734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
897s
max time network
1202s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000003cfc64eb3286cdfc3a09fe475a791e8deb55a4d0d3fd9226bd2463d5c1ce3c76000000000e800000000200002000000064f6164211b4b6425898ae8671f1ff081484d88b0797b991a8282937e0b00e2d90000000724670243f6dcec551ec0c19e1d817ae303ab6ed42b9627ce7bcd0f4d3b0f362c0f81f09e140d6e40c7399ed2e8a44abb319497ad462f4c2fba77e3a370927f6651434b7cf4ffff84bfc6abfc092cd685cc9b7a3883f9706e2258a858dffff3852d35f1882d1442707b3d8b53e0e6fda930bcac7fe6505b7d9f0110ca271a0e7456da82153e86a9805e75cae8ad8233f400000004043b656ddf0845b2fc228fb8c667fa325ebe2dd4cf55e18ecf55bf92c4d37efbb01674dfe058756bfb2ca2f66e5c804a8505377b4b0a0acfde3d088d95d5f5d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0f57604bd07db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432600474"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{328209A1-73B0-11EF-A97E-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs regedit.exe 12 IoCs

pid	Process
5112	regedit.exe
372	regedit.exe
3772	regedit.exe
4212	regedit.exe
6660	regedit.exe
7124	regedit.exe
9304	regedit.exe
3064	regedit.exe
7580	regedit.exe
7240	regedit.exe
7984	regedit.exe
7712	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	MEMZ.exe
2072	MEMZ.exe
2068	MEMZ.exe
2072	MEMZ.exe
2356	MEMZ.exe
2072	MEMZ.exe
2068	MEMZ.exe
2068	MEMZ.exe
2388	MEMZ.exe
2356	MEMZ.exe
2072	MEMZ.exe
2388	MEMZ.exe
2072	MEMZ.exe
2068	MEMZ.exe
2696	MEMZ.exe
2356	MEMZ.exe
2388	MEMZ.exe
2068	MEMZ.exe
2356	MEMZ.exe
2072	MEMZ.exe
2696	MEMZ.exe
2068	MEMZ.exe
2072	MEMZ.exe
2356	MEMZ.exe
2388	MEMZ.exe
2696	MEMZ.exe
2068	MEMZ.exe
2388	MEMZ.exe
2072	MEMZ.exe
2356	MEMZ.exe
2696	MEMZ.exe
2072	MEMZ.exe
2696	MEMZ.exe
2356	MEMZ.exe
2388	MEMZ.exe
2068	MEMZ.exe
2072	MEMZ.exe
2388	MEMZ.exe
2696	MEMZ.exe
2068	MEMZ.exe
2356	MEMZ.exe
2388	MEMZ.exe
2068	MEMZ.exe
2696	MEMZ.exe
2072	MEMZ.exe
2356	MEMZ.exe
2388	MEMZ.exe
2068	MEMZ.exe
2696	MEMZ.exe
2356	MEMZ.exe
2072	MEMZ.exe
2068	MEMZ.exe
2356	MEMZ.exe
2072	MEMZ.exe
2388	MEMZ.exe
2696	MEMZ.exe
2388	MEMZ.exe
2068	MEMZ.exe
2072	MEMZ.exe
2356	MEMZ.exe
2696	MEMZ.exe
2068	MEMZ.exe
2072	MEMZ.exe
2388	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

pid	Process
3064	regedit.exe
2964	taskmgr.exe
2584	MEMZ.exe
4148	mmc.exe
2848	iexplore.exe
3724	mmc.exe
5668	mmc.exe
5140	mmc.exe
3660	mmc.exe

