3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

Analysis

max time kernel
134s
max time network
152s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD74C509-3292-11EF-8547-E6D98B7EB028} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F06EFFB9-3292-11EF-8547-E6D98B7EB028} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D2746481-3292-11EF-8547-E6D98B7EB028} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000066d4ec3756d38d4d97eb9162687baf7b00000000020000000000106600000001000020000000a8b7013caacd9638be785c5fdcc152cba9e37009f150418eb0c01686f2660230000000000e80000000020000200000001314b351f7d3e867a56308be3d0865d26e68c1dac59726f65511e780190f72c1900000002ce69e7a34f974842dd7f276f1da11969ea48517d7bd8d2e6453462da230cc842c338c7064d64423446d401ef3b61db2044e1007b0d6a03e5b2f06bc13c1bb3bb1a2aab3b17c8aa92e7028747f6e8f25814a8d8d77ef622e9b0e5aaa01724f224584d1007ee9ce21b197c7ca671d9e202c3bd9294102a97c8f709a8786e9f13463d1ab6e58f43fd55cfaba9568667ed740000000b2e9f07fd15397a8816ac66cfd6a4b68ecfbf44c10289388a8ee634e1dff905d079675eb3b5c7c98b64b5a03a04ba430da4313b0ce5dc685d69c29295c4a9f0a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3052	MEMZ.exe
3052	MEMZ.exe
3052	MEMZ.exe
2900	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
3052	MEMZ.exe
2900	MEMZ.exe
2852	MEMZ.exe
2504	MEMZ.exe
2504	MEMZ.exe
2900	MEMZ.exe
2544	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
3052	MEMZ.exe
2544	MEMZ.exe
2544	MEMZ.exe
2504	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2504	MEMZ.exe
2900	MEMZ.exe
2544	MEMZ.exe
2852	MEMZ.exe
3052	MEMZ.exe
2544	MEMZ.exe
2900	MEMZ.exe
2852	MEMZ.exe
3052	MEMZ.exe
2504	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2504	MEMZ.exe
2544	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
3052	MEMZ.exe
2544	MEMZ.exe
2852	MEMZ.exe
2504	MEMZ.exe
2544	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
2544	MEMZ.exe
3052	MEMZ.exe
3052	MEMZ.exe
2544	MEMZ.exe
2900	MEMZ.exe
2852	MEMZ.exe
2504	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	mmc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	2864	mmc.exe
Token: SeIncBasePriorityPrivilege	2864	mmc.exe
Token: 33	2864	mmc.exe
Token: SeIncBasePriorityPrivilege	2864	mmc.exe
Token: SeDebugPrivilege	1636	taskmgr.exe
Token: 33	1252	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1252	AUDIODG.EXE
Token: 33	1252	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1252	AUDIODG.EXE
Token: SeShutdownPrivilege	3052	MEMZ.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
1476	iexplore.exe
2356	iexplore.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
2556	iexplore.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe
1636	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2160	mmc.exe
2864	mmc.exe
2864	mmc.exe
1476	iexplore.exe
1476	iexplore.exe
968	IEXPLORE.EXE
968	IEXPLORE.EXE
968	IEXPLORE.EXE
968	IEXPLORE.EXE
2356	iexplore.exe
2356	iexplore.exe
240	IEXPLORE.EXE
240	IEXPLORE.EXE
2556	iexplore.exe
2556	iexplore.exe
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
3052	MEMZ.exe
2852	MEMZ.exe
2504	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2504	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2504	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2504	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2504	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
3052	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
