734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 2 IoCs

Processes:

mmc.exemmc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80890f123573da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000756fef9bd38dd5fbe3f7b8c47053c15acc7f23ddc2126f2a98f8ed08a4c35199000000000e8000000002000020000000370c1ac286481a17032c258df23f78bdcd595376ab6ff2a360cb5b3047d61a2d9000000049a6e4ba456fb0ba978bb8460eaddb5e0ba924f03720936d99a691ef1c3136f1e66d24288a77e573fa6136734600c40d0c1264f6dc03119159a1b6614452c787a4ec22f3b8ec7a5fbff44c6b90600753863c55ffd0fd5c4d8a3ce0908c5e3908c964e0645ff8efb1e28c24e1dfb28f7cbc93c9ad8419efd1a3b2b2719d58e6715b80896df8f20a451d89a79301675bcb40000000bf83539d6b9a45f4042b9058a1fc90b65a8369c83f06813622b163e7d3ee34eaee4a294b057f902bb2ace794a0bc9152e5f8dd09c8d0909c1f8cb7be77cf8caa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc2330000000002000000000010660000000100002000000058640c0a7df71598df918746bf81e4ecbe797f819c65b2969e5c806d35f2899e000000000e80000000020000200000008a0a63c2d04fc95236a829659e4c4b83dacb401aa6269600d6078b789b25351b20000000acec495743a947fa7db9b33b9d3963aaebc79b0d5e3b2eba05b8c23d9584c93040000000c8bb1d5922894ea6b914533c4ba4a26184baa42b5d75f0e5d4e3756a720010fe9f6dbfdb1e73952cdf70319b2579d6533313abcf3f1411893049f68eab639f6d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F31E341-DF28-11EE-92B8-52226696DE45} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416269313"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2188	MEMZ.exe
1848	MEMZ.exe
2188	MEMZ.exe
2188	MEMZ.exe
1848	MEMZ.exe
2188	MEMZ.exe
1848	MEMZ.exe
2252	MEMZ.exe
1848	MEMZ.exe
2576	MEMZ.exe
2188	MEMZ.exe
2252	MEMZ.exe
2576	MEMZ.exe
2252	MEMZ.exe
1848	MEMZ.exe
2188	MEMZ.exe
1848	MEMZ.exe
2576	MEMZ.exe
2252	MEMZ.exe
2188	MEMZ.exe
2124	MEMZ.exe
2252	MEMZ.exe
2576	MEMZ.exe
2124	MEMZ.exe
1848	MEMZ.exe
2188	MEMZ.exe
2576	MEMZ.exe
1848	MEMZ.exe
2252	MEMZ.exe
2124	MEMZ.exe
2188	MEMZ.exe
2576	MEMZ.exe
2188	MEMZ.exe
2252	MEMZ.exe
2124	MEMZ.exe
1848	MEMZ.exe
2576	MEMZ.exe
1848	MEMZ.exe
2188	MEMZ.exe
2124	MEMZ.exe
2252	MEMZ.exe
2188	MEMZ.exe
2576	MEMZ.exe
1848	MEMZ.exe
2124	MEMZ.exe
2252	MEMZ.exe
2576	MEMZ.exe
1848	MEMZ.exe
2124	MEMZ.exe
2188	MEMZ.exe
2252	MEMZ.exe
2576	MEMZ.exe
2188	MEMZ.exe
2124	MEMZ.exe
2252	MEMZ.exe
1848	MEMZ.exe
2188	MEMZ.exe
2576	MEMZ.exe
2252	MEMZ.exe
1848	MEMZ.exe
2124	MEMZ.exe
2188	MEMZ.exe
2576	MEMZ.exe
1848	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

mmc.exemmc.exe

pid process

2344 mmc.exe
2364 mmc.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

mmc.exe

pid process

2364 mmc.exe

pid	process
2344	mmc.exe
2364	mmc.exe

pid	process
2364	mmc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

mmc.exemmc.exeAUDIODG.EXE

description	pid	process
Token: 33	2344	mmc.exe
Token: SeIncBasePriorityPrivilege	2344	mmc.exe
Token: 33	2344	mmc.exe
Token: SeIncBasePriorityPrivilege	2344	mmc.exe
Token: 33	2364	mmc.exe
Token: SeIncBasePriorityPrivilege	2364	mmc.exe
Token: 33	2364	mmc.exe
Token: SeIncBasePriorityPrivilege	2364	mmc.exe
Token: 33	768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	768	AUDIODG.EXE
Token: 33	768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	768	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2644 iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEmmc.exemmc.exemmc.exemmc.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2644	iexplore.exe
2644	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1732	mmc.exe
2344	mmc.exe
2344	mmc.exe
1488	mmc.exe
2364	mmc.exe
2364	mmc.exe
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
304	IEXPLORE.EXE
304	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exeiexplore.exemmc.exemmc.exe

