hxxps://github[.]com/Viper4K/malware/blob/master/MEMZ/MEMZ[.]bat

Resubmissions

20-06-2024 14:19

240620-rm2czasamf 7

Analysis

max time kernel
242s
max time network
244s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Viper4K/malware/blob/master/MEMZ/MEMZ.bat

Score

7^/10

bootkit execution persistence

Malware Config

Signatures

Executes dropped EXE 15 IoCs

pid	Process
2284	MEMZ.exe
2852	MEMZ.exe
2956	MEMZ.exe
1928	MEMZ.exe
2096	MEMZ.exe
2128	MEMZ.exe
2296	MEMZ.exe
1496	MEMZ.exe
856	MEMZ.exe
2892	MEMZ.exe
628	MEMZ.exe
3088	MEMZ.exe
2252	MEMZ.exe
3124	MEMZ.exe
4092	MEMZ.exe

Loads dropped DLL 2 IoCs

pid	Process
2284	MEMZ.exe
1496	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
63	raw.githubusercontent.com
64	raw.githubusercontent.com
65	raw.githubusercontent.com
66	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	NOTEPAD.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	NOTEPAD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000007ef1c8431e83624d7fcf23fe3c073d0e3bf1552a425f0cec5a30258c9878866a000000000e800000000200002000000058c7b15e6d66a7c39139598bed4ed2efb1861e2f4e0417d8d997499b5d0550f920000000c599988bdc58e42834049763d70f3d7b3fe1d7ef8d20325e0eeff7eaecfa5c554000000078a6f728cdbc756adcc1dbb6ca4e6b194bae8858b6530daa1b57a39721d9b98b6bcbc9bb9372d35e5cff9d686bca39c663f163c9505c07530071526e587eebc3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4306379-2F10-11EF-A538-5630532AF2EE} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = d8bd534f1dc3da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206187531dc3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7E620D01-2F10-11EF-A538-5630532AF2EE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{88D02FB1-2F10-11EF-A538-5630532AF2EE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B430637B-2F10-11EF-A538-5630532AF2EE}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.bat.txt:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MEMZ(1).bat.txt:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1656	NOTEPAD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
2284	MEMZ.exe
1496	MEMZ.exe
4092	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	MEMZ.exe
2852	MEMZ.exe
2956	MEMZ.exe
1928	MEMZ.exe
2956	MEMZ.exe
2852	MEMZ.exe
1928	MEMZ.exe
2956	MEMZ.exe
2852	MEMZ.exe
2096	MEMZ.exe
2128	MEMZ.exe
2096	MEMZ.exe
1928	MEMZ.exe
2956	MEMZ.exe
2852	MEMZ.exe
2128	MEMZ.exe
2096	MEMZ.exe
1928	MEMZ.exe
2956	MEMZ.exe
2852	MEMZ.exe
2852	MEMZ.exe
2956	MEMZ.exe
2128	MEMZ.exe
2096	MEMZ.exe
1928	MEMZ.exe
2852	MEMZ.exe
2956	MEMZ.exe
2128	MEMZ.exe
2096	MEMZ.exe
1928	MEMZ.exe
2852	MEMZ.exe
2956	MEMZ.exe
2128	MEMZ.exe
2096	MEMZ.exe
1928	MEMZ.exe
2852	MEMZ.exe
2956	MEMZ.exe
2128	MEMZ.exe
2096	MEMZ.exe
1928	MEMZ.exe
1928	MEMZ.exe
2956	MEMZ.exe
2852	MEMZ.exe
2096	MEMZ.exe
2128	MEMZ.exe
2852	MEMZ.exe
2096	MEMZ.exe
2128	MEMZ.exe
2956	MEMZ.exe
1928	MEMZ.exe
2852	MEMZ.exe
2956	MEMZ.exe
2128	MEMZ.exe
2096	MEMZ.exe
1928	MEMZ.exe
2852	MEMZ.exe
2956	MEMZ.exe
2128	MEMZ.exe
1928	MEMZ.exe
2096	MEMZ.exe
2852	MEMZ.exe
2096	MEMZ.exe
2128	MEMZ.exe
2956	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	firefox.exe
Token: SeDebugPrivilege	2396	firefox.exe
Token: SeDebugPrivilege	2396	firefox.exe
Token: SeDebugPrivilege	2396	firefox.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
1656	NOTEPAD.EXE
2396	firefox.exe
2396	firefox.exe
1228	cscript.exe
1536	iexplore.exe
1176	iexplore.exe
3040	cscript.exe
2284	iexplore.exe
3164	notepad.exe
3900	cscript.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
1656	NOTEPAD.EXE
1656	NOTEPAD.EXE
2396	firefox.exe
2396	firefox.exe
2396	firefox.exe
1364	NOTEPAD.EXE
1364	NOTEPAD.EXE
1364	NOTEPAD.EXE
1536	iexplore.exe
1536	iexplore.exe
1228	IEXPLORE.EXE
1228	IEXPLORE.EXE
1228	IEXPLORE.EXE
1228	IEXPLORE.EXE
1176	iexplore.exe
1176	iexplore.exe
988	IEXPLORE.EXE
988	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
1804	wordpad.exe
1804	wordpad.exe
1804	wordpad.exe
1804	wordpad.exe
1804	wordpad.exe
2560	mspaint.exe
2560	mspaint.exe
2560	mspaint.exe
2560	mspaint.exe
2284	iexplore.exe
2284	iexplore.exe
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2348 wrote to memory of 2396	2348	firefox.exe	28
PID 2396 wrote to memory of 2876	2396	firefox.exe	29
PID 2396 wrote to memory of 2876	2396	firefox.exe	29
PID 2396 wrote to memory of 2876	2396	firefox.exe	29
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2832	2396	firefox.exe	30
PID 2396 wrote to memory of 2512	2396	firefox.exe	31
PID 2396 wrote to memory of 2512	2396	firefox.exe	31
PID 2396 wrote to memory of 2512	2396	firefox.exe	31
PID 2396 wrote to memory of 2512	2396	firefox.exe	31
PID 2396 wrote to memory of 2512	2396	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Viper4K/malware/blob/master/MEMZ/MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Viper4K/malware/blob/master/MEMZ/MEMZ.bat
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.0.406539947\863613902" -parentBuildID 20221007134813 -prefsHandle 1276 -prefMapHandle 1268 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c2247a-923d-4b4e-860f-20ce4f84dc59} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 1352 100da458 gpu
    3⤵
    PID:2876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.1.1840437408\1559892774" -parentBuildID 20221007134813 -prefsHandle 1552 -prefMapHandle 1548 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {944af705-e629-46ed-b535-b74b508ec708} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 1564 de3758 socket
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.2.1144767124\1207192624" -childID 1 -isForBrowser -prefsHandle 1924 -prefMapHandle 1920 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d4f3a5a-9b73-4459-8bd6-819c556c6aad} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 2036 19e8a458 tab
    3⤵
    PID:2512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.3.227807978\577811444" -childID 2 -isForBrowser -prefsHandle 2832 -prefMapHandle 2828 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5b14e66-ce85-4dd3-b15e-f3283a54c067} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 2844 d62b58 tab
    3⤵
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.4.1974510303\1257512291" -childID 3 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d1c28c0-36db-4b9e-8cb9-e08fffece87d} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 3844 216d9e58 tab
    3⤵
    PID:1664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.5.1253679448\248063988" -childID 4 -isForBrowser -prefsHandle 3952 -prefMapHandle 3956 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9fcfb08-85fc-4561-87a7-8f8657250cda} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 3940 216db658 tab
    3⤵
    PID:912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.6.1121539031\1418253570" -childID 5 -isForBrowser -prefsHandle 4120 -prefMapHandle 4124 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3a1358e-265d-46de-b043-7f82a89d254b} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 4108 216d9858 tab
    3⤵
    PID:284

