2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Memz.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Memz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Memz.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Memz.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06D53E01-032E-11EF-919D-C273E1627A77} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c634400c5019744b9338067ad3829abd0000000002000000000010660000000100002000000021edc359ad38f82d93693288e465eae4e4744d8cca15f2b3bb11bdc35944824f000000000e8000000002000020000000912282875ad35a039d251ddc7b214cb02aafd3d2d084ab55d5272f07753effee2000000058acc48f8f893db8e2a84b3b759164e3d82d7b1e11bc84cd7ca8e0e8d218992b400000001a1b9464e79ea9c0b63b06dca22896095b7a6e6a4bd222cc8ef2f7594e3847bbe1a08c3b29353a12df48381727274db6a33bcffd1c8eac90c4cf5c2001e2bf7d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d03b56db3a97da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1606C4C1-032E-11EF-919D-C273E1627A77} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c634400c5019744b9338067ad3829abd00000000020000000000106600000001000020000000f94048e0b23506a408c5dabf13ee2b3ba9e2fc400a906086d03ea969b3a0c5d8000000000e8000000002000020000000ed747fa52e24e1789b5a6f96f38a2a6befe46de2a451fc10bcb28b3acf4483409000000084801760d719f4227668c556049007d64374b27b8d1a472c507023b31f0ecb66537af1c3490499d553780224fc45a9795d1f22536b918b26c220976611802c3dbaa3a5f3343b13eb5768aeb1a06891e4edfec126f4c1f594ca833ddb095dd0a4d515de92f7b940ab0a19385b82b984a42e30b7c909dd818f244a63189c1bf70843cf2e333cec535de9f57753be89752b40000000babbe9df50385b8cd115068db04bfa302e5dfc6aa8b78a7f63bde9d6c50c3ec57cde1811253ea52f40525a1d66be74d8959de7c6e2aae77e9639c35e10322813	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Memz.exeMemz.exeMemz.exeMemz.exeMemz.exe

pid	process
3032	Memz.exe
3032	Memz.exe
940	Memz.exe
940	Memz.exe
3032	Memz.exe
3068	Memz.exe
3068	Memz.exe
940	Memz.exe
2176	Memz.exe
2160	Memz.exe
3032	Memz.exe
940	Memz.exe
3032	Memz.exe
2176	Memz.exe
2160	Memz.exe
3068	Memz.exe
940	Memz.exe
3068	Memz.exe
2160	Memz.exe
2176	Memz.exe
3032	Memz.exe
940	Memz.exe
2176	Memz.exe
2160	Memz.exe
3068	Memz.exe
3032	Memz.exe
3032	Memz.exe
940	Memz.exe
2176	Memz.exe
2160	Memz.exe
3068	Memz.exe
2176	Memz.exe
3068	Memz.exe
3032	Memz.exe
940	Memz.exe
2160	Memz.exe
2160	Memz.exe
940	Memz.exe
3032	Memz.exe
2176	Memz.exe
3068	Memz.exe
940	Memz.exe
3068	Memz.exe
2176	Memz.exe
3032	Memz.exe
2160	Memz.exe
2160	Memz.exe
2176	Memz.exe
3068	Memz.exe
940	Memz.exe
3032	Memz.exe
2176	Memz.exe
940	Memz.exe
3068	Memz.exe
2160	Memz.exe
3032	Memz.exe
3032	Memz.exe
940	Memz.exe
2160	Memz.exe
2176	Memz.exe
3068	Memz.exe
2176	Memz.exe
940	Memz.exe
3032	Memz.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

mmc.exeAUDIODG.EXE

description	pid	process
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	2956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2956	AUDIODG.EXE
Token: 33	2956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2956	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

3052 iexplore.exe
2084 iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEmmc.exemmc.exe

pid	process
3052	iexplore.exe
3052	iexplore.exe
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2084	iexplore.exe
2084	iexplore.exe
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2832	mmc.exe
1952	mmc.exe
1952	mmc.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