Suspicious behavior: SetClipboardViewer 5 IoCs

pid	Process
3724	mmc.exe
5668	mmc.exe
5140	mmc.exe
3660	mmc.exe
5704	mmc.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: 33	2204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2204	AUDIODG.EXE
Token: 33	2204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2204	AUDIODG.EXE
Token: SeDebugPrivilege	2964	taskmgr.exe
Token: 33	4148	mmc.exe
Token: SeIncBasePriorityPrivilege	4148	mmc.exe
Token: 33	4148	mmc.exe
Token: SeIncBasePriorityPrivilege	4148	mmc.exe
Token: 33	4148	mmc.exe
Token: SeIncBasePriorityPrivilege	4148	mmc.exe
Token: 33	3724	mmc.exe
Token: SeIncBasePriorityPrivilege	3724	mmc.exe
Token: 33	3724	mmc.exe
Token: SeIncBasePriorityPrivilege	3724	mmc.exe
Token: 33	5668	mmc.exe
Token: SeIncBasePriorityPrivilege	5668	mmc.exe
Token: 33	5668	mmc.exe
Token: SeIncBasePriorityPrivilege	5668	mmc.exe
Token: 33	5140	mmc.exe
Token: SeIncBasePriorityPrivilege	5140	mmc.exe
Token: 33	5140	mmc.exe
Token: SeIncBasePriorityPrivilege	5140	mmc.exe
Token: 33	3660	mmc.exe
Token: SeIncBasePriorityPrivilege	3660	mmc.exe
Token: 33	3660	mmc.exe
Token: SeIncBasePriorityPrivilege	3660	mmc.exe
Token: SeDebugPrivilege	5676	taskmgr.exe
Token: 33	5704	mmc.exe
Token: SeIncBasePriorityPrivilege	5704	mmc.exe
Token: 33	5704	mmc.exe
Token: SeIncBasePriorityPrivilege	5704	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2848	iexplore.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2848	iexplore.exe
2848	iexplore.exe
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
868	IEXPLORE.EXE
868	IEXPLORE.EXE
868	IEXPLORE.EXE
868	IEXPLORE.EXE
2584	MEMZ.exe
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2584	MEMZ.exe
876	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2584	MEMZ.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
444	IEXPLORE.EXE
444	IEXPLORE.EXE
444	IEXPLORE.EXE
444	IEXPLORE.EXE
2584	MEMZ.exe
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
1316	IEXPLORE.EXE
2584	MEMZ.exe
2584	MEMZ.exe
1664	mspaint.exe
1664	mspaint.exe
1664	mspaint.exe
1664	mspaint.exe
2584	MEMZ.exe
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2584	MEMZ.exe
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2072	2536	MEMZ.exe	30
PID 2536 wrote to memory of 2072	2536	MEMZ.exe	30
PID 2536 wrote to memory of 2072	2536	MEMZ.exe	30
PID 2536 wrote to memory of 2072	2536	MEMZ.exe	30
PID 2536 wrote to memory of 2068	2536	MEMZ.exe	31
PID 2536 wrote to memory of 2068	2536	MEMZ.exe	31
PID 2536 wrote to memory of 2068	2536	MEMZ.exe	31
PID 2536 wrote to memory of 2068	2536	MEMZ.exe	31
PID 2536 wrote to memory of 2356	2536	MEMZ.exe	32
PID 2536 wrote to memory of 2356	2536	MEMZ.exe	32
PID 2536 wrote to memory of 2356	2536	MEMZ.exe	32
