734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
391s
max time network
685s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
940	MEMZ.exe
2784	MEMZ.exe
2924	MEMZ.exe
2844	MEMZ.exe
2628	MEMZ.exe
1736	MEMZ.exe
1760	MEMZ.exe

Loads dropped DLL 27 IoCs

pid	Process
940	MEMZ.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000f0633cdbcc29ae5de805be1d5e21b0baf462bd639cd12e19191b0cbf0d248ca5000000000e80000000020000200000006fd2b3c68cdd281a28a85ed523fc48a2ef58b304ebd34989b2d06287ce1697c890000000e20cd7b0ff586863609fc8f3656029a3bd0d8ffc70df50ca4f069080ab0104e453338a7e08ef15669a63c79c42ab724638bb8e1ffdffe2ef9240ac82bbc1f646913b8e524f462fbf7770c45f5fb790805a558466ec2a618e48fea2d44dcea1a8e6074e1e28aef6e5a0963b7e4f9ffc687dc393a2b4f54b5672f7b9cbc8146cd07b34ffc966ca20bd2a158e00df0ab55a4000000040b638a1b97c4f7e524ec41a81072ac79be5dff9d918aafcfdc46d9d96c008070e99fe5753c736b9fe586ad863b18ea61549e3fc28ffc1b1768c57528c19f2b9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000ecd9c1a242fe9a82d282b4c255d46392594c60a21e686f7da73e98e66a30ac5d000000000e8000000002000020000000894210ce72ae50ec12c73b414c2cdf2de62163206cb88af0cec9eaa09f597d0720000000b45a02dfe4f3b5c8f21d5766bfe4aa546383946ce91b6fb1d9895d2566af24af40000000735cccabfafc07e5d87e435bdd13b5444126e8af9726f3de3f7096cfa51d5a8c11713c38691a0d86e2838e7ec9750f98b2cbf64e2483573258f02574e1dc2444	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Runs regedit.exe 1 IoCs