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MEMZ.bat.txt
1⤵
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:768

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MEMZ(1).bat.txt
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\MEMZ.bat" "
1⤵
PID:2112
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1228
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2284
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2852
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1928
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2096
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2128
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2296
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:836
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=mcafee+vs+norton
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1536
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1228
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=mcafee+vs+norton
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1176
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:988
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:1061896 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2112
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1804
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:1860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2284
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2184
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://play.clubpenguin.com/
      4⤵
      PID:3700
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3700 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:3880

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\MEMZ.bat" "
1⤵
PID:2620
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3040
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1496
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:856
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:628
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:3088
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2252
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:3124
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:3164

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\MEMZ.bat" "
1⤵
PID:3092
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3900
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:4092
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:780
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:2888
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:2184
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    PID:1804
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b45d7f0b14e84ac44e5f2e4f1d32f544

SHA1
c5ad3ca154b9e4d68f3e7c422291d70b91b6cd34

SHA256
2df811d8852c7bb1439cc3da532078fd8ec7ab29abe09e2e6317d600ec0c17ad

SHA512
62c83f3c1c015f74f2e7084ba520dc6222d6ae4a1d156c3969515575b997cf40dbc70024b4b9ec921e9f8cabb931f3de5e8a091c4dc365731591583fca963230

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_84540F9BF71D6B4D20B65546862F96D5

Filesize
472B

MD5
3a66c41212f8dac9b8f4169934a69c3f

SHA1
8f2f4489ee9f55c66b3040c7e7795e4453d0cfbe

SHA256
d68733c4b41e0bea3a2a59b820856472a5ed410d8887dc268ede04b6c694b801

SHA512
648237fd8be0c8ffcb269afb06447519df15a29636a56995d3c4213b4eb3c2f2c1353107cc2a857a33fb04a564d16cd8e450c45aa38a9f08c54bd391f37ec775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
8b8fe8648c06b0db078921f0c7192b65

SHA1
bf6f7e90d92c7b7988ae80114edb49b96785f923

SHA256
00a0f55446aeabad4f52a656f66af821f8e2f5822bf7e7c1b438d5df6986044d

SHA512
b36a66d8f8ccf4abdcf2721880d7cb149371dc387b1a723b45d917e4b4d110d7ecaeeec018261f30bab4bb483fad186fd52e3132af9e8435a5b2b5109162f53c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4c9570f1626a40e9ede71588c17eb0a

SHA1
1fd03f0936a94f89030b7e29dfffa2971ec6981e

SHA256
cda96f54ace8e28e8cf5bdb6f4193b83ab4105414643eab3fe5633193df35ad4

SHA512
96d67abdcd1c4e71f90e2458fdf974b398942cb448dbe523f1885b440dde308fb73328fc3a3921b5c0fda6f9cad2801cd6390a92bb375b8d4d2c31df1ecc23d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce9c903c966de679bcac7e4537945a51

SHA1
35f197b5f117d3835b246ce026d5b8178660dcbd

SHA256
6037c229444f5e1e0e4b9d01013e57229231a59ef0967892a3937bc157511063

SHA512
9fcacca0ba9342f97ad537832661718e30c95f94c457ab321242ee43c130e22816d9046a97e0044a2f51efd186fa4fe9033b0c0c7a831f90384852c5a502ab39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4055532aaf10f82f6f8b7da095e23b2

SHA1
118d1829bbc278c3518f6b17822fddcabf2ecca5

SHA256
e2de6dc34cbe1e15bbe53b8ea24867a21ab7279b4312a72de2bd17d8507ddce8

SHA512
f53144f22e60c831aa5aa9ae0e40a015f225f2980c246b4283f07a981f38584d05037929c3c5cc773536ff327ab03a6a8d3bdcfe90ac2ff3a5e2027ab868cefd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b964e803b5e5215ace95c1827d7f3327