Memz.exeMemz.exeiexplore.exeiexplore.exemmc.exe

description	pid	process	target process
PID 1652 wrote to memory of 3032	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3032	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3032	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3032	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 940	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 940	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 940	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 940	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3068	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3068	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3068	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3068	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 2176	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 2176	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 2176	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 2176	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 2160	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 2160	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 2160	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 2160	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3028	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3028	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3028	1652	Memz.exe	Memz.exe
PID 1652 wrote to memory of 3028	1652	Memz.exe	Memz.exe
PID 3028 wrote to memory of 2568	3028	Memz.exe	notepad.exe
PID 3028 wrote to memory of 2568	3028	Memz.exe	notepad.exe
PID 3028 wrote to memory of 2568	3028	Memz.exe	notepad.exe
PID 3028 wrote to memory of 2568	3028	Memz.exe	notepad.exe
PID 3028 wrote to memory of 3052	3028	Memz.exe	iexplore.exe
PID 3028 wrote to memory of 3052	3028	Memz.exe	iexplore.exe
PID 3028 wrote to memory of 3052	3028	Memz.exe	iexplore.exe
PID 3028 wrote to memory of 3052	3028	Memz.exe	iexplore.exe
PID 3052 wrote to memory of 2688	3052	iexplore.exe	IEXPLORE.EXE
PID 3052 wrote to memory of 2688	3052	iexplore.exe	IEXPLORE.EXE
PID 3052 wrote to memory of 2688	3052	iexplore.exe	IEXPLORE.EXE
PID 3052 wrote to memory of 2688	3052	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 2084	3028	Memz.exe	iexplore.exe
PID 3028 wrote to memory of 2084	3028	Memz.exe	iexplore.exe
PID 3028 wrote to memory of 2084	3028	Memz.exe	iexplore.exe
PID 3028 wrote to memory of 2084	3028	Memz.exe	iexplore.exe
PID 2084 wrote to memory of 3000	2084	iexplore.exe	IEXPLORE.EXE
PID 2084 wrote to memory of 3000	2084	iexplore.exe	IEXPLORE.EXE
PID 2084 wrote to memory of 3000	2084	iexplore.exe	IEXPLORE.EXE
PID 2084 wrote to memory of 3000	2084	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 1948	3028	Memz.exe	control.exe
PID 3028 wrote to memory of 1948	3028	Memz.exe	control.exe
PID 3028 wrote to memory of 1948	3028	Memz.exe	control.exe
PID 3028 wrote to memory of 1948	3028	Memz.exe	control.exe
PID 3028 wrote to memory of 2596	3028	Memz.exe	cmd.exe
PID 3028 wrote to memory of 2596	3028	Memz.exe	cmd.exe
PID 3028 wrote to memory of 2596	3028	Memz.exe	cmd.exe
PID 3028 wrote to memory of 2596	3028	Memz.exe	cmd.exe
PID 3028 wrote to memory of 2832	3028	Memz.exe	mmc.exe
PID 3028 wrote to memory of 2832	3028	Memz.exe	mmc.exe
PID 3028 wrote to memory of 2832	3028	Memz.exe	mmc.exe
PID 3028 wrote to memory of 2832	3028	Memz.exe	mmc.exe
PID 2832 wrote to memory of 1952	2832	mmc.exe	mmc.exe
PID 2832 wrote to memory of 1952	2832	mmc.exe	mmc.exe
PID 2832 wrote to memory of 1952	2832	mmc.exe	mmc.exe
PID 2832 wrote to memory of 1952	2832	mmc.exe	mmc.exe

C:\Users\Admin\AppData\Local\Temp\Memz.exe
"C:\Users\Admin\AppData\Local\Temp\Memz.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:940
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2568
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://play.clubpenguin.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2688
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+2+buy+weed
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3000
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1952

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e86ab7112e4b2ff8c2c0ad3f76a32b8a

SHA1
c34f50cd04f20d923892c0dfdef897380a70eae6

SHA256
cf25dcba5a53c98fceac2bdc1c163d790cc54eb554ea7855eb7f0100303f21e3

SHA512
e491169891baf0327a3eafcfb07a889080ca612cc565e887bcd08b5e6eef20a6c86b8e25535807153305b979721e4267955ec0de0b60b40cf5a16fe680d37630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
392cd811a836c28461d37e5fd1a03d93

SHA1
1a0f0690ef3758c9e8b3fc85d3a39391b399b0b7

SHA256
72120f1d30d0a00eb5e3aecf7e2bef8efd5c77eb64bfb672670b95c38c661b7d

SHA512
b94c3a9f000dfe73f30c768b5c2dca97f58ecefc1b75d090d4897860e6f91498d7f437067a949e94a1f5dbcaf051af2d446fa18e06b2ab0e7ac6c4b80a82d311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f6c4993ce93467091122ee026f7a369