PID 2536 wrote to memory of 2356	2536	MEMZ.exe	32
PID 2536 wrote to memory of 2388	2536	MEMZ.exe	33
PID 2536 wrote to memory of 2388	2536	MEMZ.exe	33
PID 2536 wrote to memory of 2388	2536	MEMZ.exe	33
PID 2536 wrote to memory of 2388	2536	MEMZ.exe	33
PID 2536 wrote to memory of 2696	2536	MEMZ.exe	34
PID 2536 wrote to memory of 2696	2536	MEMZ.exe	34
PID 2536 wrote to memory of 2696	2536	MEMZ.exe	34
PID 2536 wrote to memory of 2696	2536	MEMZ.exe	34
PID 2536 wrote to memory of 2584	2536	MEMZ.exe	35
PID 2536 wrote to memory of 2584	2536	MEMZ.exe	35
PID 2536 wrote to memory of 2584	2536	MEMZ.exe	35
PID 2536 wrote to memory of 2584	2536	MEMZ.exe	35
PID 2584 wrote to memory of 2084	2584	MEMZ.exe	36
PID 2584 wrote to memory of 2084	2584	MEMZ.exe	36
PID 2584 wrote to memory of 2084	2584	MEMZ.exe	36
PID 2584 wrote to memory of 2084	2584	MEMZ.exe	36
PID 2584 wrote to memory of 2848	2584	MEMZ.exe	38
PID 2584 wrote to memory of 2848	2584	MEMZ.exe	38
PID 2584 wrote to memory of 2848	2584	MEMZ.exe	38
PID 2584 wrote to memory of 2848	2584	MEMZ.exe	38
PID 2848 wrote to memory of 2788	2848	iexplore.exe	39
PID 2848 wrote to memory of 2788	2848	iexplore.exe	39
PID 2848 wrote to memory of 2788	2848	iexplore.exe	39
PID 2848 wrote to memory of 2788	2848	iexplore.exe	39
PID 2848 wrote to memory of 2996	2848	iexplore.exe	41
PID 2848 wrote to memory of 2996	2848	iexplore.exe	41
PID 2848 wrote to memory of 2996	2848	iexplore.exe	41
PID 2848 wrote to memory of 2996	2848	iexplore.exe	41
PID 2848 wrote to memory of 2712	2848	iexplore.exe	42
PID 2848 wrote to memory of 2712	2848	iexplore.exe	42
PID 2848 wrote to memory of 2712	2848	iexplore.exe	42
PID 2848 wrote to memory of 2712	2848	iexplore.exe	42
PID 2848 wrote to memory of 1316	2848	iexplore.exe	43
PID 2848 wrote to memory of 1316	2848	iexplore.exe	43
PID 2848 wrote to memory of 1316	2848	iexplore.exe	43
PID 2848 wrote to memory of 1316	2848	iexplore.exe	43
PID 2848 wrote to memory of 868	2848	iexplore.exe	45
PID 2848 wrote to memory of 868	2848	iexplore.exe	45
PID 2848 wrote to memory of 868	2848	iexplore.exe	45
PID 2848 wrote to memory of 868	2848	iexplore.exe	45
PID 2584 wrote to memory of 2392	2584	MEMZ.exe	46
PID 2584 wrote to memory of 2392	2584	MEMZ.exe	46
PID 2584 wrote to memory of 2392	2584	MEMZ.exe	46
PID 2584 wrote to memory of 2392	2584	MEMZ.exe	46
PID 2584 wrote to memory of 3064	2584	MEMZ.exe	48
PID 2584 wrote to memory of 3064	2584	MEMZ.exe	48
PID 2584 wrote to memory of 3064	2584	MEMZ.exe	48
PID 2584 wrote to memory of 3064	2584	MEMZ.exe	48
PID 2584 wrote to memory of 2700	2584	MEMZ.exe	49
PID 2584 wrote to memory of 2700	2584	MEMZ.exe	49
PID 2584 wrote to memory of 2700	2584	MEMZ.exe	49
PID 2584 wrote to memory of 2700	2584	MEMZ.exe	49