SHA1
b8fccd1f0c91ca40969d69c6bc28051de577c710

SHA256
ff1ad3797a1eff26b9dc4e8255f3ab8848890472575181d0b00d0d91a9c1c596

SHA512
1057acd82678efbeeeef7ccb640b3b39985e7e701787a8961d855ba8fe9251a82750394b1d6f0d335d5e235dd7d12a333bfcd5ee3966e7ddfc0032407c6962c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b02081f57d82a6b9f5067c539b630ce

SHA1
ebf95f4b23aedc17028e8710098d612aaa46a5f5

SHA256
792640f52b00f7d7ac0cc253ed6b5a57d97a6f570e7f3c052da6ece6dd934a45

SHA512
2a0758eff8843279fa78604d03b69bf2eeece4f96ff504761dcda7ea5244df73a20a72bf988c5e7c9a4d7f05e76f98cb00b0a8cedd60b829140df848269706de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9360fdae9d28cab97caa1eceba496e1

SHA1
d8e19ec6e4ffbec8db9a04cf88af95a073b4a170

SHA256
8d0e65bbb10212f4b90aebb6864c3fec0c965a107e4b823a44af64ac4be982fe

SHA512
6f365ed7f2dab5ade0eb6b9824e11e068cda59400323f25a5feab49103420b5449d6b9c6b5ff68738291cdeb3d5df340f197a4895d66ab7b25ce4303dc421f40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e20341ccc046dfa21d3bc998f82e1890

SHA1
d165b8ea8b5c800023a85e8403236df3adc311c0

SHA256
587021fabd3a469a381ab98ccde0f4489b714106516a831034a44752d156223d

SHA512
9f94cecb6135c2497af53631426c0f56474784dfc48c999847eb09e3a185d5006d9145247a9f9ca297757fd113f4407d97d298f6b9266334da1cc01f34a6f025

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22756e2f0ed2b30785ca750ce86fca3a

SHA1
46c9571fa732fd01f17703933fb0119f19cdaf0f

SHA256
32c9cf82085c7046fc9042fda175f78c681beedef792461a9f6aa9b61bb850c8

SHA512
3a862d1a611fef3733f31fa3143a89a428ed118bd07c252aafcfe29e37e21044cd83156db6e5c49c6609c0ce600f07f0432a29dd4dfb727c269c73cb808a9980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c795ed5e85ae2624d1a35b62213301ee

SHA1
0ba109cd1585cb50b8041c0f30184b5f8baa663c

SHA256
d47c11f3ae7e0fed3f0dc8c47b5173781d56662f6c6eb82b7d2f6bf50b60d528

SHA512
cffd1b03f6b4ea28cbcef1f4cb517bac52cb82a3265d272bfff1d455825a0866e94e7d323d9ed6e866e1105004922953f0dccb748bb3a84c4c8632aea5e84e11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d3dc171f21e089fff1c4c25e0a8d723

SHA1
a79adcd8e45e6c364bcb32783474f19e15e6bee2

SHA256
02a50e2be96c86aedfd7db15dbf1912263bb80a8df0ef00baed85f8aeced9630

SHA512
df49d7a12522fb7216acf36c90481d74f86bc57bfe8b71521ffb564cd60c2195e650da09435df632f1617a86e3f2f37903a54d60314336f3cfe540e7a4149c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b037c0786d49fd75d3cb784585d4c094

SHA1
2b7ba93c79f842f29f27e0547a8f099fe22d4c80

SHA256
86d9251f7a91286d75942f56f39a512f52d0f77dedcf3dcab10009fbf56ce468

SHA512
19c7ff31620aa22039d84a02842481055c85a834657bc37e647444ca530bb4c1e90c9f4f95b761c8ba2b6fa4ad9a5c6990755cf2a1ba61ccffae67ce1015f7aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a540419333061d454478eb80f4995178

SHA1
a0519c645846e0f75bb734e476fd10e7a2f896ad

SHA256
49be7b6abe92b1482047dda38929b2966a88c6e5cdad48ba448fde4d844c8230

SHA512
14f95856724de1142e098c61ac4e51d44847563c111080d362473835e35ebfa03754998f2a911f22e23cd3bb244ff851f917096bff9273ea3063999217d80151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5df5bc9969ef52c95dc1daff6e453c34

SHA1
4efcb44f1af04ee42def51e67995bc81dad43ce9

SHA256
3373b128c7ce21ca4f4ec9a1811737bccfe986847b64f25a7a80af9ecd47ab54

SHA512
0290fc521278149290dee89bcecadb62fd96bc55ccf70cd8af1687875bc0f28d45620895f22881f62e89fd7d93729625876c26932add1edf2c4804d473527275

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d180511f20150a08a45b9eabada6f924

SHA1
3c9a4dc16b911183ff35a4fb05477123bc85eeda

SHA256
be2e1fbde8e5972bb4348adbbba15d75b1cb4233daa0aa75f9328e2e3a0ba791

SHA512
a7c44e2aad0742302275cc861cbfc0b47a152bd6ffa5672e963a42c3bea07834a9b0ef833dc70ed58b67f7a6ab33bbb87af28232a7061d91c561f3f0dd9910db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea676074f3c410dd95fd9dc4f1882a7b

SHA1
890c16edb3a93e7de455fe1dea9d871a0c0f224e

SHA256
707d0d68d2ce9a3deafa4ccb184b29eb9734511d33a4b420921b2aee73cdc496

SHA512
cc43c7783108bcaed8c83d716e07d87eaa1eec761368125a2a969db948b1cb8df76b1deed1b0a0534a2bc6c1e6be5b50a6e53b6f199ae7f95983b859a9bfb88e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bce80023cb4c399339e53e3f29857e0f

