Resubmissions
17-06-2024 03:53   240617-ef1fwashle   7
15-06-2024 06:53   240615-hnsb1s1fre   7
15-06-2024 06:47   240615-hkmblavfmk   7

Analysis
max time kernel: 127s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 06:47
Static task: static1
Behavioral task: behavioral1, sample MEMZ.exe, resource win7-20240221-en
Behavioral task: behavioral2, sample MEMZ.exe, resource win10v2004-20240611-en
General
Target: MEMZ.exe
Size: 16KB
MD5: 1d5ad9c8d3fee874d0feb8bfac220a11
SHA1: ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256: 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512: c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP: 192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN
Malware Config
Signatures
Writes to the Master Boot Record (MBR)   1 TTPs   1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                     ioc                   process
  File opened for modification    \??\PhysicalDrive0    MEMZ.exe
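The IoC above is a single handle open with write intent on the raw disk object, which is all a bootstrap-code overwrite needs. The following is an added example, not code from the report or from the sample, of the two checks that follow from it: flag write-capable opens of raw disk or volume paths in behavioural events (the device-path patterns are this example's own, and the event tuples are constructed to mimic the report's description/ioc/process rows), and inspect a captured 512-byte MBR image against a known-good bootstrap-code hash, because a replaced loader can keep both the 0x55AA signature and the partition table intact. Both sector images are constructed here; nothing is read from a real disk.

```python
"""Two checks that follow from the 'opened \\??\\PhysicalDrive0 for modification' IoC.

Added example; not code from the sandbox report or from MEMZ. The event
tuples and the 512-byte sector images are constructed for the demo, and the
device-path patterns are this example's own choice.
"""
import hashlib
import re
import struct

# Spellings under which a user-mode process can open a disk or volume below
# the file system: Win32 \\.\ paths and the NT \??\ and \Device\ forms.
RAW_DISK_RE = re.compile(
    r"^(?:\\\?\?\\|\\\\\.\\)(?:PhysicalDrive\d+|[A-Za-z]:)$"
    r"|^\\Device\\Harddisk\d+\\(?:DR\d+|Partition\d+)$",
    re.IGNORECASE,
)

# Constructed events in the shape of the report's file IoCs: (process, operation, path).
SAMPLE_EVENTS = [
    ("MEMZ.exe", "File opened for modification", r"\??\PhysicalDrive0"),
    ("iexplore.exe", "File opened for modification", r"C:\Users\Admin\AppData\Local\Temp\CabCE38.tmp"),
    ("svchost.exe", "File opened for read", r"\??\PhysicalDrive0"),   # read-only access is not flagged
    ("MEMZ.exe", "File opened for modification", r"\\.\C:"),          # volume handle, also below NTFS
]


def raw_disk_writes(events):
    """Return (process, path) for every write-capable open of a raw disk or volume."""
    hits = []
    for process, operation, path in events:
        writable = any(word in operation.lower() for word in ("modification", "write"))
        if writable and RAW_DISK_RE.match(path):
            hits.append((process, path))
    return hits


# --- MBR image checks --------------------------------------------------------
SECTOR = 512
BOOTCODE_LEN = 446            # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode: bytes) -> bytes:
    """Construct a 512-byte MBR with the given bootstrap code and one active NTFS-type partition."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("bootstrap code does not fit")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    table = entry + b"\0" * 48
    return bootcode.ljust(BOOTCODE_LEN, b"\0") + table + BOOT_SIGNATURE


def bootcode_sha256(sector: bytes) -> str:
    """Hash only the bootstrap area, so an intact partition table cannot mask a replaced loader."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def inspect_mbr(sector: bytes, baseline_bootcode_sha256: str) -> dict:
    """Check the boot signature, compare bootstrap code with a known-good hash, decode the table."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:  # type 0 means the slot is empty
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "has_boot_signature": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_matches_baseline": bootcode_sha256(sector) == baseline_bootcode_sha256,
        "partitions": partitions,
    }


# Constructed images: a "known good" sector, and one whose loader was replaced
# while the partition table and the 0x55AA signature were left untouched.
BASELINE_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB")  # xor ax,ax / mov ss,ax / mov sp,7C00h / sti
BASELINE_HASH = bootcode_sha256(BASELINE_MBR)
TAMPERED_MBR = build_mbr(b"constructed replacement loader")


def verdict(sector: bytes, baseline_hash: str = BASELINE_HASH) -> str:
    """One-word triage result for a captured sector."""
    r = inspect_mbr(sector, baseline_hash)
    if not r["has_boot_signature"]:
        return "corrupt"
    if not r["bootcode_matches_baseline"]:
        return "bootcode-replaced"
    return "clean"


if __name__ == "__main__":
    print("raw disk writes:", raw_disk_writes(SAMPLE_EVENTS))
    print("baseline:", verdict(BASELINE_MBR), "| tampered:", verdict(TAMPERED_MBR))
```

The point of hashing only the first 446 bytes is that a tampered sector here still reports a valid signature and the same single partition, so a check limited to those two fields would pass it; the baseline hash has to come from the machine's own good sector, captured before the incident or from a known-good image.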
Enumerates physical storage devices   1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Every entry below is written by iexplore.exe or IEXPLORE.EXE, not by MEMZ.exe: it is the browser's own first-run and session state, produced because the /main process launched Internet Explorer with the google.co.ck search URL.
Processes (IE = \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer):
  description         ioc                                                               process
  Set value (int)     IE\TabbedBrowsing\NTPFirstRun = "1"                                iexplore.exe
  Key created         IE\BrowserEmulation\LowMic                                         iexplore.exe
  Key created         IE\GPU                                                             iexplore.exe
  Key created         IE\Toolbar                                                         iexplore.exe
  Key created         IE\Toolbar\WebBrowser                                              iexplore.exe
  Key created         IE\TabbedBrowsing                                                  iexplore.exe
  Set value (int)     IE\MINIE\TabBandWidth = "500"                                      iexplore.exe
  Set value (int)     IE\Main\CompatibilityFlags = "0"                                   iexplore.exe
  Set value (data)    IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000    iexplore.exe
  Set value (data)    IE\TabbedBrowsing\NewTabPage\LastProcessed = 60dba31cf0beda01      iexplore.exe
  Key created         IE\Zoom                                                            iexplore.exe
  Key created         IE\Main                                                            IEXPLORE.EXE
  Key created         IE\IntelliForms                                                    iexplore.exe
  Key created         IE\InternetRegistry                                                iexplore.exe
  Key created         IE\LowRegistry\DontShowMeThisDialogAgain                           iexplore.exe
  Set value (str)     IE\Main\WindowsSearch\Version = "WS not running"                   IEXPLORE.EXE
  Set value (int)     IE\SearchScopes\DownloadRetries = "3"                              iexplore.exe
  Set value (data)    IE\TabbedBrowsing\NewTabPage\MFV = …                               iexplore.exe
  Set value (int)     IE\DomainSuggestion\NextUpdateDate = "424595976"                   iexplore.exe
  Key created         IE\LowRegistry\DOMStorage                                          iexplore.exe
  Key created         IE\Recovery\PendingRecovery                                        iexplore.exe
  Set value (int)     IE\Recovery\PendingRecovery\AdminActive = "0"                      iexplore.exe
  Set value (str)     IE\Main\FullScreen = "no"                                          iexplore.exe
  Set value (int)     IE\Recovery\PendingRecovery\AdminActive = "1"                      iexplore.exe
  Key created         IE\SearchScopes                                                    iexplore.exe
  Key created         IE\Recovery\AdminActive                                            iexplore.exe
  Set value (str)     IE\Main\WindowsSearch\Version = "WS not running"                   iexplore.exe
  Key created         IE\Main                                                            IEXPLORE.EXE
  Set value (data)    IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000050570ed86928c64d9dfac5cf88fb98c800000000020000000000106600000001000020000000e3a3062a740a19af5fbb4be38f33c01ab3a0a4010b8283b20556b30e6138b541000000000e80000000020000200000003190403add59b8e3659aa340c886d066e916eab2700a0b96293fb4d2144125d220000000216a8ed28656e0194e78cdf0ea7671c2aafd17462a7174436c8361e66f049c3840000000a567bcc2b35aca5418044373b7e88a8c1b09923098d05c30397eae11ae411de530cb43d635180b620b7ee83ae95b1071de102b6b68a57ada0b5ae22672fe0670    iexplore.exe
  Key created         IE\PageSetup                                                       iexplore.exe
  Key created         IE\Main\WindowsSearch                                              iexplore.exe
  Key created         IE\TabbedBrowsing\NewTabPage                                       iexplore.exe
  Set value (int)     IE\Recovery\AdminActive\{4566F9B1-2AE3-11EF-873B-52ADCDCA366E} = "0"    iexplore.exe
  Key created         IE\Main\WindowsSearch                                              IEXPLORE.EXE
  Key created         IE\DomainSuggestion                                                iexplore.exe
  Key created         IE\MINIE                                                           iexplore.exe
  Key created         IE\Main                                                            iexplore.exe
  Key created         IE\IETld\LowMic                                                    iexplore.exe
  Key created         IE\LowRegistry                                                     iexplore.exe
Runs regedit.exe   1 IoCs
Processes:
  pid     process
  2008    regedit.exe
Suspicious behavior: EnumeratesProcesses   64 IoCs
Processes (64 events, all from the five MEMZ.exe /watchdog instances):
  pid     process
  1736    MEMZ.exe
  2392    MEMZ.exe
  2160    MEMZ.exe
  2332    MEMZ.exe
  2224    MEMZ.exe
Suspicious behavior: GetForegroundWindowSpam   2 IoCs
Processes:
  pid     process
  1936    taskmgr.exe
  1796    mmc.exe
Suspicious use of AdjustPrivilegeToken   7 IoCs
Processes:
  description                          pid     process
  Token: SeDebugPrivilege              1936    taskmgr.exe
  Token: 33                            1796    mmc.exe
  Token: SeIncBasePriorityPrivilege    1796    mmc.exe
  Token: 33                            1796    mmc.exe
  Token: SeIncBasePriorityPrivilege    1796    mmc.exe
  Token: 33                            1796    mmc.exe
  Token: SeIncBasePriorityPrivilege    1796    mmc.exe
Suspicious use of FindShellTrayWindow   64 IoCs
Processes (64 events; taskmgr.exe accounts for 62 of them):
  pid     process
  2584    iexplore.exe
  1936    taskmgr.exe
  1796    mmc.exe
Suspicious use of SendNotifyMessage   64 IoCs
Processes (64 events, all from one process):
  pid     process
  1936    taskmgr.exe
Suspicious use of SetWindowsHookEx   64 IoCs
Processes (64 events across these processes):
  pid     process
  2584    iexplore.exe
  2696    IEXPLORE.EXE
  2312    mmc.exe
  1796    mmc.exe
  3032    IEXPLORE.EXE
  2160    MEMZ.exe
  2332    MEMZ.exe
  2224    MEMZ.exe
  2392    MEMZ.exe
  1736    MEMZ.exe
Suspicious use of WriteProcessMemory   52 IoCs
Processes (13 parent/child pairs, each logged four times):
  pid     process         target pid    target process
  2512    MEMZ.exe        1736          MEMZ.exe
  2512    MEMZ.exe        2160          MEMZ.exe
  2512    MEMZ.exe        2392          MEMZ.exe
  2512    MEMZ.exe        2332          MEMZ.exe
  2512    MEMZ.exe        2224          MEMZ.exe
  2512    MEMZ.exe        2520          MEMZ.exe
  2520    MEMZ.exe        2536          notepad.exe
  2520    MEMZ.exe        2584          iexplore.exe
  2584    iexplore.exe    2696          IEXPLORE.EXE
  2520    MEMZ.exe        2008          regedit.exe
  2520    MEMZ.exe        2312          mmc.exe
  2312    mmc.exe         1796          mmc.exe
  2584    iexplore.exe    3032          IEXPLORE.EXE
A short burst of writes from a parent into each child it has just created, including iexplore.exe writing into its own IEXPLORE.EXE tab processes, is the normal CreateProcess start-up path, in which the parent places the new process's parameters into its address space; on its own it does not indicate injection. What the table does give you is the complete process tree with PIDs.
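Because each parent logs four writes per child, the 52 events above collapse to 13 parent/child pairs that describe the whole tree. The following is an added example, not code from the report or from the sample, that parses the report's own "PID X wrote to memory of Y" line format, de-duplicates it, renders the tree and counts same-image fan-out, which is where the MEMZ.exe /watchdog burst stands out. IOC_TEXT is a constructed excerpt of the report's lines, with one pair kept at its four repeats; the parsing and tree logic are this example's own.

```python
"""Rebuild the process tree from the report's WriteProcessMemory IoC lines.

Added example, not code from the sandbox or from MEMZ. IOC_TEXT is a
constructed excerpt: a subset of the report's own lines, with the first
pair kept at its original four repeats to show de-duplication.
"""
import re
from collections import defaultdict

IOC_TEXT = """
PID 2512 wrote to memory of 1736 2512 MEMZ.exe MEMZ.exe PID 2512 wrote to memory of 1736 2512 MEMZ.exe MEMZ.exe
PID 2512 wrote to memory of 1736 2512 MEMZ.exe MEMZ.exe PID 2512 wrote to memory of 1736 2512 MEMZ.exe MEMZ.exe
PID 2512 wrote to memory of 2160 2512 MEMZ.exe MEMZ.exe PID 2512 wrote to memory of 2392 2512 MEMZ.exe MEMZ.exe
PID 2512 wrote to memory of 2332 2512 MEMZ.exe MEMZ.exe PID 2512 wrote to memory of 2224 2512 MEMZ.exe MEMZ.exe
PID 2512 wrote to memory of 2520 2512 MEMZ.exe MEMZ.exe PID 2520 wrote to memory of 2536 2520 MEMZ.exe notepad.exe
PID 2520 wrote to memory of 2584 2520 MEMZ.exe iexplore.exe PID 2584 wrote to memory of 2696 2584 iexplore.exe IEXPLORE.EXE
PID 2520 wrote to memory of 2008 2520 MEMZ.exe regedit.exe PID 2520 wrote to memory of 2312 2520 MEMZ.exe mmc.exe
PID 2312 wrote to memory of 1796 2312 mmc.exe mmc.exe PID 2584 wrote to memory of 3032 2584 iexplore.exe IEXPLORE.EXE
"""

# Report layout: "PID <ppid> wrote to memory of <cpid> <ppid> <parent image> <child image>".
EVENT_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P=ppid) (?P<pname>\S+) (?P<cname>\S+)"
)


def parse_events(text):
    """Return the unique (ppid, pname, cpid, cname) edges and the raw event count."""
    edges, count = set(), 0
    for m in EVENT_RE.finditer(text):
        count += 1
        edges.add((int(m["ppid"]), m["pname"], int(m["cpid"]), m["cname"]))
    return edges, count


def build_tree(edges):
    """Index edges by parent; roots are parents that never appear as a child."""
    children, names = defaultdict(list), {}
    for ppid, pname, cpid, cname in edges:
        names[ppid], names[cpid] = pname, cname
        children[ppid].append(cpid)
    child_pids = {cpid for _, _, cpid, _ in edges}
    roots = sorted({ppid for ppid, _, _, _ in edges} - child_pids)
    return roots, children, names


def render_tree(roots, children, names, depth=0):
    """Indented one-line-per-process view, children ordered by PID."""
    lines = []
    for pid in roots:
        lines.append("  " * depth + f"{names[pid]} (PID {pid})")
        lines.extend(render_tree(sorted(children.get(pid, [])), children, names, depth + 1))
    return lines


def same_image_fanout(edges):
    """Per parent, how many children share the parent's image name.

    A parent that starts many copies of itself (here MEMZ.exe: five /watchdog
    children plus /main) stands out; browser tab processes give a small count
    and are expected.
    """
    fan = defaultdict(int)
    for ppid, pname, _, cname in edges:
        if pname.lower() == cname.lower():
            fan[(ppid, pname)] += 1
    return dict(fan)


def main():
    edges, count = parse_events(IOC_TEXT)
    print(f"{count} events, {len(edges)} unique parent/child pairs")
    print("\n".join(render_tree(*build_tree(edges))))
    print("same-image fan-out:", same_image_fanout(edges))


if __name__ == "__main__":
    main()
```

The `(?P=ppid)` back-reference is what makes the parse robust: it pins the repeated parent PID that follows the child PID, so a run-together line such as the report's is split at the right places without relying on line breaks.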
Processes
PIDs are taken from the WriteProcessMemory IoCs above. The SysWOW64 image paths of notepad.exe, regedit.exe and mmc.exe, against System32 in their command lines, show the 32-bit /main process being redirected by WoW64 file-system redirection; the 32-bit mmc.exe then starts the native C:\Windows\system32\mmc.exe.

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe   (PID 2512)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MEMZ.exe   (five instances: PIDs 1736, 2160, 2392, 2332, 2224; each carries the same two signatures)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\MEMZ.exe   (PID 2520)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe   (PID 2536)
      cmdline: "C:\Windows\System32\notepad.exe" \note.txt

    C:\Program Files\Internet Explorer\iexplore.exe   (PID 2584)
      cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+download+memz
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE   (PID 2696 or 3032)
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE   (PID 2696 or 3032)
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:2372624 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\regedit.exe   (PID 2008)
      cmdline: "C:\Windows\System32\regedit.exe"
      - Runs regedit.exe

    C:\Windows\SysWOW64\mmc.exe   (PID 2312)
      cmdline: "C:\Windows\System32\mmc.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\mmc.exe   (PID 1796)
        cmdline: "C:\Windows\system32\mmc.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskmgr.exe   (PID 1936)
  cmdline: "C:\Windows\system32\taskmgr.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
Nearly all of these files are side effects of the /main process launching Internet Explorer: the CryptnetUrlCache entries and the Cab*.tmp and Tar*.tmp files are CryptoAPI certificate and revocation-list retrievals, and imagestore.dat, favicon[1].ico and the Cookies file are browser cache. The only entry that originates from the sample itself is C:\note.txt, which the /main process hands to notepad.exe. The memory/1936-* entries are memory dumps of PID 1936 (taskmgr.exe), not files on disk.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: ac5336f1f174cbec803904fce0e8256b
  SHA1: c3f4bf7a2f88953e56db56275921a2695269503f
  SHA256: e26d49105fc12539a2bafdf47186ccf74046c5da69b2f4e8f8656da386118b93
  SHA512: 3b05ee314e3d041efa9ba89a458850bcf544e576aed810034490e3219605a1407b625d031481970f87b7b934a0a83756122f93043cccec71fd3a6a1494981f0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322
  Filesize: 471B
  MD5: 4182f0e25fba923f1901b9de3bb14a40
  SHA1: 73403b5efe56d62ff1ea5520e937bbcf2eec269a
  SHA256: 8cac4921af175e3c1c904d8494edfcc6bb289881aaa5a6892006dc2a32a34844
  SHA512: a64d067384cedecc443e34874c9d2b599a9002f6110e5a1b866f18ef89fb3133c9add2f26824b4e5b2e4f65cf2b6adcddf325ec3eef905a9b543746a50519d54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
  Filesize: 914B
  MD5: e4a68ac854ac5242460afd72481b2a44
  SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
  SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
  SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 724B
  MD5: ac89a852c2aaa3d389b2d2dd312ad367
  SHA1: 8f421dd6493c61dbda6b839e2debb7b50a20c930
  SHA256: 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
  SHA512: c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_A34D3B1C2EC7792CC8F97AA4FBCEACCA
  Filesize: 472B
  MD5: 8d988f4975d833a8a5965909a6736784
  SHA1: 4bc6c629faa5d8842ecb55dba62812bdea4d9a4c
  SHA256: 21a6e72528c8e6b98e5c5b4ff262b58648d8d532881ba4dc2b4e0727c6d448fa
  SHA512: 45cea9c59c28e22a82a646342b34fe42180d7ca673211750c75f5f01ed616b81217ab6deab29d0a926449eb2e60213b6828de6148408edf2c2eda2ab474c3bb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 2df41969ad596ca9381f7e4b1c9fa13c
  SHA1: 8cf571964b2d671bb77f58726947c5045b42ab30
  SHA256: 55761743cfa5a222eccf252f1dd6001198d02a25d5a82e6cd0938367e3f3364b
  SHA512: 77f18653a9815caecdab1c3248fdf37a1c72d746495a20b329068c27e6d3e675f9b0d8ec20871b675174df6c7737a5d7b54406e33cc1f8fa704a49363a10f09b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322
  Filesize: 406B
  MD5: 6bc7c000cc721a095b633207e9e77dcd
  SHA1: 7700369117f80f018ddc62bcf7a3db1963c7987a
  SHA256: 816835bd12fd04ed09692c77c7acc7c84003bd12dffe33085e88159e9f81a2bf
  SHA512: a2901dbe38eb6cd80c9343fa3ee38a73c984cf084fb2e6f245356a14e275bf5a38c1857d3aced7315b7bee3ecdb51840a19e281b1a05cccb566f3d51d0dd3935

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
  Filesize: 252B
  MD5: 85bd77b83f1da5bdec196810cb854792
  SHA1: 5e5d6935a66ce38eacf1a5991cc6457667e93d88
  SHA256: 0edab1407c35d3eec3896d72ec4a8665d6ff5760080de24960665b40ca33ea91
  SHA512: 79b12327ebeb6300fad4dc431bcc1a7a7ca8e1d83efcc8afc4f17338f5a41d9087256a4897e8671ac82a1ec73303d615135d8417afd7e6f9d53f65d50380b910

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a7e13fc16bb74f325bb69e975e97fe45
  SHA1: 4e5f8dbf1e8dd9e5720c38940b5348ce0af6e842
  SHA256: b3a78cd92ee5ca59a7e0b022e897f60caad889f736537934bea63ba1c14d1e44
  SHA512: ea5f291afcb63a7437d818ca7322afb6ecc772672a1d2bc6709cb46b26f047c008216d68b71f77e126b29fb1e5b078c0b8e259417c789fee0485b44ce2faa9b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9cb067f8925985608a74147aa899c29d
  SHA1: f2ce610e5f3e905563f42817624ef297b43d97cb
  SHA256: eeca1c436060f7e4b6f5655d77096b434b1aede20e7de80f5556abf132463cc3
  SHA512: 2e9c7f4aa92e371a4a70e2ca41a524385fd31a7472ab78a1c62140f0f0ba705ad0fe76275f0df819cdaf8e91fb8860abdae234dbddede20c1d9ee084e713b0d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8833b3a65d705008489dec63d15744b8
  SHA1: 743dd58598c205c42452c2f0c5d1352dc3cb6324
  SHA256: d4cf7e0e6fafaa855b57593ee02d67104f99c10841acdefa97188b311ca40251
  SHA512: 501beefa88ee885b30572c7a84eb7f7c8d1eadfa2560881a8547234fb70160d88d1ffe983c93233165bf79b683f75c6ee7e12d22b08fa3870190d61fa813f7e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 06e495a40da58f719fdb332f69087b00
  SHA1: 6ac2f7f1de855fad180121cfbaf95470fd84b860
  SHA256: 0b98f847b3bc957e0549e859494066365dd0068c46bc08ca8957d99ae44e0aad
  SHA512: 4bcdff75c9ac74a9aca18f0f0d94f32956ef6d5e8ab438bd2aeeeebe0a17abb0145ba51e2e7d9bfbcc10463fb352fcd64c30635bac48cbcd0ad7092071197bed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c7731cdc478a1d3ad1a09bf9de56ec62
  SHA1: feca263046e9201cfe800bbd73901cfc29a67630
  SHA256: 515396934d98c124b9f574b036ed093444307e08d3a468528ca48858541af6e3
  SHA512: f54a22041140a817fe5115de63bbfb75a14c6f75006853ba58837e04ef7ce6b7b6c3bee4b339c56a99fb661c621d1f88f1f42570ab49a58d2855e912cd13c46e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 97420bbc74589d65f76d42704677549f
  SHA1: 068a92a10124248ea4cc8eb17a643cb41e7c4616
  SHA256: 8bf1e1a60fd8c535928465785dec96316e4e77eff6124b7f1bf3e38136489bc7
  SHA512: 7fedf52ebcca24060a6bcd900e6b01a9076f9d98c61d85e62cea2bb79b160a3560059b278608a77169d95b7288c6dae2f35bc25824f8e871c69426e57cca1669

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8d87a5835eb4ca5c8f4b386f02149af2
  SHA1: 54151e348b1428f40a8a1c6f44d2743695d7f263
  SHA256: 1cf88df5689262cd0a4ac0cb4102f3ee371759f9caf06df0907914cd7303182a
  SHA512: 0b61ea9eb4c2a53fdc2140e0047eb2246f3bf9668bd313236a657162d3f66a41ce9c387529c71e29e749fda64e59cf8852c832052ed8fd0a98e6250844ea116c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1a43d9b9545aaa1a4ce7e512e14e4df5
  SHA1: 02fa8e8e5029e562ae7126989368ddad804bc41c
  SHA256: 3e66a295ae669b7eda6716628cdfc0dc5850d40974533c5ca81063d3a04c963b
  SHA512: 2cb4d706155b6aa65ca6479081facb68c6be3bb3cf5cc27421843f037a9dd223d17689d569459a6e38cd38f26e9158ee7adcf3b889e64271f965dd3224f5517d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ac7a057e306569dddb1fa9bbdf8ec22e
  SHA1: dd2d440eaf1fd86a769a58e31d00170398227713
  SHA256: d3fdd8dba2257e9b735785b52017f20f791cef567f77bb20f6edcfc196c57be3
  SHA512: 3421d9cfbf87461a0f8fd3068b826caafe7a4fddd75544d68f82600ec1616eab952cbe4f0c4ccc63bb9524b52b1dd95c1a5a6f36de4a33bbba43f466402a6fe3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9f2d3b783bad9c9d6099f777174f505a
  SHA1: 442aac1ba6994aba6c8825a7d4569d4bfb4b55ba
  SHA256: f6438da1dd25eeaf11cd55bcc27125a03ef824b3067a20aa6a81b4dfcab34c00
  SHA512: caac5fac2fd7e8b7c2328d6095b14c49fb888cf9fd2c0a31cd36760c79464f46770d3c2ba738f693e01c090152fd4be31a3b7a7483c9a03a5f8189aae38a128b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 52289ebd78680ada0894f005c0b814e0
  SHA1: 0bf069a356c2811b2b0b81fb793419fe6837270b
  SHA256: b9e5d899554b18f40ff52438c694c2364b81267c9040849710563000c069042a
  SHA512: 6cecc0527aa2cc566e67e323437dcde3bcb94c5ecef2f412aa3db26407ede4b2aded38ea88016263f0b5432e3e615e954a478939a8effb8e8febebc56ad56262

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1fbb29dba297a8040aedb1cdc78aea1d
  SHA1: aa8121bac4e975db635598bd104637d1aa3f5865
  SHA256: 81a1b10cc2accd7a08631701fee1672ae2b2563a606c74c7bdee07592d75ffb7
  SHA512: 5b1ed0d9da322aab4b62f842dde3ec2e387fcbbf3dc78c0d69f895e9d54fe88f70c1964ed379f0dbb1c83f1c6f935ca0295be5027e6ebce1678e1041ab9b8b90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 578308e2761026281da2110e55761fb6
  SHA1: 287b669f6f5ea39099696d1e636991a8590b4980
  SHA256: b4cd16e50933d8a32ad92bd81f695d10a1cfab2b30f1ac8010105d97328c2c1c
  SHA512: d6d44ab945649b67394cc9728049164f61eda27fc3c88c81c8de3a41c139dea5993a31d068c58e9e857f589b4ae0c83cbab10b73c08db77f8a92ab120ac826a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6cc8eda2f6e880bdde840d3b4692dabc
  SHA1: 8112825b280b001990ca1254b8241ada3134d98c
  SHA256: c0e106096e499f63d05d134dbf0a63aae10343d62c31a5a915cbedf8617a88fe
  SHA512: 0b6679935cdb9e0906e92b0cdad6fcf3cb9dba684a8c252a6038980ca5ff46efeb818642a6ae6bd358137cfb56eb91005557a1732b0a76aace773467ef9a634d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5770da85cc6d1114cd2e4d60456a16c5
  SHA1: ee5a6acd0f6a55779e9992584cb21d6ebcce48d1
  SHA256: acf38e701c48abeb1ea563bbf3d6d1fe9ab9fa618b15e82c6fb43d4d91d0f50e
  SHA512: 4b81d56fcfb0b319b63e08238ccb8f11994c38dbeddac85a322cf924a795b8ac1a25a34358045ab107d2236f76a9a1dcc8ab9cd3042abe52c2895d811a426a3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e15eb24b879b5b8e8e904b22f48869d5
  SHA1: 2da0def051133220ac9f7b57554156f16f61d8fc
  SHA256: df2727bb8c294acdd7d6df0e271b8a7fd85a2da77cd114337d8afdea93a84eab
  SHA512: ec3e48e0de2438dab66f4c368653ea43a9c19e67881cac16e2dbeef68d8f4a6a3f62bc9e9eaca23f77d06df14a0e544f0ad2f0b62f8f31ef2dd62edd8895b2fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 28951fb3f4e99d889efc6d099dfca036
  SHA1: cb4376d476593942c6a462e33ca44a06daa89940
  SHA256: d90b829b80749d8c8b670cf8cf026f5b99cd98176b27792e3b32ac03f17e1169
  SHA512: 1209347db65baaf838f37337ed7027472f31f784c0157ae8acc82b4a88eb89779ca7976caf58d5f0d0d528daa822d7530e74f55562b9244e089c92affc8cc255

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7b4264ced9846e0a222ff938044d7678
  SHA1: 8fd032b8bb433fb46db4d340374218f4362c5b8f
  SHA256: e6b85d40893b7eb134e448acb30a2cff7d148858d0db92a0c685d1680a28ce7b
  SHA512: c1219c7eb818aef1eb400adf562f036d907fe7db685dff4de67c6f085d9a2e5ba6a6af702a14596adacb2437a2a48fc305c46ec4622ec7c6fbf5d2c7e1be0edc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d6ab001f1ee9df8fbdffd60b4360900c
  SHA1: c5edd05d13cc88c13930bbf8ff503aed33ae38df
  SHA256: 9aef7023c686f3a62f9d23d7d4870ec9e7f63031d250b8c9052504a5f4cd74d2
  SHA512: 40d9b688306ef371f573bdb97b5cc93fce0f378b4fed221509119850caca549616f242349b0bc1c36c973e6cfa51999c904b4bc13495dc4116ee98867dc0a188

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8ea402d95b4e2e612ef77b1459d6131a
  SHA1: ec70d803dda225f198b91287ec15a6c023b9ac81
  SHA256: 430b9cdd226601cfd4bf1ccdb4cee35e5f65e56326550e0de47464506c9bbf0b
  SHA512: ab9e9b787c37ad4ba629e303a2ac3456309a902c26d2036587d27bf99b0ead7920e71c290e5d6c24e504c4681c8f0323b15d402acf1100479c8c044aff954377

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 06b5d1ac98bf21669215a2d56e68f598
  SHA1: 67cd5b3d73a0f50c941e146059dc0c769e617b3f
  SHA256: 92f31fc60a16f183f77bc4917d407744b9c4c8bc66d35714ba8a20a8eacfd565
  SHA512: 236af038bf03a169a26e5238db73a7daff0c26ebb5758a5b7d498df40e6d29e43e677ce933924bf3cb308dd182a3eaefa220e778b63b853a38cfce9fedac547c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 392B
  MD5: 5aeb15dee8317eff4275df3e82b95a46
  SHA1: 40c02b7fe0f5b2e90645d0d0c64c3e9153937ec9
  SHA256: 0b21095e4efde5cbb77cb9b5a7f5a67745ba421f7aac5018591c3b18def3028b
  SHA512: 212aef72b96cf530a3dfde5317be0be3f111b37c922c06a1c6d741d89e1a108b3e49413a153546c65fd35702f24ba7a08992a67927818c37990312cfaf76cd75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_A34D3B1C2EC7792CC8F97AA4FBCEACCA
  Filesize: 402B
  MD5: 120af9d6d30ff08f89fc5ddfb4a9e8ed
  SHA1: 395572a2d0071e57c4cd354efe94a46cf047c12e
  SHA256: bfd9450bac3e1a1a53dba6c5283d37893130916745112c96861eabec68610043
  SHA512: 385a4c5a80d8fee272060d626937e338b0c2709788976a5a26ffe5adf8bc36bd7c07a61770b4829acd98fd6ef00fbc2ddfc24712eeab1a4f638e2befedbac801

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: e1280da82c06bf8541dab4914de40d37
  SHA1: cc016c6ef520b1f95a908ca4afc02301fbd2e144
  SHA256: c1510641aba6298c61da7315c58af2d14e4d12aab3d637de3e7e63b889e5de1e
  SHA512: effe4be57ecb5f167a22eee42ff7fb60c83328cff29670e8549d1f31971df616b6fa4e5ab34bd41b4a740a38e8df161dc4908f31f8dc584ca3b44800748b1b72

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat
  Filesize: 5KB
  MD5: b6df2e4a08713dc61ca51df110225c93
  SHA1: 3aaaedbb018b88fc85ea9d7aacd1d0a668222bd9
  SHA256: 084feedb2f22e5438db986226777ee68b289f27d6b48250c031f57c2fd145983
  SHA512: 0ad8b1984e1ff8f9677a706e4b87f64c4e1283246dedccdcd1653c5d2428067500fbe96b4af97b4fb702d9cd4eea9564aca5719133a694a02f8ce213a73ed9d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\favicon[1].ico
  Filesize: 5KB
  MD5: f3418a443e7d841097c714d69ec4bcb8
  SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
  SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
  SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Temp\CabCE38.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarCE4B.tmp
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\TarCF1C.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\~DF800AF6FC56613D32.TMP
  Filesize: 16KB
  MD5: 8525cbbf8148f93684facd4f9478964c
  SHA1: 83953a540119fefc67fb600393793ad9f8ea5764
  SHA256: 089c28d1ad2196b9f0afa3ea4331ca35819fe2d99cd57d4e345618ca88f18060
  SHA512: 02fbc24128259100b50c5e7334181624d2e7084f1f1994ab0a612f250ad7fa507f17eb81773f8f0a0a9e2581678575c318f5694cad04b44b4e5a3551843c2b25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QTEFF1W8.txt
  Filesize: 618B
  MD5: cd1b81130e35c449240379eb21aad3cd
  SHA1: 58f843e8b8d04bc055ca2f70222bcb9beb92e67e
  SHA256: e58a8384b02bd403e948c93880b37338df55ea4e6bd4d2a44bb0e3efe674cfbf
  SHA512: 73a5ac727e91ca53ee90eb35b008057df83a67556471247c824f80512d886890fa3db79e8d707a236ecf488c46945504a338fe7dca3ce77d3100e61c6990d31a

C:\note.txt
  Filesize: 218B
  MD5: afa6955439b8d516721231029fb9ca1b
  SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
  SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
  SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

memory/1936-524-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB

memory/1936-525-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB

memory/1936-526-0x0000000140000000-0x00000001405E8000-memory.dmp
  Filesize: 5.9MB