description	pid	process	target process
PID 2768 wrote to memory of 2188	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2188	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2188	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2188	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 1848	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 1848	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 1848	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 1848	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2252	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2252	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2252	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2252	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2576	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2576	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2576	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2576	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2124	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2124	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2124	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 2124	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 3000	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 3000	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 3000	2768	MEMZ.exe	MEMZ.exe
PID 2768 wrote to memory of 3000	2768	MEMZ.exe	MEMZ.exe
PID 3000 wrote to memory of 2496	3000	MEMZ.exe	notepad.exe
PID 3000 wrote to memory of 2496	3000	MEMZ.exe	notepad.exe
PID 3000 wrote to memory of 2496	3000	MEMZ.exe	notepad.exe
PID 3000 wrote to memory of 2496	3000	MEMZ.exe	notepad.exe
PID 3000 wrote to memory of 2644	3000	MEMZ.exe	iexplore.exe
PID 3000 wrote to memory of 2644	3000	MEMZ.exe	iexplore.exe
PID 3000 wrote to memory of 2644	3000	MEMZ.exe	iexplore.exe
PID 3000 wrote to memory of 2644	3000	MEMZ.exe	iexplore.exe
PID 2644 wrote to memory of 2512	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2512	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2512	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2512	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 1604	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 1604	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 1604	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 1604	2644	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 1732	3000	MEMZ.exe	mmc.exe
PID 3000 wrote to memory of 1732	3000	MEMZ.exe	mmc.exe
PID 3000 wrote to memory of 1732	3000	MEMZ.exe	mmc.exe
PID 3000 wrote to memory of 1732	3000	MEMZ.exe	mmc.exe
PID 1732 wrote to memory of 2344	1732	mmc.exe	mmc.exe
PID 1732 wrote to memory of 2344	1732	mmc.exe	mmc.exe
PID 1732 wrote to memory of 2344	1732	mmc.exe	mmc.exe
PID 1732 wrote to memory of 2344	1732	mmc.exe	mmc.exe
PID 3000 wrote to memory of 1488	3000	MEMZ.exe	mmc.exe
PID 3000 wrote to memory of 1488	3000	MEMZ.exe	mmc.exe
PID 3000 wrote to memory of 1488	3000	MEMZ.exe	mmc.exe
PID 3000 wrote to memory of 1488	3000	MEMZ.exe	mmc.exe
PID 1488 wrote to memory of 2364	1488	mmc.exe	mmc.exe
PID 1488 wrote to memory of 2364	1488	mmc.exe	mmc.exe
PID 1488 wrote to memory of 2364	1488	mmc.exe	mmc.exe
PID 1488 wrote to memory of 2364	1488	mmc.exe	mmc.exe
PID 2644 wrote to memory of 1548	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 1548	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 1548	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 1548	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 304	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 304	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 304	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 304	2644	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2496
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=best+way+to+kill+yourself
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2512
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:209949 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1604
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:734221 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1548
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:472102 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:304
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2344
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7e8f359f842f63d4f8e11b673e763622

SHA1
a7865040b538d6aaa80bc37e89372c61b7427be8

SHA256
f04843e27ab3a622e565eea01945462567d713146b1cbca62c89d2495e924450

SHA512
f417bf439068b5205190c6ca559d14b0aa4a19af87530fc4e46eda587f80281cb8e567bf6caaa74b02f29f1247afec461eebf2ce1e6a079f675d1f304c9b1fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
6c35f1568e8ce421914b0ab7d79a7382

SHA1
c7fce3e619b0886940b547b373e47c97197658cf

SHA256
da2fcc41b3abf08184c622837bfe886e4f2b8e304ede6fca53da2725f391f545

SHA512
42f70031f2d693d9e559dc29a66a319fecdef275b18909bbbd7245a0bec87f351568f8991c5a347ae5ef38688345d90e16a5f4cda52fa30b5ed0a57cc6890940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b608cad9530c61e1b1df0fc6f99c8457