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus+builder+legit+free+download
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2788
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:734216 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2996
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:799764 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2712
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:1192984 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1316
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:1389593 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:868
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:865341 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:1651749 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:444
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:603256 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2256
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:1979462 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:1304
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:603302 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2372
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:2307166 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3372
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:1193129 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3968
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:2569342 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3212
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:2962562 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3340
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:3486856 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4424
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:3224748 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3324
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3064
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1664
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3688
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2964
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:3264
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3936
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4148
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4688
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5096
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3256
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3608
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:3724
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5728
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5660
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:5668
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5724
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6012
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:5140
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5100
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5876
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:3660
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5676
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:6660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6996
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6880
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6728
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7036
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:5704
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:7124
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:5112
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:7284
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:7580
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:6032
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:7764
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:7240
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:7216
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:7984
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    PID:8396
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:8432
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:8308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:8608
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:7712
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:8732
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware
    3⤵
    PID:9132
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:9128
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:8248
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    PID:9672
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:9704
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:9304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:9768
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    PID:10172
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      PID:10208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1df4559dc042f51453d31bbd6d406cac

SHA1
defff321b0e39935b0281192bc732a47edc22d84

SHA256
2e5e6363cb570b2bdfef7476d83333ea9e7699f5418fb102d5ffa795f0536d9d

SHA512
c4a96d6fa0d96e706e89a571ad916c8995cb045bc3d30ac8f83b57c95bc1ee59e983ca42534b24f02ad862959826df6b5aac6f4a1288f5a3fb0eaf873f13f731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
471B

MD5
cea7f7436b62d1aa1808fbf42c7614e8

SHA1
d8530285ce4e6fd1ca352a617263fe26d46d383a

SHA256
dfddd19826ded2ca69f63200f442f8f4dcf9b5ec1dd78e15d74d015c651ba190

SHA512
3c679f47869a4e78c2b7a5a5ac20ce4ae922e4231f2cee533cf44d25e1ee45e848a3fd55d8e4c3d98bbe357ea2b9825dcbab55d9b71d5472d29b9e77aa86fda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
472B

MD5
57fabf8ce960f6516a99cb1065e0f1b5

SHA1
0f06fda5952c1e047f2fdd06a941cde444e7fd1b

SHA256
287c0da810f4506a1fca9807d8457c52631b4f723f272412631a59fdda36d179

SHA512
df597f53035b5dc18aaefbe0fb232e9e2770343319e716a32d416d27be2b4d77e4671786d0e6711549440dda3e68fb122e61c42fc781238cb158d0c4d1546cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
472B

MD5
2e15489eb620ba4779210d523e343152

SHA1
c6674bbf4ad29b2742ab2382f6ce4c17754b05d6

SHA256
04ba2c1f6dde1be4f81cdd43a931f554f357fa751ce75028929f14695995c99e

SHA512
87ea9978c49ce2b715361cdd60900ed5e3a7a589986056f4df3b547ad0168ee3bbe453b0a1a348ce7911a5548bd17cc6918aa88c689b2b46eeb857e2ec9ae471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
5dec454ff2073731f0c7eb94d33e953c

SHA1
85015f36d9c8b3e3f391c36f0882ff0760393c39

SHA256
44c795b43d80ba02f7b9c988b4677972a5be2759f86900857a3fc1d9a783b4f1

SHA512
efe107921098e367986c7d72a93e8e193600bc053e8a5f49f2d4ba85fe4e9153cc36f146588f2f954cd3e3af9a7435277594cfa15f603d09c41a45be341ce301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d5912db087a1052f1ada5570d1f4d886

SHA1
260dd9b0ef0a88f5bc00e3ac67ff7081edffbdc0

SHA256
bd3cbcddf38e27d83688ca226dac05a1d7bd65e101bf0aaace8dde7fd4992201

SHA512
88d46e231624f1a199668654bccee4d813a87e357f623ebb7c270dd75d54df567437f656a1ee0a8ec9ebf7288d9fcf71dbb9c061673c95ca8f1d891cf383e480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
406B

MD5
18312bc8c2728625d41ccf82a8053f63

SHA1
866a1d3a3421f0e131acc2468f22250daaf12527

SHA256
84d821ccfaee29709eb01f5701aae3a956bad9ad93d688db777a095958b601b8

SHA512
72d15f3abc15bce08fd253268da23ba5de75d5672a1c12c267d7633a9a90ec8520f5ea5f6738ed30b07ffa073b37dc8d47424fc88b3c593a9ea39bec88b42ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
398B

MD5
09e2a419d1515a36c24f47cc94bceb24

SHA1
b5b853bdadb8128284f39d00fcf733793e7c9056

SHA256
2aea46ffe41a4f9d13f51c323c2706ef2ee6b7f44f277796dc78bc41de6a831b

SHA512
6ebb7b95e60f4bb7210b76dd39ef56de28eddd0d7e98125375df9a5f6fe23e0f25fa67c54920bc1d9adf5802d67ad70126f0a30c48b1a72de8a74b52621771e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3835232124d197e15516d471ed2146f

SHA1
e3305a74175181dc6f5c9365ad7ad8069f2d1fda

SHA256
7f1eeb397b2ba6e3ccca8485ffaaf7a893584d51fc6e158b5f64efc86f2571c2

SHA512
a188b2f9b5728414f12faa04a9abf8da71331b44536df37dabca03aec460d2bd8e8d61819c9a0d6fa8dac4a536f5b777ac1a7088adc8930bd8a095a3d5fe351b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0a83398686962071d1b9068d3e69789