2852	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
2504	MEMZ.exe
3052	MEMZ.exe
2504	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe
3052	MEMZ.exe
2852	MEMZ.exe
2900	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 3052	1992	MEMZ.exe	28
PID 1992 wrote to memory of 3052	1992	MEMZ.exe	28
PID 1992 wrote to memory of 3052	1992	MEMZ.exe	28
PID 1992 wrote to memory of 3052	1992	MEMZ.exe	28
PID 1992 wrote to memory of 2900	1992	MEMZ.exe	29
PID 1992 wrote to memory of 2900	1992	MEMZ.exe	29
PID 1992 wrote to memory of 2900	1992	MEMZ.exe	29
PID 1992 wrote to memory of 2900	1992	MEMZ.exe	29
PID 1992 wrote to memory of 2852	1992	MEMZ.exe	30
PID 1992 wrote to memory of 2852	1992	MEMZ.exe	30
PID 1992 wrote to memory of 2852	1992	MEMZ.exe	30
PID 1992 wrote to memory of 2852	1992	MEMZ.exe	30
PID 1992 wrote to memory of 2504	1992	MEMZ.exe	31
PID 1992 wrote to memory of 2504	1992	MEMZ.exe	31
PID 1992 wrote to memory of 2504	1992	MEMZ.exe	31
PID 1992 wrote to memory of 2504	1992	MEMZ.exe	31
PID 1992 wrote to memory of 2544	1992	MEMZ.exe	32
PID 1992 wrote to memory of 2544	1992	MEMZ.exe	32
PID 1992 wrote to memory of 2544	1992	MEMZ.exe	32
PID 1992 wrote to memory of 2544	1992	MEMZ.exe	32
PID 1992 wrote to memory of 2612	1992	MEMZ.exe	33
PID 1992 wrote to memory of 2612	1992	MEMZ.exe	33
PID 1992 wrote to memory of 2612	1992	MEMZ.exe	33
PID 1992 wrote to memory of 2612	1992	MEMZ.exe	33
PID 2612 wrote to memory of 2500	2612	MEMZ.exe	34
PID 2612 wrote to memory of 2500	2612	MEMZ.exe	34
PID 2612 wrote to memory of 2500	2612	MEMZ.exe	34
PID 2612 wrote to memory of 2500	2612	MEMZ.exe	34
PID 2612 wrote to memory of 2160	2612	MEMZ.exe	35
PID 2612 wrote to memory of 2160	2612	MEMZ.exe	35
PID 2612 wrote to memory of 2160	2612	MEMZ.exe	35
PID 2612 wrote to memory of 2160	2612	MEMZ.exe	35
PID 2160 wrote to memory of 2864	2160	mmc.exe	36
PID 2160 wrote to memory of 2864	2160	mmc.exe	36
PID 2160 wrote to memory of 2864	2160	mmc.exe	36
PID 2160 wrote to memory of 2864	2160	mmc.exe	36
PID 2612 wrote to memory of 1476	2612	MEMZ.exe	39
PID 2612 wrote to memory of 1476	2612	MEMZ.exe	39
PID 2612 wrote to memory of 1476	2612	MEMZ.exe	39
PID 2612 wrote to memory of 1476	2612	MEMZ.exe	39
PID 1476 wrote to memory of 968	1476	iexplore.exe	41
PID 1476 wrote to memory of 968	1476	iexplore.exe	41
PID 1476 wrote to memory of 968	1476	iexplore.exe	41
PID 1476 wrote to memory of 968	1476	iexplore.exe	41
PID 2612 wrote to memory of 2380	2612	MEMZ.exe	43
PID 2612 wrote to memory of 2380	2612	MEMZ.exe	43
PID 2612 wrote to memory of 2380	2612	MEMZ.exe	43
PID 2612 wrote to memory of 2380	2612	MEMZ.exe	43
PID 2612 wrote to memory of 2356	2612	MEMZ.exe	44
PID 2612 wrote to memory of 2356	2612	MEMZ.exe	44
PID 2612 wrote to memory of 2356	2612	MEMZ.exe	44
PID 2612 wrote to memory of 2356	2612	MEMZ.exe	44
PID 2356 wrote to memory of 240	2356	iexplore.exe	45
PID 2356 wrote to memory of 240	2356	iexplore.exe	45
PID 2356 wrote to memory of 240	2356	iexplore.exe	45
PID 2356 wrote to memory of 240	2356	iexplore.exe	45
PID 2612 wrote to memory of 2556	2612	MEMZ.exe	48
PID 2612 wrote to memory of 2556	2612	MEMZ.exe	48
PID 2612 wrote to memory of 2556	2612	MEMZ.exe	48
PID 2612 wrote to memory of 2556	2612	MEMZ.exe	48
PID 2556 wrote to memory of 2660	2556	iexplore.exe	49
PID 2556 wrote to memory of 2660	2556	iexplore.exe	49
PID 2556 wrote to memory of 2660	2556	iexplore.exe	49
PID 2556 wrote to memory of 2660	2556	iexplore.exe	49