SHA1
8fddd743476f9ad8cddfdfb2918195da78567294

SHA256
efa970e3272c9b7bf4331db7770b48d67e9264b83830bff0e4299976214877b9

SHA512
9f18d44d5357894802e0488ce412e85069e6027d5317aeeed0f74c8d396756a5e1b315e80027485e5f1bad5a2a89bffea5b6fdd9797f40bfa6594ecab9a135ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a956bc274e805dbdb4d94ef747a38d17

SHA1
9e641589e1c14d6c64d181facfd946dab54379f1

SHA256
f90d95b0e9a8af810a209381c4fed4a324a10e19855f2fe18a0c8be00490e65a

SHA512
fc30cbb210066efa46bb359fdc6edaad3ca657cfecfda72e3bb070ede1bcaaca3d8abd1ffda16971007ba42e3296b1f2f2b56a80634c81698425928403c3944e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a56c5fb59af432b47702016a63b28928

SHA1
4781904b693c5d1636b5385d103dec25767abf28

SHA256
2adbd411ff7caefd702a4773fd766eff40aa10b5b49189f449bb73f298bee4f7

SHA512
8bb2cc9403e4ed1891e620279be4abb835e02fea1c20379efb3e2bdac018eb9fc8c09aca4cb656178ccab9a872d697e2d71f7cd2156c3c50abdc5cd2b6852b21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
140911e47a0d13cc1bb0288088b6822c

SHA1
e836cccb99fb0f56f6d5fcf453f1bf1fcfc17bbc

SHA256
9d12d98a0ce7381fe941e6c21c9c3b99a6754e8102fa2e6373964508ee8c8608

SHA512
83b97c4417ceae840487f041a3c7ec9b83f8d894c89f4aa365d578be1222c53ab7a8be424daeae00b4c2f7406b4c26ec2da52b8dbed7687d1925e22a8f0c1370

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
428eae5206e51c29e149087a87da6255

SHA1
9c8e24be47c944e5d061e2d1ee816a0af5d35b72

SHA256
3847a1fdb0d8d47329fe07cf870d490517bc373065a890b8d1883e0f58dd075f

SHA512
622d9b2cd5654d0b747a8bc2fafe7ee63afc52622c061b6a66d2fd68186ed87f7332534a3e9b31e06e2473e216774ef7cc015b12a88cc44509d4a33ec1cbdb48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2851a186e8c82286ad0f83ae001fbc9

SHA1
6ce554522d0ac82d0969d580750ed0c6bdf2acc9

SHA256
77c93ba5618ef7857fb2e765b543d35f0266e0fbd292799830c4979c108c82e4

SHA512
5a643c7c1c9f54303dc12bf0f7884476f53e8e5b816ba6172cca9e88e95e092aadba7419120c435cd5c3ab27687010c2ec2640c2d0caba0dc530ec0f91eab49e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8808904b481849a7ba488d494af7c054

SHA1
eca053948efdb23539205d0174ad1c168a2241fd

SHA256
e6cfd3494138010c1254b8909e90210ca2c3856447cb2d915669c6326141603a

SHA512
2ca77b754ad3d83518576ce3126c31517e46550559eae20d354de0205bbc296e709925e3c0e69625ed5f6e4d06ad8e0e294a824dd74c036c5c689b41c72d10a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a99b4a57abc2e71ee21ad42790637e3

SHA1
672ec3bed39fca8f8308338e5244b5977566c961

SHA256
69d3a02e5039550f6a68c4c68e3435869fbb2544b857cfffdd87106d6d90c9d7

SHA512
d64bc9ee8d27caea1ddca32540eb7a7c5e432e5922368c709a8c41f943fa4dec567e855fd05c8e46b52f3db7bda4db4b726bfc61f4296fdf7045c1e71bfa107b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
953687b9440b675da6e7b74239ff9e26

SHA1
7dd08c2faf6bef9b59adef6f10226083ada2fb56

SHA256
0c7f486e53953e45aa097fc7f35eb08eb4d5fc3831c804f59d28fbbf81908e91

SHA512
385f2c1449b708a3ae229c5854beda430ca24d07340ce937efc2cb78dcb94e531d33fb40345a7713726db364136286479188f95224a88468c01fb422aa454993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cfb407965e3d63889f06be02191d9478