SHA1
c30600369828479ff072ba2115c044049b1e5ab6

SHA256
f27ca7a2d5039df99123dc803cc84fad10027e34b7951c39f1f89462c9afacf0

SHA512
c89f7169cd4afb59c28276434ac414c0c1b400ad961b3d1349a55f2e10a79843f062cf592874031215c3eb31535c7051b53759db24bab06db97b60ee183b37f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65abd08d43722edd5732f8506de0c8a3

SHA1
741ca831aca75bde795ede8b2ac7889d23dacdac

SHA256
490085c0d5826053768f6ba730442909f5c4823ef67dd4866bfb16672d9b4b38

SHA512
2337357902af3f39be71dcfc2515d2ef6ae4b7ef8bc6c0b37f52b862f079997651c3841c43b5033b05d4c33605f21150568475af97cdbc273931f42e3a1bcf4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b24ce82ced9a944ab2b359203d77c2f

SHA1
eb9b17b5e2b27462e47d4f66fc5da4833388e2f4

SHA256
f2615c5038d5a867079a37a1f046d4ce9f30e517202596f0a6048be8245f5c0d

SHA512
5a1e7e445071a98938aa08452513a1f34a306f245c1bd65380175aee0ac9aed182a12ab6a9a980af24522f9707678ef2add6af06716ef9a522fc707c61c4e0d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fe96adf3497d0e18ef45264deabfd85

SHA1
463ae8bd6c7aea3c90edb59aa797e9e48e61baf7

SHA256
47fa7223cc0728a4a2c8c1d6b9836562d60211c2b568650ccd4d4a9fe5a9c81b

SHA512
15a067b392fa0b129b7a3bd09abb217a7d9568e37b0b822f83ef0eed3081f8313d6a8df71e985e20a70d7233681c3e268431b06c1d4319f2adee835a42778bb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3804e872f0ecf39d6d580b0c571a6d73

SHA1
bbdf5b2e4702ed2e00cd0e79fee448d12dcf3169

SHA256
76d8e348af099d5da9f4260070b5c73402a449ea816f906f5fe0c03759f7b07b

SHA512
692c91b1d8541c8cdaf17b52e7772de5a6c08629404a12d9ca2c3595396c08aabf4294e895f86635df6ef4df26f0ee9bbfbf1d7fd5463307baabc14675aa0c1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd66d42a46a43302f66f70c751bd4a60

SHA1
de8baa56e26deed6aa59ea61862d40a94a38a4a6

SHA256
796eba82dfd69509eda1c62f381d8c399f6f782c9daf84ea834eb71967e2d7b2

SHA512
eb4b58ad99f96c564e6cdd455cd6b1342b34628c1a6b8e549b0c55e01cd7db3439f10aa43105aaacd71e41982c492fb25fadc30a1056400bd278666fbe7dc6c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79ef0f365a1390c9a245cd7fdb3d08d2

SHA1
8fb3e3b625eaff5027f7e41e9aeec3bdd20440d7

SHA256
6ad0658c2aed730eb3f6fc31696f5dfc53476b60942a309c91164e7e38e1f988

SHA512
064d96327690c1c4e759d9cc668c2fd3bea78364072461e96035c4d52622fd1932a2a72161ae09b13834f67c14b69a89a897a7ebf9efe7da0a4d2af3bbe0d6ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2a5a157de18985715d03bc4b7ea126b

SHA1
b7d70f5112e1b2e1c500c4f1fcf9f228b3cef3b2

SHA256
d42cbf42ebdbaa8510c2db778b9eae4121540ea00f79ac1df71e804a48a34cd1

SHA512
d2a01db645f2024afb7e14b8885aa3ceec49c513804fad7481810f9893411dd807a04b1411eb4b524f8de349995e87fd5157120d0f890e61a1f2e24522210e58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efe113dae8cbd4e154f90192b4e87b95

SHA1
66e9975a8c73f50f4a9a37f71324cc34ec4701ac

SHA256
bdcb83a14496c41923175e365fe1da6676870e316c808782a5647ff33dc5800c

SHA512
149ce50aec04ac51e8b32732ef0740cef561e0ce0d5643b059c99e28dc8e7550269b89bfdc8e71aa520798c361cca2f485a0e03d73860f1ad6d6513a2d98e92c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e704c85815de1af1ce352cac530265b

SHA1
75d9092934f0ed90d71b2e51d5ff0057dbb8e4d0

SHA256
d4828984d5d3374a54c56687ef5e3f6aa44f5adaa27986b35e6064edaa61955e

SHA512
b173031034b59bc79f27495e0e76b1d0d9b2e80077c8eb67962faf9705b9f20918dd7cb0012ecb0a4d79e06f3e0f38d9ef206fda8610cd56f736b11245015925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ab130d126d77909e82073ab30bc48f5

SHA1
7f3ddb8f85c82727a70587d57904fedcd6e5fcbe

SHA256
fd699e28e5e205f5feea44a5377d69c4dc98a36c726da699b404e749ad9fc575

SHA512
f8b922fedbf75170b776752502e348540576fd6ffad9718e83767739400fc2bf4b233fcc7fa0632d12b2711a1441180decb695d997aff877c83e4299a0335f76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb69196cc262b38420d80c68dec94c34

SHA1
ec14c6bc92677c8e288e8c508dce0b925050dff1

SHA256
1806411ca3c47f5a6302c2ba5c9197fe5ba9fe58bd3ca9a38dd7f92740c0cdb9

SHA512
4a0f7326e37bd00bdec308903055a6b477397be1724acfab98b371913e69033e4327fb44bf7413d9caadc35fe872deefab97ae40509ef07e4765e3fabed43412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f0989166ad138ef0813ff60b6448baa