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2864
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:968
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:2380
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=g3t+r3kt
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:240
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+buy+weed
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2660

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x598
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
8d1040b12a663ca4ec7277cfc1ce44f0

SHA1
b27fd6bbde79ebdaee158211a71493e21838756b

SHA256
3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727

SHA512
610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
81afc0bf5da0665d25a5dee7e2753370

SHA1
0c3be1f39d24b0244b10a55c1206a33e8f53212f

SHA256
5fccf1d8723d62ad01b16c8e53c63c38ebe68f68ec2e2218e2f0c697b9fa4f77

SHA512
81cc789f7a25a488524fbaaf46f930f03de79734d7c0497ee1ec800e5fd1f90e8e7124c55c6b8ba9d9defca243dfd6cfc237d969064cd44107bf738cdd585c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_C9A4EE50DBC832CFBC131D902FC90F41

Filesize
471B

MD5
14f2137a185edcdb34d8d5a6e08f567d

SHA1
41341712a2b3c2414a74f6787901b8e9b96d5dc1

SHA256
b29f4c1a1e45aa42e1db25c7b85dd9a66debc9ee7770c03285cd82cd919af066

SHA512
fd4f1a0fbc257a966230ac943b62a595e7127538cdda6ccb779875cb7be4f66a5cacf34a9a44b502f238b6d1f867d6e08d5caa4cdb988674ebe13ee2bdc13875

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_4E4933C273AFD632077725BC7FF4B704

Filesize
472B

MD5
25ce815778d63cb630d153cfde4220b7

SHA1
692e55dabdc461f26cc9aa9c76198eccaffbce70

SHA256
1c06359fee6c60e885db94aef77a30aa53e51d412143b5cde7dfb2c7a7898e50

SHA512
b582ba1d48c8bd9678741a354adeac56bfc263d2ca1caab6978b7cb1f9ab0baf979b6db16418b3b148d2e4ca1af6612a4f270040cc81fe1891bf14fc982eb879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
a9aca32b2f0f751b31a8a4b99516a177

SHA1
b8660b4949089a2c8fab7698fcc403b045334546

SHA256
9e144e579da0d8c8b62489fc6aaf33d625103b32d8fe444cbe05c621d21275c2

SHA512
11cc7512dab220da7adc844c9a99cbe9984f2494d4765f02ed395d48118cd33994659a0f1853b34acaf1d6da5b59febb276cad3d33d338c64090a4f5b3132d9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
db5ebdff0e888eccd195bfa78350d830

SHA1
77468027e5f49dd1d362a8b6b9d38347c66f8edb

SHA256
04739b11317aeef2b0fb47c266a122f4e6f6408306ff4ae93b8fe3a5f4e9c42b

SHA512
8689980e5e5c4ff15276ee822e9340e761f639d3810a667a807950785a1d88745671be2faf0e130e579def012996185d5b9cb79017c1d750f2c8ec101eb9d8df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_C9A4EE50DBC832CFBC131D902FC90F41

Filesize
406B

MD5
f7270a2ea2c2bf76f3fc92987cf77d54

SHA1
fd16322775f6d71903dd01cc5d293737ba80147d

SHA256
aa80c912f3e4aabb8deef2a61fe6b3bc5b82c490d315561273e739bc36568b10

SHA512
ffefaa0df42e3b61f7b31c31476d04749c8c112995426b526e81ab81d74ef143c7ff35d50ab1ea34a07aaf2146868fc0b2ecede249545be6c82de5fae546232b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_4E4933C273AFD632077725BC7FF4B704

Filesize
406B

MD5
136a18a1d94d862b2c8ae6f7c226d693

SHA1
b96d218b2795c7312a0546ba4878996e0217a246

SHA256
5849b9605ba78693d831f90f8e90249b3153baaa5b0da46253484a0115546489

SHA512
9bbe2970ee927ae4d221183d40de49a74f82cc3697fa23578191e097f975cf94e46ba3517b07072891722855be14133ca1a28d6c175972755bb8acc0c7d223e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
436d4a29194862cb9ef3f44dc09143c8

SHA1
18a725d2d91fe59e1070f6cf87eda29f771509dd

SHA256
fd8d9485474f8f2b5fdcfd9e7d6d1dd5664fede3f87d7d2ea491882d24f40806

SHA512
af9cf1a0d5e0e1c31de895e9012fe9aac27733a369d1340fc290cd512183c0274bd40112d53822a8ac2a594109d65b996ead34b7b0157370157b3bebb8137baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcc3199de87a3e10d1a90f95fddb06c0