SHA1
d27dc6c1e9d94fd73fa301d446aacc6cf247581b

SHA256
d312a900d078bd04b6e00d05c40e1a10b20725f5b6be9c365bb48c3747c9670b

SHA512
e1117f1ad584f262b6f161fe5c472ba8e954607c0a2a99372a3d252327a03ea950e83b46538225b7bd66590ec5c1040ae80fdb68953ce600b2fe57cfa123bf26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4786325d2b5448928b2b36a2b517621

SHA1
768c3ef3e9ab45362e992689b62802959f2f5e2c

SHA256
36be018ee335e95eeadb474cd3bae744c3c1926c808bdf0339dfa5958d36b4a5

SHA512
35e171734208e2bfdc3e47f0ff2ee918c7f7837e1ddf70c362f63769021f2701ca6778d766166a736102b532ff2f856166a35717d6ab71a30d9d18d311ce4e95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fa80fe428fe3c5d816bd156a68cfb56

SHA1
61db0de56bec8c4149e91c7ca9a71c24fceaec17

SHA256
e2fd287751a2231305bdc9003005c9b4c25c542f5718fd8f42ce928330f27883

SHA512
3939cf43f7ccd928ee3a87e7334a230728d14cd985ddd38df5b45fe39162d131a53fc2d2971a3ddcb29419818bcaa0ea8d7931c67f08223c573049be6d16ca43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87669c65bd54ab298c57e1f190d5a28b

SHA1
2d52cf0663107acf8fe9a6946d9b5dcaadc7309c

SHA256
400770dc2b1a13951b255bb7a748a692de6362583098da1fd0eb4c1ad2598d0b

SHA512
8e17f0d7c055ef5d301b76b3777433ac0ffc75413dc27306e93a98f3743904f57780c6c360c53ec414cab070f57ed43512b8a3fe3d40a3f354eceab37437791b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
227341d7ec6894cf880b7603697af97e

SHA1
bb4388f9a6a190a8efb636f5b5b3e1ccd13f4bb4

SHA256
3727dfd59502ca23247641aede8a2a119f702d9373517dcf53fc05eb6497bee0

SHA512
ae585b201046e7289756898d1ca3b0c05ced883df9d2dd5e40cd929ccd69b00a3c16d8dd3f8f020f4ff37540a039b91306fc203ff38c7ab9300452d32af2e7f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
109c820993f80960e02c50ba74f2df99

SHA1
0dccce4b34c6d57ebf52d0702167227da74d8ecf

SHA256
ec49e6d84e15539ba8e2ebd1788637020a60c7eb3c823f5688467c86dff4542b

SHA512
31efa39f3afe5b699c6f4a5fb3ebf5af037dcb08dede4390968762f098bb169e77691bb5b73b50f7e94b1c6257fa6e17e64b38df784dc3d0bc66c7ecdebeaf51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57a2670feab760895ac345c04d2edf87

SHA1
229ddb53062372eec76f771fda4fa11ff0274a34

SHA256
cd15d93e55430a823ecb5fe2137620b0e9efb90299fb92f28092370b07f1a756

SHA512
3f306be2d05457a4155ad51dabab246b66a25fa8d415810a399809c9b0398ad586c417769534e7d5b796e264551d8eee1caece051f841c0d44a7b643adf2768c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78d6f32bd8bc65748422a5d26e967b10

SHA1
84ebcd07dbef4f366e483a598079dd68f0faadb1

SHA256
660010445d3f82b172f2a3e2b058c908a189b8c721c95c9d67c28249bf56b4ef

SHA512
7b10da263f129eef613423cb3da4a4fd16ba51129f89ef10455f7da961719c0ddfad00da780af06e356f881593b120f5af446d8c10ce35f8d73de0cf336efeee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
291b440a6ce6e93f42b60ad282bca1ef

SHA1
425d84da93e37407b699e0c3c124d17256e1785e

SHA256
0b2b001458b68d8284db5c87c0c4ee75377f3591038e0983328d9e36716b372f

SHA512
9292f2cd98cfa7662e7fbf4c3de67875705e3cd99128623d70d8696504a7ed1fc040f669a9fbb8bead49be21dd9a2f873bedd65aa9412be774c2cd6979b29dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f819500e6c6639c33e8929d0a070ec1b