SHA1
17c20abbccaf7221f0f0edb5b4b6144d5b1137eb

SHA256
a1779f09d4bdc15cb6e3ae2f5c903ca422c6718e7f4af76fb011a0d93912d57a

SHA512
90523c13c0490065a2d999d75e46dffb34f0ef5c48e5be332d8eb5afa16a4eee4f3da28e32726117aa6f338076f7a72ba5ecaa95408de129c4bebd0944384835

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8617324f73ae895eeef9d074699b8c1d

SHA1
be27a0e690901c96cd69c5b7e6e152c42788e410

SHA256
48a8fae81bff011c7f987d404e6a1ca0d37ece8b90ed5c8a995e3a94bf088917

SHA512
22b9eb0261d22e16fda6431ce7cb09ef07fc29ef633f5bdae41c7fb860bfdad15b483d9bc3e52411f1d51b292370be4cd4cfed9b81c41a826d20dfa70939c149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ded8857a68a384ddcc6a996540d8a4a4

SHA1
144e72a1eecc8d12f8651328d823f2796beace90

SHA256
b543d0ddc12996133943024fe753ee2f0309f26baf62c749a4cfda8e40836381

SHA512
b9c8b0aa196b3683d340db439d672baef23dc04bf80510477b0311487ece6660f6e2430c1b24de08c977a1cf9b9dff207bb9d650caa05f870320df98ba694097

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a60e31da3dcdb9a600abf9b416cd52be

SHA1
a1a0b67f25d0494381b919aa225428e67c1398f0

SHA256
c0382885d09a5f93e06b43d5d03debd7928d9cc3e118427302c1dcf7ba791389

SHA512
587ef044bfba4f6c2e62b39d07feb519e368e63c62cad9548b7a6c7948dbcbab59c74566927727454aad1cfcee227d8ae1f2b2d8b7581a459b7bd09c34c88d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
645b79ad80cb46d54b8ee738de74ab77

SHA1
43dfc08e0f468e6428202680898fc6855e1a3926

SHA256
c51c4682c7adb36ca03a8e7bf18c618246fe057523e25f0da02040f4a8d8fce1

SHA512
525d662180699f6270dbad0e457dab9d1e749d92d9357be2e3e892d26703fbc9542559a93cc9f6abbf7706ae0678a01b524573b506fd4f68ed1dff4a15d2c0ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c99ec93edf44460e3f355a95ff9fa96

SHA1
c5a7920dff22b8f670ace19ae6a8dc277eba7c8b

SHA256
98f58210e36867b32f8f8c2a2691e97628042e794dfd18d3250f337d0e51e12e

SHA512
b56ab5add3f0d13205a1bd4aeaafb323296c9c6a3ae0f6024dc99217659d4ad3dfd84336b14e1e1daa2915774ca027f60d6fd8f856d01c1031965cc8f13359b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d928576adc28868dc80f6a562f16e7a4

SHA1
a9f3b2ab41aac884b3d2456f565655c09d3d4cac

SHA256
95dfe3f51bd0ab3cc5f56fca6bd02ee5f8fb08a39b679029418f3c08505eae78

SHA512
fb07fb46602aec58dc6f2d306c2b0149937e1444aad8ae3c187b85900371a1773f3b8d2b3f79c20e963206eb1e7509fd7b10e909df180aeca1249a3355b1f01d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b480ba38f71bb6924fa6bb206c27295d

SHA1
3062d5ce8d9162b22f7db8e48d2447a29a1d7c77

SHA256
8ed2ec3b924ef0be0dd160ae47184e27c6aa75c434ea4a1d718f3d7049e86e87

SHA512
09dfd4c0b39d1b32c7207e105df9419c88aec46243f31f6e976b5561de2a77ff1e4f35606ceea0b22c118612f96cf7834a7b92feaa9cfd5a1c43a69bfea667a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb24ba3ac0d5369b49b5f91e79e88e43