SHA1
b41bb709c030cab45c888d41dc664721b053f54c

SHA256
cf630ff69be7bc5a5fbadf88a78018f0086f553df62daf06e55e989c00868306

SHA512
52a675ada4aabbdb21d0975aff8724661328355204347a78811eeb35478c48e0e4f3231655407f5cf00f7444d3bf40127c07f64fa0392aaae351df0068758550

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4bd697e65c7254a64c3ac681da77707

SHA1
136db779da3f4cb9377be3f2b37b2d69d3ddde26

SHA256
85c84e5d95d2b2286a8b95b3130e7244af81563ff5d0f689888d38c849ecdd89

SHA512
8ad9de1facaca88cb594eb3b8c767ba105d04f236708b2557c32e5de9fb64f2ece195e1807c6475259726c254d51bf8c0613fb32a94575480c96abb2d2f77634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c791e67b90876f025d5368235b848ed1

SHA1
7b1b4fcde5a2bae80327675923642be3146f4ab9

SHA256
e0835ae34740f4977da34752db38a4826f7565a0da24d5c97d540d7541c772ad

SHA512
e80eb189a493f9ab3510f21698dcd8ef765e65d18df06ca790e41df9c8b01d8049e462efaaaf478218b82d50bedcae93ba9643bb219dc74ed5174bbb2a2d39a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5887efa622a43f078ac33c122a8c54b1

SHA1
1aa7634427386ee9b8266c863d797026af39bdbb

SHA256
ee74ef66c3f2fa6f45fd6d0dc4167e3643896f6e568fee87939177b1598e99cd

SHA512
4abbed3fa766adc7af4b6fa1aff72b4054dbdbfea3cba0ec8d2abeb6e8e19a7b0e88d211590e7232a6cff9a6951c6fe0270e7933a99b83620433b5a29ebf5233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d00a39063e758563e9d6a69612bfea1a

SHA1
29b4a6ed4f86b7b96c4837cc9cebc045a9194d82

SHA256
1852573eda48d6b0514bf9b08e701f94b2b35e1bb05aeeb048c7df5c66b98f41

SHA512
055db2419055ed70c5143d6009f0c446b36465ed9a52859b5233e92432521473b4bf39cfe676e8dc9d5c2536be0241fe07696035629fc5b6a257d5f3db19ba43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8931f75c8097414d304698e5f047649

SHA1
e9152a96c8bded63b06899a2694a0250f9313907

SHA256
163056943b2427a47d0630a39700d11a06ea6dc3148bc5057690fbc9af6c1e4c

SHA512
790710516ae2bac94ee1ad0ff4189d62cd6cba4d2cbc8624fccf28d8dd95257f82cd9681708c403e82fde3c5ab7fc94b8556ae9a94908d8503b3b5515c656d8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe00e6d8b4b72d2e680a8cfd25194cfd

SHA1
90ca13b5d009b297ea4f0f7504374afff53ba61d

SHA256
02190106dc66b5b22c778d7c763de30e0c4e1cb0fbfc04f69e41834123118327

SHA512
ea6335cfd5e96fdd0c3f3a2a5f6343bfc23df70938584d4fe371e80c97c201ed81ff3927f497f71866c2bfa505acd705c651213c1149097b08dfb0a9f4ee7828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3acde4c08b4bf8c3ed62606ee6332ce

SHA1
e23c11b0364c747789b9819caf1d0861634c1709

SHA256
c70417c37551ca0c59d4521f1970fc6ca5f763df845eef5c3fb858f027d45082

SHA512
dc068b52c061b5921fa8b901da485032fd43010750e21c4ee82d5cb7af655c551924f0f415a05f8e33803136299e7c4606d2e16fe0c7a264fb0a809890e11749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19f9adeef9f25ba9b7e908ecb755abd3