SHA1
1fb1944dae6855d027237aebc9e95e26fcb306ba

SHA256
49a182f69ebf05123c21c11f1b9afe6227db9679b34f96f4510b5a497e284ab9

SHA512
b5fd43162e40a744707658cd7096b87d505bc5c3f96035e2773be70fd8db3f281fc506e881e85926062ff20757124750408026d140a1d79db22c2c217ed509df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54949bf47b0b87c5132d4dabbe6dd163

SHA1
ffee57588bd8bac7c97ebce94fa6c65a1b0a5eac

SHA256
b987076b6027fbcd86f69f74dff30857078bd41fa9ae52bec9aa47cdbee4410f

SHA512
162cace663d028601b0421c2feb8c8c6b49ae3135b1ca586742770661c98a5937ac002d609f4f56af3e93285de00feaf7a6f66eb25dffb65669dbc1f73e741e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
745992b86d16b0f3abbec0a25e02bbb9

SHA1
76f2b9447148a79fb467059591099d799cec51c4

SHA256
40351d5dad41d2e282e834335538b9f7ecccf578b2a9b1dd36b1b1f2a26d9fdf

SHA512
ac3526947b015dfee80e92f2f1cd1d81d80c01505ea22fdc6e4ad403f025e48ba1eea911f5909da8b3f416e6fd62676407340333699780c8fba411a88ffe7251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c003c7291c0af2bc61a0cd8e7bc96d5e

SHA1
532c4e208bb5aa6895a3e6e4af5d14d0dbbd0351

SHA256
85c2cc78c36bdfa2a2cb8370b95aa41da76905f32b82324df76fdb6e609c5472

SHA512
ec0df30e1b22df165a2b788eaf74bcad6f336fe9c42ef3730aef4707806d508aea7a62c3d13394939d724a930850b80de8288f11e57805ed67a33e5c0cf5cd2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c04378428e3c1aa6bb99bcf3017b2340

SHA1
1e2e1d9182b590e8c25c5dc4fd0e5e4eec3192fa

SHA256
d48d4485d6b28f5384abfc8a6109a0f6316cbe4d092272ca4f6a0e640bba4c0a

SHA512
406b013271366f411d23f2aed929cfdff17b13e184143d5e9099d5dc97b9ebe2eb61e83ae279d015e4021b9dbbdd96e1af93b754a72f0515f54a34ae8c288d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b0eb2004e4a8ee6b2cf5a9bf09fe39a

SHA1
aed62f9d04299ef31f6adddfdde834c50771dc26

SHA256
1d423622e634dc9c0d47adbee41725cc9b5717c26c234dcf1898d0ef94b89199

SHA512
8a28325feabcbaa278cf286df23fe04f3785d304c4ed198c2d3d3b528ffa7e9005e30dff6b7d4b6cc2580508fb756c8791098e190876d0fcc1c40bc591e638eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
0a886ac4f6814849fb3d1f50950ff7c0

SHA1
2bdbf3a1fb67a0a34f290779dcf4510902c46e53

SHA256
86f9edce5eaa431b8ae5693a69cba3dffce43e5a3fe4bb8ce17d65001e6b85da

SHA512
1224a648f2a2a2f75409c36bd2a95a70ca041358e20dedc29ea5f1d98c2d7cc90368017ebe6036e5b802ae94f6c48938a1e1643768cb32ace1935fe1f131b353

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_84540F9BF71D6B4D20B65546862F96D5

Filesize
406B

MD5
261af2e11ba74a6229327f3fb3562fa2

SHA1
eef0faf56dcc24c4985ea1d458cfffd127fd4949

SHA256
02633b871a0868e830cc839d375ae90f8ac056ecbe60c1995ef0187e576291a7

SHA512
18cf8738eb687a05abdb5104790f7e74da059920cfde6c20d8dd78eb6119f1d353323624bf3a1962d3dbcfe9bd0b4480c04e1a61e55bfb685114804eef50d36c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e97669945808e2a540067471c728af19

SHA1
b913394efbc7081bd7d38bc7e5ccd5fadfd4b8b8

SHA256
660901d7fc1b5d49e7f7343386c195e97742daf4457612683d253958b263ca59

SHA512
40986d837726e32f9a7c1c43fbf4543be51514230816fe995f133c1e7129680d7e2c4491ae2a75acb33366e752d22426df1f986abcd27d960df8f61243faac23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\EYOKWAMW\www.google[1].xml

Filesize
99B

MD5
66d991776bc53ad26a8dfd7845a14c14

SHA1
22dddb425245309a435b162385e7db3379374d73

SHA256
1d86db321f4e8b68e753563db04e6559a446c7cd7e7a3f0e6fcb45902e54318c

SHA512
317adce979596c50a1196bd4127fab709d31ae282756aa1fe25358efd200e5b3434e6b94953c7a2437ce98c2c4cfff1fc451294a9b836650280aa6b5acfc3818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7E620D01-2F10-11EF-A538-5630532AF2EE}.dat

Filesize
5KB

MD5
72d70149a728c4f4547ee5b554fdd852

SHA1
57492e846ddcf12fba1c36d701dd658042105b53

SHA256
a5bbd16adaf7fe03d028c6df8019ac93fa1b468754f747f7e579452ff6f81a1c

SHA512
e5a0782808417ddd88cb08fc6dbe224d51cb85e6992f93f92e04502f51220b43787ed5486102045af42f9520897c038139d2a14c0e607d92d9f47e65034008ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{184F4210-0D57-11EF-9189-5ABA25856535}.dat

Filesize
5KB

MD5
30f4821b067c7319716eeff087bb232a

SHA1
ac9ecb2edfd34a0f2fa1d9e4c877b6cf54c387eb

SHA256
9c63d3902a8e1fe8ad8615826710d8aca438a29ed97ff579de923885f330a775

SHA512
ef4c3d7f3f279d4e87e693e753ca8f0c76cbf7f6154a3682a738e5d7255798478bf547488e6ebf9937ccf9cc6878e4808eda093bee5cfe96d1a5e7c7a2498d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{184F4210-0D57-11EF-9189-5ABA25856535}.dat

