2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Memz.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Memz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Memz.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Memz.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000e8057adf68ada6d1c64f8b176b9403c86b7dc17196448bffce82d113ba681080000000000e80000000020000200000005c49e1b8750dc8adac46e4572e8d98da1aef419816e104bebd86b91bd242f1879000000075ae430363c204dec980f4af92433c3f51c02d64504a753398806e9bab580e85eff575764866dc681012677fda23f2146968f301fae7c49ca6646661ccb03c8a80e127f66b0a5f18d5216c1f2584dad81912cadf8b2d164adfc9cbc4349ad4786b3f8bb5a3d6cbbbec8d685e10e9d16fa9a08d115c94e18f552d811552849656dbc24e6a3ba1dc369dec4de6bde5aa8c400000009478564d8484cb78daa2c5828f0b575596ca9c296f7ed52eeffce7ce2eeb717a6750fcd3db629a69b2204a31dcb65f31c371b1b71daf1b71eb867fdf447c1529	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a960690000000002000000000010660000000100002000000009085f6cfc6801a64a5ebd43eeea7090f9e613890b5db0adea156844a9571607000000000e8000000002000020000000a76c6628e4a3f668b6190ebbb67fea9c671e4561cd5fc20616cdfc832cd8152e20000000ef39cf05c378e24861a02a48cfd7967588b4f1c005a77dc09cbbb46ba02620f3400000000bbf65af5241aacace261dcc1afe0e5f423b2c9842b3b381fe70ac21fb83eac2b68c362794eb4cf111d14ffa156dee266b6985bfca4d3c9fb9f8f6fc4eb87e07	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D4D78851-032C-11EF-9F07-6E6327E9C5D7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04bdea53997da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Memz.exeMemz.exeMemz.exeMemz.exeMemz.exe

pid	process
2500	Memz.exe
2108	Memz.exe
2500	Memz.exe
2240	Memz.exe
2536	Memz.exe
2108	Memz.exe
2500	Memz.exe
2240	Memz.exe
2604	Memz.exe
2536	Memz.exe
2500	Memz.exe
2108	Memz.exe
2604	Memz.exe
2240	Memz.exe
2536	Memz.exe
2108	Memz.exe
2240	Memz.exe
2500	Memz.exe
2604	Memz.exe
2108	Memz.exe
2500	Memz.exe
2536	Memz.exe
2604	Memz.exe
2240	Memz.exe
2108	Memz.exe
2536	Memz.exe
2240	Memz.exe
2500	Memz.exe
2604	Memz.exe
2536	Memz.exe
2500	Memz.exe
2108	Memz.exe
2240	Memz.exe
2604	Memz.exe
2108	Memz.exe
2536	Memz.exe
2500	Memz.exe
2604	Memz.exe
2240	Memz.exe
2108	Memz.exe
2500	Memz.exe
2536	Memz.exe
2240	Memz.exe
2604	Memz.exe
2536	Memz.exe
2108	Memz.exe
2604	Memz.exe
2500	Memz.exe
2240	Memz.exe
2604	Memz.exe
2240	Memz.exe
2536	Memz.exe
2108	Memz.exe
2500	Memz.exe
2108	Memz.exe
2536	Memz.exe
2604	Memz.exe
2240	Memz.exe
2500	Memz.exe
2536	Memz.exe
2240	Memz.exe
2500	Memz.exe
2108	Memz.exe
2604	Memz.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2652 iexplore.exe

pid	process
2652	iexplore.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

wordpad.exemspaint.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2420	wordpad.exe
2420	wordpad.exe
2420	wordpad.exe
2420	wordpad.exe
2420	wordpad.exe
1552	mspaint.exe
1552	mspaint.exe
1552	mspaint.exe
1552	mspaint.exe
2652	iexplore.exe
2652	iexplore.exe
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Memz.exeMemz.exewordpad.exeiexplore.exe