SHA1
854a50a4d121af95bae5ea39cd0e4ba734c76c4c

SHA256
160dc8398661e95a8ee34d03bea0817b5164e8723636d6e3810e5f86816c8be0

SHA512
c4790acf8d48d1c4f298d9d3629b327ecc43108b340ed36035bcd3258c47d9505c9ae7c9760157a7b9f04b9dc3a7089389e0eaafe0fc5d8f6dea5f07c23bc4af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c4cba53701568e0a20dcb4924346a55

SHA1
dc52fa281b979b89ea448bf6fab891324ef88ce1

SHA256
1351fa465e96250519607f344da662b3a2f0661dc6780ecd7ef6cdd43603da46

SHA512
85faa4e4b49535f400fdfca40b0b25d823cdcd1ab83fabbc44f2fdbf867e02abe8b31d5d31c404145011f813edea38b71be8f38295a46c8fedc8b305a2b07c7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ecaf4577d5cb32b417045cb7ba8c090

SHA1
ae4fd020737dde8f43f3daab30d80fd0e3dea41a

SHA256
7c0bbccd8ce763ddb68fbb251206c85046b5dd1a0477964edda66a9d79cac2a5

SHA512
a782706568b77ed2a704bac270df6693df53ad692d1774a89863bed8b0f9bbf53e98a3f11aa9f4700ba639a14b3dbca4b7106c2c1eb908f08ff48a14b56c2099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10701c34ac8b4f25db868d83d33aa8a9

SHA1
7e96675822f76ed81d101c61ed0ec491b53f594f

SHA256
c6165b257d5d4a56c4dbb1655f217fdf5b2dee2f771534a2f74ae3ccadbf1683

SHA512
eba6d7b21f21a0a76e43646fe08903921b9f838b31dc985f43e012a4e90770adf3b9c03c3fccaf69d974785100bae038d1d05537ca8f43a769617357770a1ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
153760752bea7a83dfd1af440bf7fa49

SHA1
437e7582f2456cad1d31142c67014ff68c951e4e

SHA256
7d927b5cc52b601a4f3e4e0fabd95aac8621271de91da62be6530b672f566384

SHA512
45954b05c9e7032eae7bf5c0d1b7df64279958b8b15ce47d65d50065ca159212b6bb4a3d9039ac849767cbac5f65db6aa87aa243af78488cdc8cca4437615b7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f9e8b0cb554710582eeb2ddfdb9d214

SHA1
e3fcfac04dfa2ce7fdfd90cca10b6d85ecb14fec

SHA256
8c96fe49a926a64c39e5bf0e886e8dd6d144529bb0a1d01ad27a30199c89efa3

SHA512
ddc7e6d371e9b53b657ce5f7677891e34feaf49c4b726d92d497dd644f488c56cbf86a47118a86fd75b2e496426d3ee0bc55fba2d1df7bfcb2c338079683ee28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddf0fd4cabd8e7c3ca6eeedd55d47562

SHA1
14a2b0f1652eeb360ce7c97528752487cc929874

SHA256
e7c02ed04dca77bb9e44440096c83a6127a7da7e2d96955984d23ad4e8a289de

SHA512
9844b121a6a24c95cbcffeae9963b1d591ba861fc4a01f754b4b7bbef72c0895fb2a8906b587a0f40153c28e7cd02239b789312ca0160a4ffbb4e562a0ef02da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b692629a16549e37a09ee4c2b8e24f3

SHA1
90887a59944e89020a8b2d0be2683a273887a954

SHA256
1d4e39d6a1133779f8915f7b18d37e385b0e80fe24548b7ea4e0e8a15d15287f

SHA512
587452f7671ea7628c0464955b53a9eb632df9b04bb56fb96174ed8f01b91e938d2a3b8e28e9471d2c5aef55b6262671bcd739902bf3ff5ce6410b689afea5ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c531eef051e6c34f66bebcdc5f4e3695

SHA1
d696d564ec863da896be8ad1a4d2fe87c648aa9a

SHA256
a1be30d088bd396ae072be4832b5f17869424b2983c1943670afa2e3696efac0

SHA512
885cbb79508474f294ce2482bec469f6be4b49c0de046e7ecf0440590dc9bcb32a3477dec052889f1b37b385b3ab969b605286d9cf6c7e5a3cae127d819ec631