Filesize
5KB

MD5
513349146c0fce2c72a7460d06f9f4c8

SHA1
efb9229c448d7a762c15504326bb170256d9e034

SHA256
0d545ba886baae5dded43ec2ed3b2ebd5567dca7c4b22a3cd513d8768044ac9c

SHA512
754a24717e1c2b8e56c85f3d803450a30345552c3e53a5f5cd5a91edab2e8243f757e0a5349878ae0f8a41ba0aa1ed7a72f0eeb99555906c1abcfa63eecea256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{7E620D05-2F10-11EF-A538-5630532AF2EE}.dat

Filesize
5KB

MD5
35b86583fbbdf6b43f6eff6f72a3667f

SHA1
5ad4ea58c53d9925252ed514db25b266f97ddff5

SHA256
30c06c313e943cefbc1454e0abdf53be9c025288c17939de1d7ea173110c384c

SHA512
c5c1aaf939e0bc9bef82757244c1fc6997f4a805e8a6be0090f83b0f33e0480827c9d045d9215f36fd1ae776360a2fbcb0fd4dd05383d0b9d91049b5be9a9257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{92A2E939-2F10-11EF-A538-5630532AF2EE}.dat

Filesize
5KB

MD5
36b0c013c2d46daae05903b6dc906974

SHA1
ee1ecf19d330f23e0e5d75900dec3055815000d3

SHA256
f9431fbe929781c148275b5bb552622fe28df80612747390eb7811b1ef47d8ff

SHA512
e4323f943ffbfe50e99c9d02ab0bc80ec31b1eb790944bb380e494894ba6f029713e2f784ec873bbc0c0a1530ab34344a3db1fa95d298796a26e7402dd3d183d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{92A2E93A-2F10-11EF-A538-5630532AF2EE}.dat

Filesize
16KB

MD5
882371aee8f651e37d5cfa8ecf819b69

SHA1
f8db427b4fccec3d2d6164f54a5574bb7ea01c08

SHA256
74a701a18ae083ea852920a31a1fa8c5590b9e353ba54862e46749999798213f

SHA512
0c56fc1212290d1131bb27d83af27337c4e99418e59ae0588a8234ee69d29694c80a0d8f41055c6719ffec0ba56f09bf0533e0b7c0d606965863f2b9706ad6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\92mvs6j\imagestore.dat

Filesize
5KB

MD5
be99ab0e05d74beb4affec2fd51c633b

SHA1
70794636c8f8f9ecb0960c9164c42d74ccce2e54

SHA256
9454a60a9d223082dd8f2a278582ce8f0948074f212ae6e84f85d3a41cfcd01a

SHA512
888fce10b6a68b94abe082845fd1cb930738316f2b0a74d930c1ea11934e321f6686bd0f4f0095ab30732fc1ec6c363c4dd413cf70b6098ebf6e29b8921af9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\92mvs6j\imagestore.dat

Filesize
5KB

MD5
4086aa5b49ea46c1723e714a18ca2a71

SHA1
efeb1cde25bbf9eea85eeb6af0c6d02dde13428b

SHA256
85ead88a3e0b1f646d6d904a936ed76a7ac57214400f2da88a7558a5d8575847

SHA512
11b9291109e65ae8c9e4e1f5592e032adbfc2b499f31b97c3058c66d7104358f216806f0a2f5b61e84cb1b2a58929ebc9574c3a35b5c4e832786e17be1cb7174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G17BROQF\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G17BROQF\webworker[1].js

Filesize
102B

MD5
62eb30af91dddd7d80f32a890e1e4672

SHA1
37f1141450a98dda7dd8899600e46d8a9f7cc970

SHA256
d601447806420fb7676679daa6dbb113d6617440ecc79998bb013370dc08f4fa

SHA512
16446d271e46b6561b1e26d77394dcc999f49cbcdd9971cc836be2de8048fef46168dc578f02c8b33af492d586d1e636331360a21778eb337ddcd1d9af471da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8SD872Q\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8SD872Q\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8SD872Q\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8SD872Q\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\recaptcha__en[1].js

Filesize
516KB

MD5
1bb4ebd5a1126f7287c58e242a7188e2

SHA1
f06c98f9b76c942631ca4ced196b6ccff5aae339

SHA256
4b20abde9f7eb27dc344dbbb35f59aba01e4cc70262c07c260beadef9072f25e

SHA512
b51fe40ab04c98c21b1f233cb335f5d1ce2f496a2b07544025e5a89c171413ed1755bd5d9900ea43f0495fce190d4607b6d53c3d8078ebfaaecefa97471c8abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\api[1].js

Filesize
850B

MD5
832e6993cda3469c6a40da72268663ac

SHA1
4650b1e5c601a454d3fd746276fff4cd3dbd54aa

SHA256
0ef1e5d700fb1691e5faa92a14f8a755c8dd4a92ec9b1a2310ad769b225cf46f

SHA512
6aefa1b28c697c81239e47ff57b3b61cc67bdbf820b7eac99f924db2b5093b7d03a029accd7dce42d517bde32cec9f6540082f7557b72bdc3c8da27095d68b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\iUtlSGKYOzM2yMthFEz4EvI4sH8UtHYh8-PL60PBWTs[1].js

Filesize
24KB

MD5
b66c84ab7d1a9f3f3334e7cb0c81e48c

SHA1
ba87d37b29025eb941680c252d522d898ab5088b

SHA256
894b654862983b3336c8cb61144cf812f238b07f14b47621f3e3cbeb43c1593b

SHA512
d46d1b20f9aa559b33f0f8fe3382fd091152bf46347554a8c69b2e02a6f94d1d884c12532255efe28eee95b9d7cfc0ee37466be1b56733a732d41f0387ff6ddb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ox017b3g.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
3cee8416c227eb57bbeb3c25eb4d8df4