description	pid	process	target process
PID 3064 wrote to memory of 2500	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2500	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2500	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2500	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2108	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2108	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2108	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2108	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2240	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2240	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2240	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2240	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2536	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2536	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2536	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2536	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2604	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2604	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2604	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2604	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2680	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2680	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2680	3064	Memz.exe	Memz.exe
PID 3064 wrote to memory of 2680	3064	Memz.exe	Memz.exe
PID 2680 wrote to memory of 2556	2680	Memz.exe	notepad.exe
PID 2680 wrote to memory of 2556	2680	Memz.exe	notepad.exe
PID 2680 wrote to memory of 2556	2680	Memz.exe	notepad.exe
PID 2680 wrote to memory of 2556	2680	Memz.exe	notepad.exe
PID 2680 wrote to memory of 2420	2680	Memz.exe	wordpad.exe
PID 2680 wrote to memory of 2420	2680	Memz.exe	wordpad.exe
PID 2680 wrote to memory of 2420	2680	Memz.exe	wordpad.exe
PID 2680 wrote to memory of 2420	2680	Memz.exe	wordpad.exe
PID 2420 wrote to memory of 2456	2420	wordpad.exe	splwow64.exe
PID 2420 wrote to memory of 2456	2420	wordpad.exe	splwow64.exe
PID 2420 wrote to memory of 2456	2420	wordpad.exe	splwow64.exe
PID 2420 wrote to memory of 2456	2420	wordpad.exe	splwow64.exe
PID 2680 wrote to memory of 1552	2680	Memz.exe	mspaint.exe
PID 2680 wrote to memory of 1552	2680	Memz.exe	mspaint.exe
PID 2680 wrote to memory of 1552	2680	Memz.exe	mspaint.exe
PID 2680 wrote to memory of 1552	2680	Memz.exe	mspaint.exe
PID 2680 wrote to memory of 2652	2680	Memz.exe	iexplore.exe
PID 2680 wrote to memory of 2652	2680	Memz.exe	iexplore.exe
PID 2680 wrote to memory of 2652	2680	Memz.exe	iexplore.exe
PID 2680 wrote to memory of 2652	2680	Memz.exe	iexplore.exe
PID 2652 wrote to memory of 2936	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2936	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2936	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2936	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2896	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2896	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2896	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2896	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2144	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2144	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2144	2652	iexplore.exe	IEXPLORE.EXE
PID 2652 wrote to memory of 2144	2652	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Memz.exe
"C:\Users\Admin\AppData\Local\Temp\Memz.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2556
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1552
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=vinesauce+meme+collection
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2936
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275474 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2896
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:209945 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2144

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
4ec20346a7b5dd75cfde7b15df208cf0

SHA1
517b437fc42dfc6e2f0d055dc678a0c080d47a0b

SHA256
4e3ee32076baf8538d9b9473169229647c419aa92f4bef71fb12fb714ac4e77d

SHA512
dff871a49c68eebb57eb5d21c197c5f47adc2444edde5f9da25c35a91519747cdb07aae26adfebcf0e48409f45ed8e040ec1c777910942aa7c18268bc6bcd7d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_58CE33FE794A546ABE22647AB5C8AA99

Filesize
471B

MD5
bc43f7d8588cb0093321be4a04a3037a

SHA1
9930e37d4c58310ea562a9403ee858c84ac870c5

SHA256
3359165a3908d8576f6132b3e8b70dc0d08c6d4b3a6e4217c0adeb05dd1c4a7c

SHA512
188559e47ffc97ea0fb2ea3b0aa3f771debd6fcf021c77711d2f213662043a43223d81f62af6aa5c89373a87a6b4e2ea50207f95045641e75360317bd56507b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_E52F12F30DE193E10231A582710DFC46

Filesize
472B

MD5
4df4254b42da108df7c1cb3a33cc8ddd

SHA1
c35a314eec69da5b6e217d24885b8455cfc87bcd

SHA256
1d143e54529f08ee7ddb8b081da329202d0fd7fd3ebbd707e5a4caebf40b1d84

SHA512
a9f7addf795cfc4a91b61bdfec447ad555bd95389670be91bbafb96cf0c994e4cc6a26d37482497002a04f94b2d102df87da393358afdbb1fcc4e73cc1833fec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
6a1345b80e78865759200e38904549dd

SHA1
325c02b7bf9a2d32b9e51f439a0b8b348b8b6f0f

SHA256
d14a0269274a21b3462f6d91117d33eea7a9d724e158d2fcf28566e11f8e39c5

SHA512
304c9274f05cc19d1aa22b9dd6ba058f2b3e420d03ee1f70ae936bf3cf851284bec8832b3bbc376cbb4967c2bc92a154deff9d6eea7993f913530174f61ce67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a1978278aa0b40f5e93cb5eac24a090

SHA1
3e35189517386a43ef6e5d09661189eb82e936a4

SHA256
93f980021e2e013874e8bc72a707edb773cdf02a6d8fc3f56e4d36fe82e21feb

SHA512
550c2c09193e74867526243883046c839a3d374373d10a745484be7eb461087d6c3aaa0df62f8600948585aab4a690bc0b7e4533e815f66f311bfdbc5d115794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c30bc5835d36ec82a71c9e9e79086874