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b75e83b6c5c06a912165f282d5c5264

SHA1
b588eb26a7ee08ebebfd472a84a60dc9174eac65

SHA256
df443dba5d69f32ce8dd09250b8d730eb70fe28a1a46613c4717e6fa6217f087

SHA512
8d8f87fc600a7136f5a508c8e2932cfe2d099c6b4b0d8dc939e274816d9d5fb76c5ceebbe32789ab4c5d3b57fce40cc60fe5498f5946bb63972d3bdb1bae83c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd71bda753c6fdd6dce7f40e048d9cdf

SHA1
bcaefbab06308d50d8184de51d22c5a0d79bf3ac

SHA256
b085d737e71ab233667679549572df6b31b658669dec14b9a4bcdad3215efbd7

SHA512
fc0f61b91b6ccc5dbbd0d578be41eeb83f637607bc57c691832e89dc19180f05b24eb4793a30d48d141aab3999103e7da4b57687acf7730e46c8b9867cfc1f95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95bb2e019f03b486eed53ce091f4ace5

SHA1
00b6c4475455eb04ef2c86efedb04e31be49d716

SHA256
84b13fff71077f413017d90e1efe9b91a8c39709cc59a94cdcb51bca2c7957e9

SHA512
2e287d6a7581e3078ba6d5519caad74d29df51d30cf18ede949527b6a7bffc272a9b9146b9f7690fc0af613aa13374799e2f7e12c417630979af2346ba84ed0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f28b2e82c11bd941ddfe00500a18721b

SHA1
e79e357230b67659e3a01d7a89b62d4c99169f82

SHA256
e95ff40e1f1a69decafb11fbd792efea89f2f2fee5b9315e0b21fc00fc49f3c1

SHA512
1be46342c4c2321decbb763a74c9c3406ac0ae596a37cd3285ca5aed73bdc6ecc060179af61691fb715b4a5b34d563e3199b0cf197e4e133bdd9a1b5c9df3af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
398B

MD5
a25e8d82f98527f172c814be043cad4b

SHA1
2e5b584c64319245fe51d805cc80233a117806f9

SHA256
c386522223b7b1cedab490375aa489b61f80ba529de735228d308de515cb8917

SHA512
c9074a783d04b85636e1399aa464293af54c83e50066abec49531aef082175497e262fca8ba61ab844e38730b2fbf88fac8d6948ecf5dc506dbf7f97ae5c28b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\PSZZU9ZV\www.google[1].xml

Filesize
95B

MD5
8bb56fa8aaa8e008b8a25ac0503e40c8

SHA1
78bd70b60a6195086c9f678c8ccbbbeecb06a784

SHA256
39076e72f63f4a1d88d1f3efe7c8d38e1b8b909f9aa9e0283ef580fec90813fa

SHA512
58c1f1f3044507418a2ef791dda20a5f21e9d576a51e3e9d31c2be86ce063a309a88668b082524e9562827f06a2e73e60b6ff37638c782fe863c92f123b3a9cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\yiu0yt6\imagestore.dat

Filesize
5KB

MD5
22b4a016347f8fee02e86fd1343683a2

SHA1
78dca504771ea0e5a91fdde681c262fc74251c76

SHA256
5340e3631018b74c88ccf6ca6b2677f9eaa95b7723be7f05f71fc39a252e5a8c

SHA512
58bfe3213c61b012e55d57434bda2002b31944a97372fcb5a7c9daae14e46433859c679f6a876407e1a4d015e1f4432338c0b44df12e0447bc9af78bfeb6151a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\-HiUwdQxDKLzt71CPYD-hKnPnujfGhcYgWkgX6BRpVU[1].js

Filesize
24KB

MD5
242324a437f1e8dfa268b1be80e57fdc

SHA1
2198c8b982542d263d2df13efc9e476563b5874f

SHA256
f87894c1d4310ca2f3b7bd423d80fe84a9cf9ee8df1a17188169205fa051a555

SHA512
74d8caa815fbae1b8510c883da00cec7f43fed56890c50eb24e44d281e31d9579b592553be87d2ce8ccb04cb2e3f78eaa8889068762fa36b1143b85cb21f3410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\api[1].js