SHA1
626769936bc8a2e1eef747148f51f5c4700279ac

SHA256
24c30c9a9e0076d90c837afa0392fd5bb406389613acbd1ec88d489971ac7e58

SHA512
d8e2a2dfec7429daca5ef23da0d78fb1c74548025020f8e6f007fde727996e995838ce8daa355bded50b8a990b72d53088e6813e3ab3951098a6d22314b97181

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab50D0.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50D3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5184.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF0BE0BE6A82CA656A.TMP

Filesize
16KB

MD5
bc5a9292aaedb284120d45f471476d2b

SHA1
8a495200b38792e4b74de09243dbdd811af46fde

SHA256
fb82f1c0a27d506e1369aa75100e63207fe6ee784c868c0b02fe726bc75cea6c

SHA512
0c9d0c00fc5bfcf4b2e210a1b1384a3c3fa6557b0dd0498e987196090ba41726d8f704cb7c1b6336752dcca59d696ed07f454319fe92fbf05c717a4394e0c90f

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\01XTPX6N.txt

Filesize
124B

MD5
76dc01bd1c3328c22ad8f0c7c6badf5f

SHA1
e9885cc60f353809c9d895ecc49f2edcc5921d53

SHA256
7bd8d32aad5e1909e5fa3511a567ee58c3f8340ad65e286d96a5b4270f8a0802

SHA512
feda287ab55007b6bdb8a1aef33b87bbf77817208c5a0ae8573f68df01b805e7177da6b8359821e2aaca91e8f9ea7f1be9a95588473710c9faf6d425779b7fc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P9U5AJES.txt

Filesize
123B

MD5
bdf72bbdd3d6225269a1b320c8f97873

SHA1
a0d9b7a4bc53379a27c865c86dc539c6127d5d29

SHA256
751a25924a2ba8b44d7c1523931bf743ca2570a6ceefc320c0d37ac50ec4b305

SHA512
ffa182410072e1ce0a3cd4982f5e5cd0a534bd8bdb347d34fb505dd565c1757dea70377ad56105763613e1321274b4f584ba22dd33ba95cc37f815beba2ae0b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DDC02R0O1OLYB9R8ETKL.temp

Filesize
7KB

MD5
bddd1a0f81f91e10d3d1988bfa5e0221

SHA1
f5f1f1fdf259bb019337a32258b38ccfec0098e3

SHA256
84a461a3759915ceb3d2054b1dcd44919498d47a43ef1307a2d708a9a33fcd1b

SHA512
f3b23dd543d79dcf02d5ecfb52db8fa194c5c0d6e4257c1ea7972e3d3a28c72f41c9e862a464ac78fe3705bf121e1aff8c4f65a463fbb44cf888e68a7f67e425

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
18469b36ac28479acc6b270a20009a58

SHA1
946a140f322196f8349029b966b7f2ae1e3c8df1

SHA256
e4bd1ff84ce440b8bafc82ab16f2b0ec3a215884bda953b4751d8fe3ceeb5a60

SHA512
31e4afcf61df38210658354969ff38873339e0efeee461bc09e861005fe315f61a03085f3c9e5e90ac9cd9e923a9624b1131bd34e9a86b7d0a80be03a7a0bbac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\datareporting\glean\pending_pings\28f87d59-09b8-4d34-95d3-49dfca888d7b

Filesize
745B

MD5
69ae32d7624e37939f0e745fc5e922a8

SHA1
2a59f504840786f30d3f7e32e386f19b7835034f

SHA256
f535c2475477741473f5cb1f479b5ec2aaafac47a4c9eb37de53dc9b3caab653

SHA512
c991ced2b0f02d1663358d3540bbb638c004f7ee6e3c014de81c4859fa2cd1dd0e1820e188407b7e813c14e8f93d6efdc22c45daa7bf8a723ef90ce4560b78aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\datareporting\glean\pending_pings\dcd67748-28a7-4af8-8e1b-8aa0df5067f4

Filesize
11KB

MD5
edd468f51683481a8d70a7af57001c4d

SHA1
4ec267e50e026d200b7da75cd25f60c039a84359

SHA256
facfaaaf468258ec1067c0bbbbcb22d7104b95dcd002c3c08d2df80cc78ecc5b

SHA512
b52a34ca1cdeee7fe26774a98882eadf16876ad697cb683ae9dd344c3532fdc8d86f52874284fd7dbb8f778d8551dfeed530f18eb054c742e025f7ef1713c18e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\prefs-1.js

Filesize
6KB

MD5
f41f40f8739c94329fee94c0919124f5

SHA1
c22da0bf0afac0d317561a27e6463fe1eb3fc860

SHA256
971bb86dfcc4198d9c0f74de399201b8c310d0c8d163807ae6dc7847a3a4b479

SHA512
9d510c58d3c50f53451e96384a8a752d13bd2681447d55e42881a116a9f5d59b34c9dda3cefd394f2fc15271b23a2a56b676a1af519a99aafe38e0aa609c512b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\prefs-1.js

Filesize
6KB

MD5
cbd96420a66be57c589ac8877f8685b4

SHA1
cb362e55e5c6e2a6e9e9d2e4eb3950355bb6834d

SHA256
dcfccc8ba2a65b14ab4d8314a2868ff7c02c4c2a1d47ab3c19de98b1dc0d940d

SHA512
6d50b87310ff0cb12eef369bfcb899bc945a169c37788eea4a420eebbe1142d19217813019ad1d94ccc67e9d11c2daa991c163f9d5b2f3d63c2055baac4751c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\prefs-1.js