SHA1
0ed556564440f48d2a5c995b8df3a2f32cf01acf

SHA256
2517e4b855645d40276ec0e602b04b41e9bd1e89e456c8155c60015e5496b533

SHA512
22d500a683013d3aa8434e0f70945732c7cd07d3cb93c6fe8bc119b1e16c1c5b554b8e92943bd69bee624e56d74377a8753a82daa2e42c6504ac89f828c5264a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
504dd9cae2a74a0d2e3d60b65f8afaeb

SHA1
49d2bec92bcfc77b1e486db8f7d7ee1e113526ad

SHA256
ee489308dfa93f30d8946b94542d5911eadd8a43cf8394b0eca2e7c0869b1670

SHA512
12edbf54f26ac622e52fd615a3a45502275856c9b6c753aec4f143346cda95ea3c7eb13ad073824e94bc1a17ebbf4b0210040ad1a7f413571d4b39e2db7a253e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e2f124b57673cde121fa2ab3a868f6c

SHA1
73755cba6f6ee9db1263de593e8a9e5e1aa67813

SHA256
9099eb14ae668b2596d7d008c7441fbb3269260dac56b7dae341045ca8094355

SHA512
4e5cd6a39ca63a47b4136bbe412216a9f75dc05a2476d6fba5b375d3ee0cbd9ccc18eecfff0f098080ecce6e9e44ad11c423e684597b5645df53b005964bf6e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b623f12b5d807416f853db94e9d0a418

SHA1
88c09bb1c6e7cfa3d95a207dc74b22ff1aa71f36

SHA256
a7ff48199ad00791b9a092dab027a99fb9478f278c436fb96d3938c1f3d5df3f

SHA512
efc3ce5ba77349147b528d0f8ad25f1e26c096b70a2b61312a30562815168da11b73f2e207ef51cc10af01148703fa4ede365dc8ba67b2a808055df782f227c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf154adfdfefb9bebfec16ba81571385

SHA1
c742d4bfb3a3cd09f58f5309f45515be53bf91db

SHA256
9aa2419d55a37f9d602b78def61ba07afc06980050bceb0b787f483b09c29f85

SHA512
f024ed702add050efaf68eccf9cee03d5de1143a44662e1595e3624b7595ffb57e84e21f99835d43fab8a0b6e76ab3fe1a9cefd3bc18763062170f82e195f206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfd4b3dec581b013f72e7588402355ef

SHA1
6eef9dade7caa67be587b664129ed20dc902d8ec

SHA256
0f8e85ab3e2080c70343ebb4ed65afe233c2f8e45b26b4cf589888323104b76e

SHA512
be2a85fd298d73d28fab00df2b0720fcd7c344bf6176b13a0eddcf6f16692689077fc8feeb8fecf7844c301c000783e94a0847320e4fc78a3730c9a2618364fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5640fcd0696a162655cf750adda15ae3

SHA1
e9315c0ceca8d61230b953909cb3d07cec3fe99f

SHA256
41834e7fc8ba2644f9f94c95270273459f5662e5421388af3b9ad3e6d5e96dc3

SHA512
4180d2cd4d900a465cfc01001ac3b2d2702cdb07fd8b9d3c956a6ff2141e84bab07143dde7a26aa6fa1bf121e10404c2a131b3d626712cacc825b38218944e6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c95540aff004342de0de1497a2f5e724

SHA1
e83cccd872790d04325dbd3175ba110a75332f10

SHA256
3867f2d7f4a3d55d6cb710441f797c3cb53528290723c8446b449ca159e781aa

SHA512
246f09875df01e6e2e35e2cc011770f3160225d11e447bb2837006c0caa2589ce3f07e41b9073eb389f44cbd672d8997fb063db3a12cd82fba739d715cee922c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e9dff106b9383ab94d687dfa79efcdf

SHA1
6bb6c990035bcc529d8f8da4281d568dc9abb50f

SHA256
52d0b04edf0bbc3a64864a3db4dad0c7b8e161899b368f9bf73305068b7dffb2

SHA512
b59dc4eb2f6703eecfb75395951477fad5cae5f5f36c07d39aa504ab7f0357349bf3064638ca7e04ddac3f225093a4eaacaacbe9aa05cf9b009ec008681f4e9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33e058f3895361c01638a28f03ddc8f1