Filesize
870B

MD5
db3f5a748364d84b2b5f75e3d4e851d0

SHA1
17b34ff20d429abee726b4b74530e5af2819f7bc

SHA256
343ed5ecd144d781de67aa8638b1ca4fce5772faedbb72720daacb250884f4e1

SHA512
3ee552fff8e93097120367c7f5f6aed88145150d706349542e8800e65722f4e6507bc0802e41a305cda56aaf4bcd40c036ad7a4d2aabea9dc70f908bf400dd90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\lKPp_8x8SVU7b6KN44fvdWMof2HELUnUniMVUZmLxyE[1].js

Filesize
25KB

MD5
d79fe6b03d76ee6e31126e039d9e14be

SHA1
e0053872adb800706efe2d5bd425e27a9afebeee

SHA256
94a3e9ffcc7c49553b6fa28de387ef7563287f61c42d49d49e231551998bc721

SHA512
30c9ccdad80c81807da0045df2d950d5c1dea51a475597ecccf36ba3b69025412e5fce1d640d6c5b8cbfb7a517ca0d1195bcfecebbc593c19e8eb77fd9373da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\webworker[1].js

Filesize
102B

MD5
ad5e6a567d064cba36f2a56caab2d866

SHA1
a3b46ea0ca5df5a6b6ab6bb228cf805065523cd1

SHA256
e70942d2b905910af2538c685c2223c25e5068bfbccb9742cfa5ffa48150d291

SHA512
ba45b3d74c0d2e0ac22bc97bacb6df549d7a4eae8d64050af41167376926f4379ccb6be84a666ba615caa7c5ee6838f98020c530f5c2ce51f71dad369d130681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\recaptcha__en[1].js

Filesize
537KB

MD5
c7be68088b0a823f1a4c1f77c702d1b4

SHA1
05d42d754afd21681c0e815799b88fbe1fbabf4e

SHA256
4943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3

SHA512
cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab52F3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar52F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF47B5D2CFA4943E46.TMP

Filesize
16KB

MD5
bdd9803d5ed64de9f02e2072a95e5026

SHA1
ec74b54457e12bfd849283f6d692e9fe8a537334

SHA256
6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603

SHA512
a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WS699C75.txt

Filesize
406B

MD5
7c15cac26dd6aed99cc74a54640d7654

SHA1
7965d1c58c866caca899beaf4bf8b771c5f979d3

SHA256
035c6d099de57047fc5325126d0d545754b17099540a67464ff6916c2a2c8943

SHA512
e96ae9fc5cbd086340af9158749b6fbabfb75f553c709c66f48709050cc62ee3b5a7dfc5fae50b6045e42ce4de087371feb6a9dfa2317e41a9d10f5c626de40f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
277558d675997627fd0fad5dba59b246

SHA1
d890b041bb7f80931ce566f7848d17e98f893031

SHA256
46753cffe32b48540cfdfe6bda483f3b5b13db7e7af0d1969e58a8d7a40a83df

SHA512
97a7509ab8e7fbfa73480d8f6251ab40a3a2bbc57c4539b862e8b53beb8f18facb5ce23808be4723805d175430b09a4615b1939f9b423a4931a8fa6983d330a2

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/3660-1570-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/3660-1862-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/3660-1841-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/3660-1733-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/3660-1656-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/3660-1579-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/3660-1471-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5140-1582-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5140-1860-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5140-1566-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5140-1448-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5140-1506-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5140-1731-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5140-1660-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5140-1469-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5668-1569-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5668-1464-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5668-1657-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5668-1864-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5668-1580-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5668-1403-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5668-1470-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5668-1449-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5668-1507-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5668-1839-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5704-1861-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5704-1732-0x000007FEF46B0000-0x000007FEF46EA000-memory.dmp

Filesize
232KB

Download
memory/5704-1581-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/5704-1658-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/8432-1734-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/8432-1863-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download
memory/9704-1865-0x000007FEF7750000-0x000007FEF778A000-memory.dmp

Filesize
232KB

Download