Filesize
7KB

MD5
5d35b27021401333211f7ae98bb016f6

SHA1
cd5e2a7b55a126679ab9b456a97369db485149c7

SHA256
ed10f95232b89890499518e0194ca7c81bcdca6b4a42c632f648fb6be7d6b35e

SHA512
0b81aac0d102345fb1005937f5f82e569e9ca12ec8917a95aee6ac29b744ea4c3be1c3bcb34a688234140887dd9c6e39c19b8ec7b3ee07c9539ca8766e409dd2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
2012980be242ff4a49157ea4d3620ff8

SHA1
afb47ea2809e2b0b0ff92c658d2719706b3f2495

SHA256
dc3f695c9c3e53d6ebfee054aa16f5cfed8bc39b912c1851ad62ed93e733e4e8

SHA512
d14edb2b10f272c3a90207ad93514deed0357121c452ea04118521aa8265bf823f66f925afb5afa6aaf0b75a20e57d19a998b7890234602ca79b0a305f33eacc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
5f8cf7d061ce4d65a1cfdbc01a04f31a

SHA1
f1f1f759ea2872ce0f766d0947c70fb0c1739e16

SHA256
31cd8faa888235a1b957168c8a5294c2dd396a3c2a4477ee620e03b913e095c7

SHA512
7fcb582dd94cc775ecb3ba69c0ddae238a55e470c0ce13b91645027f8809a2eeef37b516e98cfdd543c956b383afb86292c6af76f9f1c3e83a03ea176970dd30

Download Submit
C:\Users\Admin\Desktop\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\Desktop\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\Desktop\x

Filesize
1KB

MD5
138698f6a43f153aec162c3c0ecd105a

SHA1
a122b85a0c78f051ec3eb801319590fbfcb1362e

SHA256
b7a0abda8610bfedcdb352a6fedc75678b1f5424db1b81b7e6813fb2bf6449a9

SHA512
3fd4c0c3ad603478cc4c943db75595c4231ca5cfb7e654e0185760d2fc9f6e157dea182aef0c878b0127069349ab3f06d6fc19e6e8b5bb9f110c5b41f860b5d2

Download Submit
C:\Users\Admin\Desktop\x

Filesize
1014B

MD5
da93c927459c183a3c824092416fcc1e

SHA1
917323bbfb07ab4d11f18b60ea62c8a7cd23a726

SHA256
ac677428621d950eda8f0449df0d94c5c69d523a3fdf41a993eddbcaa9302af8

SHA512
ab86f1d94638b827fa542b5252da6d1fae394f4cf01c86f6cb2629d0c316fe4732230699a39918b012cb1c347600a19980fdeb09e9d9c0bf0b3bb999877405f5

Download Submit
C:\Users\Admin\Desktop\x

Filesize
2KB

MD5
c945fa2282987df6e0dd61df7ad15030

SHA1
dc52e8252a80eb860584466e3a03461e156e0381

SHA256
046c2cfb9b9a0578d8800a188917eff5880905531367d99dd360a471fcff0e32

SHA512
94ba661b94625e18fb340f9158d65e7e54256552596cf11287e116ffb0dc1aabe8fbcd04a6892fc995304e1f6dcabf3674fec2e47b0ee1de64f2918b69ddf35e

Download Submit
C:\Users\Admin\Desktop\x

Filesize
3KB

MD5
d6b2b752ee9a6d4a00c45ab879adb424

SHA1
487fd40d957a238d7d2912421553b8d15756ba80

SHA256
a8b17302a5dbddb003f61807654af734869ebc884d258122ef35d6c6bbc868fc

SHA512
a0b7da9e43a0df8e73de6c535144a421e09b0fdfa24e0670575ad2b70b3e142d1011440d9482e46126218d1d8d5af7334d71c60048309b7a0fbf63860ea0ab3f

Download Submit
C:\Users\Admin\Desktop\x

Filesize
3KB

MD5
16f126e150647e5dd993a81c19c4d9ee

SHA1
cdbbc15a2ca382f15a572821b641d504eb20a30a

SHA256
d24cce7718307db2e67832de728173d3aa9ec68adb2254a5bcdebb6cfda8c550

SHA512
62cfa5adf7cbc4d5963aa42ab4da3a7fe4b71e65b1bcf8b08db6a6afb1c1fbf6fe523f2feb6de1508a877cd57acf58b9c5a6cc54c505bb60f113e0c232da98bc

Download Submit
C:\Users\Admin\Desktop\x

Filesize
3KB

MD5
3e7a065c19096058e8c1649ebf6237f1

SHA1
f0ecd36a58f09ad4e77fc12f50624e6e41890654

SHA256
8d24c52704e75ef796db0799bab99dca5e90a48d4d97946e1b6cda2b32ef042d

SHA512
31455636b929bed5284558bd3a5a6c2fb68f06ac51f43d202bbb094cd430ebed877fc08a07dc3af752625bb7a30f6956d2ee91e9bb5c6276f69b5e6074642a27

Download Submit
C:\Users\Admin\Desktop\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\Desktop\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\Downloads\hVeq41UM.txt.part

Filesize
13KB

MD5
63c6ec6b042bcb00d2d832c0e4f25dca

SHA1
a904a7c3fc89ff497e91384a63db3282e00d31ce

SHA256
dae968f47476ef79b122e771ccd0a2bacde2ac3535f68047239682fefa3dfe50

SHA512
1454cd79a59f0603ae083abb7f3b1438e18c7858ab04dfc3df1a725cee72be48274c289d5c0a44ce415f4bdf8a2c316312453862381fdbf0f4af97a62234e41a

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1656-285-0x0000000003990000-0x00000000039A0000-memory.dmp

Filesize
64KB

Download
memory/2560-1694-0x000007FEF35E0000-0x000007FEF362C000-memory.dmp

Filesize
304KB

Download
memory/2560-1685-0x000007FEF35E0000-0x000007FEF362C000-memory.dmp

Filesize
304KB

Download