SHA1
956749cc5d85308181d66e5aa3c8be9b3dc484d5

SHA256
e6bbb523e3da824aa9242224d8ee8eb1b44fbb6d9c8fb8fe20369ac19c539235

SHA512
604b7146cbf7b14b3177897a1e01016b82b0f43cf13373554e3d80d9780658c77e3fc919ec9f92620faee74e8a6367f98de45a1bfef9aafd109b4e6fb1ec592a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6cb035074a509b252dd75dbecea5a76a

SHA1
537002eb1044ea9274c7d118edfdedc6bb8a4b9e

SHA256
a89f72af7e5f703522153ba138fabc8044ed23527118b295eaf14e508568548c

SHA512
c81bf56a2052a62ff008f7ce070ab085a63b76e60775bcce1d746c36ff4951a6f087bec4fcf93e8d4bbd8ce1d396fc3d50da2764f0c9695d1b7d2a84ed5b4935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
48c77889c4fc1105c7b547123cc53d6f

SHA1
78c2bb9557b0db34d7a26b0df36cf16f8e0e478e

SHA256
9a7ab243685acf43183fc8281b261619ea7217321037e8bd60471bb908529e1e

SHA512
baa78e971fdb95e3472bc2fa70ab5e16f1d74f00558036aeb54889b4988cb9a70a89a0258b16222e6ad25e1ee2b1a878f75f73594a2fa97baa1570a08863c5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\F3TGJEVB\www.google[1].xml

Filesize
95B

MD5
5e6bf77c9a244d00825f977620de9746

SHA1
e30504fc6362f118b5b8c1adbf30c7e53315c93f

SHA256
8fa4d4d0a0aa4d5dd926803fc9b58ca3cf571b3ce5371df04bea427eb0dcac14

SHA512
7a4e6685f8f7596a73bde62de5d858e7697013d77fee72c66c1138d477dbf4e0d61bbcdcdcacae60e9aaa682bd82f8538ba30cdae6f026a569ea97613cd68dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D2746481-3292-11EF-8547-E6D98B7EB028}.dat

Filesize
5KB

MD5
638b30f557c34feb0b3bd7a96dc69d9e

SHA1
fef9b4321bf08d5ca7da3bce897d8cb328e5d12e

SHA256
c1b22ac2976a9288c25e7896d433a28517e5a61ff637ceadba6b9d1de8af81d7

SHA512
ff64bfe849074552ee9816d2e16d651df9b9fb9e3677f189e0c65d8fa5127fc07baf24a611dfd89311a0442627ad4ff78c98831e3466ad5a4f0135401255a660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{F0875AD0-CFEC-11EE-9B3F-EA6B8212FFD3}.dat

Filesize
5KB

MD5
c1b7d7b3b405cd29214ac2b93769027b

SHA1
28a57c6530db072f3e330ee76ea552e4ead83be1

SHA256
1160d1eac7006f87c7b0905a4cf4848b9271491d097e2d7022235957c2c7c2bd

SHA512
51779ceca7a9087e7249418ecd1b8895711d5deab2cdf587de66cab8b412d3bf7e90bab3b36c3fe131a1af39887fa1c4b84ed4710247ff85e8ad4df51629ff7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{EB2BB578-3292-11EF-8547-E6D98B7EB028}.dat

Filesize
16KB

MD5
cc9be271f69af0c3e3b572535cf0ef9a

SHA1
1e03e1adea02f2eae22d8e559fa64d649f1de537

SHA256
71650f7174c5ae15c3872cefc9d17779d7c6dbad209fbbc1adc9b019a24c28c7

SHA512
5add066e5349e62d40f9371cdf724d5d6736247fc4798bc4ab9f7c9da96fbd8e0e735a0b86dd9cebb15be30db2ffc46a10c13aee6c59c4a2dddcb7d476b9d337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
5KB

MD5
aafbbafd88fbeeca71cbadbd15d89e13

SHA1
1d9eb2871af2dbdde0464db1edd44cbe06e7787c

SHA256
c79a9fb7348804c46eefcc8eb3a52d6a9e1e31f2b3600e743dce0ead11a2da41

SHA512
a229dd8cf71c8a41e2a0e22155c127d8719b5bf5892ae83689e73afbec317d5489f8b0129c66538ac08281988bac5904313d820421629ba86782804651e8b120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