SHA1
a28bfd76f6979304d31e7315488a381fc2b1ae4d

SHA256
35a760c776fc6cc3bc6a87d5aefffa1586c7b7cb714fd0464cc2b0f8ed430c1f

SHA512
97299b5f6479011368f2903423e2fd7e39851dbac8f049f8035b676cbd903075894488bf45d8ad4bf7e8da56a7c204a77a14c4483d7766da4739ec0d1ce76a6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fb41ab60f844d4f643cbb8b54491ea6

SHA1
cae8826485b05c23104664f52734f7ea28f6a816

SHA256
0efffb90a69b9ee83f03072b5d49318ddb6cf570193d10cf9cabee1e3b9333b2

SHA512
5e3d6da1583f1d0a42014bab2e7d3a73185f0772445ae415542e93ba7916695ee7c499c899c33f77ab5205d4e5b6f0f656648d63cf6a183585f954cec5009eb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59bb94b053af35a9c357e7c016651fa2

SHA1
126a2ed4afd4430284d33fc0b9595811620fbe98

SHA256
c264c7cc332cebb9028ba041755dddd9df1b8eb2df1e5adc75a67e3a59534cd3

SHA512
a4c9b71ed2cc91bc62638c3cbf6e3a6ad3ad414078fe60b8c7ed34f1f98dba56c56fcc7c921b52d349108cb6ab411e9780a69fc7952aa21089246f89ea7def79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fc2eb09dbe93457ae9f1aabca403db6

SHA1
a56f98595727355164bc6ea241a4e5d2afa0c71d

SHA256
40fcf9bd28c0ae5e7f0a41af9c687eb96798dc7878d052fd4c50f536c2ed630e

SHA512
67c3de3db99107cca2639f8bc3bece7bca6735ac2a9ea3c1983746b0f62733ede1c9f1cc90961c2de9183663db8e2559105687f05d30e97eb0412dc1c8c0c98b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c29e8b6fb10401337e67425433c5859d

SHA1
097b2189e713bbcb01c1827245580f0e88c2851c

SHA256
4baa39bc33e17e9c77cb9ab2c5fdc62afffe88ae210ae1fdcf88a1372dc60671

SHA512
1dacc14cfbe2a074308ee8fcf5850f4633aa13b3c3209520e22b8f95339df035884c3d0b8f6bf3605f8088fd62875112eef3ca844e97283a724a5009addda033

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
828fb6eb66f7867ed404d6799ed59a41

SHA1
f2a2a179ceda368888bd40e0e0648d39c461e278

SHA256
d7787d7da3f4b4739610d4ce1db525ff241d2ba25265e8296adbe6d74b265be9

SHA512
f55f9593694b8f6517fefdcd324dfaeb9a2a99de84ca167e0f0acdea1c9a3620e4f45e777582dbd4585da5ce9c1be047745d73475f327fea114b00d45b57d54f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dbef8c45f8a0a7d2ba7c925fe6b44246

SHA1
b6c09103221385f6feeae686c17989e524316e24

SHA256
fc3bf906bfb3c93453cf97629838af66a2c17a47716ec99f83b3888835169f54

SHA512
d4a78e8ffda694d560db293a3c11138b8089daf4915eaed91176a30000b390ccca7ee66c6660e04d3b292912662159c70cd7cbef5b7f68e3c54def6ea2f01471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11d54c471b195f9210d99711818bad35

SHA1
0b47077accd796ce5007a5af851ecb41be150855

SHA256
818d355b00c0983ec210ffb33aed38c85386f0fd43121855886f949e80c2e173

SHA512
ca8fd64b8dafee1a9edcc11b41444f6dcafe89aa0e4a22c4735a564876d7f7d3da04a3804526e6b75b268f61094d521d9aa1bd46cfcb61e0c4b43af08694b325

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7d8ae6405ffd7bde8ba5368362c1b10

SHA1
52590fc996602eebaed5a4f0525e90a4c5f000d3

SHA256
7ed4b12758dd3d4feb596c8dc0d2c0abafdd6ec7faa24d13aef3a88d13c2f379

SHA512
79a92b68795789a4642ff7d44f1fd55bad64a8abd8dc47f7b9de4ab93f6c8cb495a295689c22809a2fcb8d18328ea109cd413d918eb9162d70056012b03281b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ac974714ca21193f365a71dc4dfae9b