SHA1
16164492fba46913f05acbee55d3cea7009f74fb

SHA256
d967a34e2fd2e0fb84d0379e2511857d2c96c84ddc22d11c99bbe5c62fab79be

SHA512
f1000f7bbffface701b0d941fb86edf0cfee8d64420565772c7433381e301d7a89f046b7244982031298b0c517c814a6f218e7cb0bf28ebef3ba4c7e58cb4845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
449c46b36f322b8ed04dc34ac8beb761

SHA1
894279cf79b032c3e6113f60c1607423242b1456

SHA256
55066dfa4eb4720627725a10eebb6b266ea1355401d7799b27db8a7b1208108c

SHA512
04def6ba4c05bd45231a07a3aee7e97a06dfb0383e4c15bcdea8312296912b4786e4ec137b2733a02682733191d955d95e8e18f923076a6bb2953020a99f55dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
60176e36fbde077da1f7fc9dec7925a8

SHA1
910431e2ec09712b173a7ea8ef9f610510674c85

SHA256
e81bfd526bd57e6dc20f64a38417e65bc5967a1440adc4e8b4cd581526191bbd

SHA512
3c3500acffd997314364250b97b2cd9cb9cabedf0b415ba75495978c0fca595aca738f641deae863b1fbc335b2674d15de40594f83746a53f25a2fa29f827ae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
4c4893ed5b84ced658156754ed4c1a59

SHA1
e23eea1f74a36a3665a3dbb9e72a6af3dfeeee0f

SHA256
994270462176fdfc9ab9197ae07e27b2c699022f96379f4472103c8394dbb4e9

SHA512
fbfdfd7b49dca8840a498151968aedc3468749aecb60069d9d64548364b1d58b893f1ca755c77d74d7ba91c306d2bea38e1c99f524b95a8b0b3964c490c3cf36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
9722fcdd7a1c011f0b9a7b3b98be825d

SHA1
a686db13a686448b43d4e57c2836136a62446bef

SHA256
63ab65c980272e560c1bc8d1616b4c944d0c9fa1ec8bf49a7ade8ddd0ccd8303

SHA512
3de430e81112c86bb6659cd04b796ae933c27b671dfc155b49a76dd9b07f2ebc11614542d24c22f8fe65d1fa77d306c0b97fd313294ace5951c63ff3eff9208b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\X6EW5JFI\www.google[1].xml

Filesize
97B

MD5
79c1b7211788b383ecf35df3aac04519

SHA1
1b8f5af0dc379c5dfae48e7cbe446cc2d23579e5

SHA256
bf2827c8ef7efd0115a51923b482bcf76a891edd08aa0ac12b0806e25da8bf3d

SHA512
8f89415c0f5692681f1d563849b4b9d788c1367153e5f29ddeb8a32b5bf4bd2dc1cfdcb3ce12272aba22e7d7b4a9eee08bb75799dcbed820aff5c8a9740700c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
5KB

MD5
2c4f1c75db09bfa518b75d8e8941ccc7

SHA1
76e417d233970f499e6067ee100b0590cacff7a0

SHA256
3ee1824fdc029cc9958cedf5482338860bd1189756f5fb2b71eebdcf225552e8

SHA512
e463625c26f65ab6de29f56d306f540ab2af854a15548550f9f9297cd7a3c30ad24f9088f0d2191b6f11b698c1db1bfe09d2a275197fbca99bfca2fc43118f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB6B4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB6B6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB8BF.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SE5V4Y3X.txt

Filesize
373B

MD5
2bb37dc1928dc65a604e023c8e8e875e

SHA1
27c4264a0c617dcf23ebbd5a8613a4424dced445

SHA256
30c34dda3d5c7a1a81fcf58608b18de4e9544bfcf6a26e52b6599a6c99bcd6bb

SHA512
d3971fd1b06bbc0c04f6b1296cf2a710acc48d26731598ec6eb440c1830ab1e6926052738503fe0e01e0c7b15b12f07bd25e683b8ad37f99dbf5d513a4042bd3

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2344-613-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2344-1044-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2344-1046-0x000007FEF5C40000-0x000007FEF5C7A000-memory.dmp

Filesize
232KB

Download
memory/2344-614-0x000007FEF5C80000-0x000007FEF5CBA000-memory.dmp

Filesize
232KB

Download
memory/2364-1045-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2364-1049-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download