Filesize
5KB

MD5
74960d378ed3d3798606e3eee2ec88a2

SHA1
760ac67c30da7342ece07e28d1ba60ee9fc3c732

SHA256
00096c96613f4cd2273d01c90a03fc911ef27d963943ff2e440a3d4af3ebbbd8

SHA512
ad818ea9562b26e0f67ec26f1e0879441ab5a5b0d06153dbc6df1dd29595407ff92022dbf92729de6bc0e9f098ab57db7c81f67ad297c22d16827660c61dc12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\api[1].js

Filesize
850B

MD5
832e6993cda3469c6a40da72268663ac

SHA1
4650b1e5c601a454d3fd746276fff4cd3dbd54aa

SHA256
0ef1e5d700fb1691e5faa92a14f8a755c8dd4a92ec9b1a2310ad769b225cf46f

SHA512
6aefa1b28c697c81239e47ff57b3b61cc67bdbf820b7eac99f924db2b5093b7d03a029accd7dce42d517bde32cec9f6540082f7557b72bdc3c8da27095d68b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\nAi3L_grIveh4_vTblADPYCzmMAuz2fY21GywUlmlrY[1].js

Filesize
24KB

MD5
a60833c49e99a2e6bba69b878e7ca60f

SHA1
ee07c061eb17230c0181a5c2c802e9fa07160491

SHA256
9c08b72ff82b22f7a1e3fbd36e50033d80b398c02ecf67d8db51b2c1496696b6

SHA512
d07320fbc0154e233152ad6d76754fc57b4bde0b7cd3ec3da4cfc64edf0a37a64cafd9c720dc60175d2a470c376bada2c0063f79f88c7dc7be5842a7fbca9160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\webworker[1].js

Filesize
102B

MD5
62eb30af91dddd7d80f32a890e1e4672

SHA1
37f1141450a98dda7dd8899600e46d8a9f7cc970

SHA256
d601447806420fb7676679daa6dbb113d6617440ecc79998bb013370dc08f4fa

SHA512
16446d271e46b6561b1e26d77394dcc999f49cbcdd9971cc836be2de8048fef46168dc578f02c8b33af492d586d1e636331360a21778eb337ddcd1d9af471da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\recaptcha__en[1].js

Filesize
516KB

MD5
1bb4ebd5a1126f7287c58e242a7188e2

SHA1
f06c98f9b76c942631ca4ced196b6ccff5aae339

SHA256
4b20abde9f7eb27dc344dbbb35f59aba01e4cc70262c07c260beadef9072f25e

SHA512
b51fe40ab04c98c21b1f233cb335f5d1ce2f496a2b07544025e5a89c171413ed1755bd5d9900ea43f0495fce190d4607b6d53c3d8078ebfaaecefa97471c8abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1651.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1652.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1752.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFFB389132963F51B4.TMP

Filesize
20KB

MD5
f450d77772cf95979adfd246f3e67b9b

SHA1
d7b064efaf62a6ae1405664bd2accd61f6ec12db

SHA256
fe83b81f3b9b1c1833a11f757c2de6aef42104df71715feac8389f1152b8d9bc

SHA512
7fcbb2ceb6fdd884e559a8090b620b144992702922a97e8a96c08a717ad273407a3c5c8df6631cef014a3e57a8581a42399dadde2f04bf4826df466715c3baac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7V8RLCV5.txt

Filesize
382B

MD5
e6ad6eb852fb6a1c567edec6d221550b

SHA1
bfda89ebca016cd452c1c647ab3dd2fd884a7a77

SHA256
683da8e3ee5a014b7e01446595cdf6d258e5ac849df9c6ed8e03f96416dd6421

SHA512
58c90627b554f898cd939232335fa2e7f1a7437345067db675022d17a30b109a204a2cd29ecd41b1d75094620b69e3f4bd940a869989cf7c413c89ada6d8d89a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
4KB

MD5
c4bdc8b28e72cde0ee0640607fb644f9

SHA1
d9add71b3447653e87abea0fa68003f67ed450c8

SHA256
8fb69ee85f9530bd8e38af1319154eee57e595f18944104b0006b83b13b8af7e

SHA512
d432af7fd357a6c47b8ef8c531854aed00afe10792be17d6510d10677e8e64b8396cff249d7d32109719ce65b8582f2851c803714d42a0a9f10548ad77c95b36

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1636-657-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1636-658-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2864-2-0x000007FEF60E0000-0x000007FEF611A000-memory.dmp

Filesize
232KB

Download