SHA1
a557237fba437760ca002b1ac620a378f939c9d1

SHA256
56de5af00733eff8068bd8d434eee4077662454f52677e73f35686a869219f5f

SHA512
af93ed93885c41b1e75e174ff923d606cd8884d1046c6d17675e04359331f09bc6389eee1584ae08837b8ce42e2aea1c2437efd49ab89b5fb5df288104bf4c61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
359b1c6439c375ff4d22996b4030797f

SHA1
2f24b487b3a930cda714736b234f168951a0fb89

SHA256
e4182feba71c4ddc27bcbfc3ad9d06f0c462d9951ba568395df48ef1d762b810

SHA512
385aa29579d8c3324e459199b20fe5c5bfbc73b4627f376da9c4085b96862f8b51e8316e663392a50ad71b41dbd72d2ee4e2c858b5fead52513935496778ef49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4f5b33687d0764dbd0384bb8c15ef114

SHA1
f12b41b571dd0323ce62a6e71ab77c72ca737e1c

SHA256
f3e3f4b3320df087dcc5067543c190af84c00eb9280ddc0ce57a3bb87cd48eba

SHA512
82eb58d6d14fcb10fbc9485a048013b72607553d6beaca29f6755f62de2e504458493dac9a2c75bfee2c2eed225c03f99c2b8233bea82f6c15c27f01d3233186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06D53E01-032E-11EF-919D-C273E1627A77}.dat

Filesize
5KB

MD5
f3be9630098af62d707dbf944f4e9193

SHA1
1ed10aa729e2948d0a1a07f4a53239ebdd28aa04

SHA256
36b73558e1e1e5154ca232b2d7bc949f756b2b49d0ffba202a59ec711917ae24

SHA512
f78fb40eb3f8f4ea25f080c8b8bb060eb7c0d873516b17dc6a2dfcfada36abc0d707c6daea0ebc382d882f0804a035ab8a302d62872b45ce0c72c8fffa3c14ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{D6F58CF0-8EDC-11EE-8BED-7ED9061E9C39}.dat

Filesize
5KB

MD5
492c1e803642e7f72b8b42295589789a

SHA1
8ac5dded02718f4139883a8a08f4d9e4eb9c8781

SHA256
a281d1fad4f89866ab3f83558ebd072bbf1ac1cbab21bf3bb5d39d6322ddda2c

SHA512
c1ff013368b26d7321cf5c4ef5ec6a837f579c2d6d91a9763e13105a5e3fbdf60fb0d979beb9b0a8734db25aa2c1643172d9dd2db32c3c8cf086df06c17276f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{06D53E04-032E-11EF-919D-C273E1627A77}.dat

Filesize
4KB

MD5
ad7a57434fec62166b0cd985c0446996

SHA1
b1141358eaace6568fea8d6985d6c73b20743828

SHA256
db42094db071ce8da3a381e428e16f2377469c9b41923190df6e0660773962a1

SHA512
054d85b52bbcc446b4d98898ed7412cd975228c12b279b9c7add8cd7d973e7b03267a864eee03a9a419696e8d3fab5b0da91f6c18698a917071318315b794df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat

Filesize
5KB

MD5
dc6d3396f3a9cc45b4f0eded1427b11d

SHA1
166b5a3ae5a25d2e43d4ded41d61a88298bc8556

SHA256
f9fb31302f83280dc7b1f212d6656039e97c8a2f9e07c4c0b1e36073fa6e1575

SHA512
74936b3a18bfc7fc3e0d0e08090a0a181c4303a5b2a49c6d9412ea05c070652b556758fa8411f6bf0df8cdb5af910dc91b3087c6f3fcc6387253aa0137892d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MA0CYFYJ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD0AD.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF5B19C5D6527BBD60.TMP

Filesize
20KB

MD5
9c6712e9e375f854ba5416d34131b6ba

SHA1
50d56817d999ab3adf8dc339d96c8a424af51ad6

SHA256
e7b8c2cea1a91a52cd3bcd931d4c330a34c89cbe4b8871a898dcb6f45e3817d7

SHA512
66efa15f21d0d6a6bcec433c792596a090e283c4a949b61b6f559b1f20a0086367e21ae05e4f92d592dc669a35d378b500b94e96086d19d69ad1bcae9d6ecf6a

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1952-1101-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1952-1102-0x000007FEF7A60000-0x000007FEF7A9A000-memory.dmp

Filesize
232KB

Download
memory/2568-1095-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download