5026

SHA1
ec74b54457e12bfd849283f6d692e9fe8a537334

SHA256
6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603

SHA512
a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VLX7L4FD.txt

Filesize
378B

MD5
805cf444109bd12593eba549d19a8a28

SHA1
cddb4d54624772129e439d7b57dbfd78b7047e76

SHA256
d49347becba25addf141b9e99e60f0fe4e0d0883817a7f918d3303207c09b4ca

SHA512
b211003d0f0021625f63cfb2ba3ff2549738c71fe1744b206473b2c81e32f52720e1b7ba1e8a86798dba99c1acafc45caf561343b5c27e94a56fb2e3d83eb515

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
08fe18eaa242f50a95ac8f33ec9c6c18

SHA1
92c95f1548f50d5c2a717d3db1ebe98859d3d5f9

SHA256
a25af60e8191c48a1dfa072cd7c5265f3139958cafeb9b691350c07ff3b229ea

SHA512
2819a415250c0194b07dd1e8109d360967fd5d66220f085d8de8f0fc00124882477a22e61b3fd2d49f7c88bf5befcf75dd2d892ec784a65caee9ff994f84234b

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/596-1679-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/596-1666-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1752-150-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2592-2082-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2592-2186-0x000007FEF6100000-0x000007FEF613A000-memory.dmp

Filesize
232KB

Download
memory/2592-2084-0x000007FEF6100000-0x000007FEF613A000-memory.dmp

Filesize
232KB

Download
memory/2592-2093-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2592-2193-0x000007FEF6100000-0x000007FEF613A000-memory.dmp

Filesize
232KB

Download
memory/2592-2096-0x000007FEF6100000-0x000007FEF613A000-memory.dmp

Filesize
232KB

Download
memory/3444-1782-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3444-1830-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3588-2065-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3588-2058-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3692-1760-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/3800-1940-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3800-1958-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/4176-2095-0x000007FEF6E90000-0x000007FEF6ECA000-memory.dmp

Filesize
232KB

Download
memory/4176-2192-0x000007FEF6E90000-0x000007FEF6ECA000-memory.dmp

Filesize
232KB

Download
memory/4176-1997-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4176-1998-0x000007FEF5D90000-0x000007FEF5DCA000-memory.dmp

Filesize
232KB

Download
memory/4176-2007-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4176-2083-0x000007FEF6E90000-0x000007FEF6ECA000-memory.dmp

Filesize
232KB

Download
memory/4176-2185-0x000007FEF6E90000-0x000007FEF6ECA000-memory.dmp

Filesize
232KB

Download
memory/4176-2092-0x000007FEF5D90000-0x000007FEF5DCA000-memory.dmp

Filesize
232KB

Download
memory/5092-1985-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/5148-2288-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/5260-2134-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/5352-2194-0x000007FEF6E90000-0x000007FEF6ECA000-memory.dmp

Filesize
232KB

Download
memory/5352-2094-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/5352-2097-0x000007FEF6E90000-0x000007FEF6ECA000-memory.dmp

Filesize
232KB

Download
memory/5352-2105-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/6060-2132-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/6880-2235-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/7556-2414-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/7556-2432-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/8132-2551-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/8280-2548-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/9124-2553-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download