SHA1
a204875321f87a51b9fb0ffe8192dd231ca5e334

SHA256
a20478ccf8e96a94d07b383da431dc6e8b10e31f47a7a872e0044062bc76d2c8

SHA512
782529c4fac5974973a0bc0b2df403bf7be9196c13a9d189fb8eaa18c85460619560ce7e8abfe878867f7fa95d247f78b1740e5fa217696a8602e56d56fb6fb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ed86e707de7b2164e1359ce15c444a7

SHA1
a8247c3524f5180c1db12cc671d7cc7836a8cb01

SHA256
a943ca2f3df3b488ba59b7bdbc077b3d27c5a182c2e75426c9490556b743a9a2

SHA512
129d286d2ac7da2b76ff6d32e559f7e83a77d84dc91887940c1d2a529b4d8ca0a23954baead310f278f10e5607ce90d1645dfc6cc6a242c5848ee81a68c5bd81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
ed54b70b73172ea24f686dc6f5e4c172

SHA1
dc00b8f520b51477c4cdc556e2de91d6603d3a53

SHA256
43132b69c4703c4067b930f4f8d05d1d5c20401e075b4ee87c16ec98cd6f9af1

SHA512
8130fb5d8dc075a4f8bf27f409769804e2acc9a60715fdabdd722ca908dbbcbf36179bbaed9b1d48f9077127b45f9c5f39b67229f353a28d72c7bea1e41874aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_58CE33FE794A546ABE22647AB5C8AA99

Filesize
410B

MD5
ba4535fd5203132500bf9882cfb22d19

SHA1
2791d15b229966433bd34fa010e5e30a4131e5f2

SHA256
566a284d92f272adf5f7ffce9eb115d9bd50ac0dad89829988e35d01694f1083

SHA512
278ce2825af833bf18bec6aa5f0d74e12049704cf6aee13b9c421be272cfd3a4e23581c9e28077d6ef39cdee80e749ece60e35659a7faa62820244ba0b2f109e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_E52F12F30DE193E10231A582710DFC46

Filesize
402B

MD5
d42fbf99742c916beee5805dbef644d9

SHA1
bf9a4ed21398357dfd76e4587aec328ad16a70ef

SHA256
a70b33f01ec1c6b71fba400b91bfa28c2e07ca5eeaebd68d779037886c5cb0b2

SHA512
d5c1ceeb1ab497fe0c9b731b1d32b04d9b8f4fb775572e6cae6c914d7ffd701766410d368014f15b7de8795a4cc01436a4636782aa4c2c7286b5af09c6f400a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat

Filesize
5KB

MD5
2e05dbcc57781a19dfca16d915f36f8a

SHA1
2df5a0a555a50434f6d92d319b8e98490165ebdc

SHA256
9a81486e589a2fba2d3a5e7098aead3554d12db43161dfae6593f27df7084603

SHA512
4d2120612dfb34eeece6dd0a277fb52402347871c5144955ad6cf0e90ca2e020e4dd1c51267988102c35620ae200c17d37ae40281c570f446bf856c040e2a6f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAB5D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB60.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB085.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MVUBQDDT.txt

Filesize
624B

MD5
372bf8c537a734d5666a7ac791c73a84

SHA1
600529296f3298eb1ef8c7d2bdf00dc3b77ad2c8

SHA256
17d197db973e834d241db28e6f8f29f954cfe94152f9cdfbb6f04c0f60804895

SHA512
91eecdc755826023f32b33eb7f86870902fa856c7ebdf32ab5f728be6c446b41f4b99e64d17ae11a0e9546bd634150d52961729647e6da23dc1afb4505978ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R18VKO4F.txt

Filesize
632B

MD5
ec3cd8c5b6e7f757e52a52f6e6ebc4da

SHA1
5b71286e5fc141879afe3e463e3da49a5d772425

SHA256
5ed1b0357cdc101aaaa7cdea18ce8e16b1a31271ecd38e66fc72d5ad710ab24f

SHA512
1fb3ba648e5b465b12698531b01fdb1494873a7e7f23b74dd4d7578c61383f9a32d4ee0a8d3da92d4d63589335d458fa05edd565647c3518ad023e51db1c317a

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1552-5-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2420-4-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2420-2-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download