pid	Process
3280	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
940	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	MEMZ.exe
2784	MEMZ.exe
2784	MEMZ.exe
2784	MEMZ.exe
2844	MEMZ.exe
2924	MEMZ.exe
2784	MEMZ.exe
2844	MEMZ.exe
2844	MEMZ.exe
2784	MEMZ.exe
2924	MEMZ.exe
2628	MEMZ.exe
1736	MEMZ.exe
2844	MEMZ.exe
2784	MEMZ.exe
1736	MEMZ.exe
2628	MEMZ.exe
2924	MEMZ.exe
2844	MEMZ.exe
2784	MEMZ.exe
1736	MEMZ.exe
2844	MEMZ.exe
2628	MEMZ.exe
1736	MEMZ.exe
2924	MEMZ.exe
2784	MEMZ.exe
2628	MEMZ.exe
2844	MEMZ.exe
2924	MEMZ.exe
1736	MEMZ.exe
2784	MEMZ.exe
2844	MEMZ.exe
2924	MEMZ.exe
1736	MEMZ.exe
2628	MEMZ.exe
2784	MEMZ.exe
2784	MEMZ.exe
1736	MEMZ.exe
2628	MEMZ.exe
2844	MEMZ.exe
2924	MEMZ.exe
2784	MEMZ.exe
1736	MEMZ.exe
2628	MEMZ.exe
2844	MEMZ.exe
1736	MEMZ.exe
2784	MEMZ.exe
2924	MEMZ.exe
2844	MEMZ.exe
2628	MEMZ.exe
1736	MEMZ.exe
2628	MEMZ.exe
2844	MEMZ.exe
2784	MEMZ.exe
2924	MEMZ.exe
1736	MEMZ.exe
2844	MEMZ.exe
2628	MEMZ.exe
2784	MEMZ.exe
1736	MEMZ.exe
2844	MEMZ.exe
2784	MEMZ.exe
2924	MEMZ.exe
2628	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3008	mmc.exe
2900	mmc.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
2900	mmc.exe
3744	mmc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: 33	3008	mmc.exe
Token: SeIncBasePriorityPrivilege	3008	mmc.exe
Token: 33	3008	mmc.exe
Token: SeIncBasePriorityPrivilege	3008	mmc.exe
Token: 33	3008	mmc.exe
Token: SeIncBasePriorityPrivilege	3008	mmc.exe
Token: 33	2776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2776	AUDIODG.EXE
Token: 33	2776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2776	AUDIODG.EXE
Token: 33	2900	mmc.exe
Token: SeIncBasePriorityPrivilege	2900	mmc.exe
Token: 33	2900	mmc.exe
Token: SeIncBasePriorityPrivilege	2900	mmc.exe
Token: 33	3744	mmc.exe
Token: SeIncBasePriorityPrivilege	3744	mmc.exe
Token: 33	3744	mmc.exe
Token: SeIncBasePriorityPrivilege	3744	mmc.exe
Token: 33	3744	mmc.exe
Token: SeIncBasePriorityPrivilege	3744	mmc.exe
Token: SeDebugPrivilege	3344	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2636	cscript.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
1996	iexplore.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1996	iexplore.exe
1996	iexplore.exe
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
2464	mmc.exe
3008	mmc.exe
3008	mmc.exe
1996	iexplore.exe
1996	iexplore.exe
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
1760	MEMZ.exe
1996	iexplore.exe
1996	iexplore.exe
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
1760	MEMZ.exe
1996	iexplore.exe
1996	iexplore.exe
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
1760	MEMZ.exe
1972	mmc.exe
2900	mmc.exe
2900	mmc.exe
1760	MEMZ.exe
1996	iexplore.exe
1996	iexplore.exe
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
1760	MEMZ.exe
1996	iexplore.exe
1996	iexplore.exe
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
1760	MEMZ.exe
1996	iexplore.exe
1996	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
1760	MEMZ.exe
1996	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2636	1568	cmd.exe	30
PID 1568 wrote to memory of 2636	1568	cmd.exe	30
PID 1568 wrote to memory of 2636	1568	cmd.exe	30
PID 1568 wrote to memory of 940	1568	cmd.exe	31
PID 1568 wrote to memory of 940	1568	cmd.exe	31
PID 1568 wrote to memory of 940	1568	cmd.exe	31
PID 1568 wrote to memory of 940	1568	cmd.exe	31
PID 940 wrote to memory of 2784	940	MEMZ.exe	32
PID 940 wrote to memory of 2784	940	MEMZ.exe	32
PID 940 wrote to memory of 2784	940	MEMZ.exe	32
PID 940 wrote to memory of 2784	940	MEMZ.exe	32
PID 940 wrote to memory of 2924	940	MEMZ.exe	33
PID 940 wrote to memory of 2924	940	MEMZ.exe	33
PID 940 wrote to memory of 2924	940	MEMZ.exe	33
PID 940 wrote to memory of 2924	940	MEMZ.exe	33
PID 940 wrote to memory of 2844	940	MEMZ.exe	34
PID 940 wrote to memory of 2844	940	MEMZ.exe	34
PID 940 wrote to memory of 2844	940	MEMZ.exe	34
PID 940 wrote to memory of 2844	940	MEMZ.exe	34
PID 940 wrote to memory of 2628	940	MEMZ.exe	35
PID 940 wrote to memory of 2628	940	MEMZ.exe	35
PID 940 wrote to memory of 2628	940	MEMZ.exe	35
PID 940 wrote to memory of 2628	940	MEMZ.exe	35
PID 940 wrote to memory of 1736	940	MEMZ.exe	36
PID 940 wrote to memory of 1736	940	MEMZ.exe	36
PID 940 wrote to memory of 1736	940	MEMZ.exe	36
PID 940 wrote to memory of 1736	940	MEMZ.exe	36
PID 940 wrote to memory of 1760	940	MEMZ.exe	37
PID 940 wrote to memory of 1760	940	MEMZ.exe	37
PID 940 wrote to memory of 1760	940	MEMZ.exe	37
PID 940 wrote to memory of 1760	940	MEMZ.exe	37
PID 1760 wrote to memory of 2228	1760	MEMZ.exe	38
PID 1760 wrote to memory of 2228	1760	MEMZ.exe	38
PID 1760 wrote to memory of 2228	1760	MEMZ.exe	38
PID 1760 wrote to memory of 2228	1760	MEMZ.exe	38
PID 1760 wrote to memory of 1200	1760	MEMZ.exe	39
PID 1760 wrote to memory of 1200	1760	MEMZ.exe	39
PID 1760 wrote to memory of 1200	1760	MEMZ.exe	39
PID 1760 wrote to memory of 1200	1760	MEMZ.exe	39
PID 1760 wrote to memory of 1516	1760	MEMZ.exe	41
PID 1760 wrote to memory of 1516	1760	MEMZ.exe	41
PID 1760 wrote to memory of 1516	1760	MEMZ.exe	41
PID 1760 wrote to memory of 1516	1760	MEMZ.exe	41
PID 1760 wrote to memory of 1996	1760	MEMZ.exe	43
PID 1760 wrote to memory of 1996	1760	MEMZ.exe	43
PID 1760 wrote to memory of 1996	1760	MEMZ.exe	43
PID 1760 wrote to memory of 1996	1760	MEMZ.exe	43
PID 1996 wrote to memory of 2236	1996	iexplore.exe	44
PID 1996 wrote to memory of 2236	1996	iexplore.exe	44
PID 1996 wrote to memory of 2236	1996	iexplore.exe	44
PID 1996 wrote to memory of 2236	1996	iexplore.exe	44
PID 1760 wrote to memory of 2464	1760	MEMZ.exe	46
PID 1760 wrote to memory of 2464	1760	MEMZ.exe	46
PID 1760 wrote to memory of 2464	1760	MEMZ.exe	46
PID 1760 wrote to memory of 2464	1760	MEMZ.exe	46
PID 2464 wrote to memory of 3008	2464	mmc.exe	47
PID 2464 wrote to memory of 3008	2464	mmc.exe	47
PID 2464 wrote to memory of 3008	2464	mmc.exe	47
PID 2464 wrote to memory of 3008	2464	mmc.exe	47
PID 1760 wrote to memory of 2368	1760	MEMZ.exe	48
PID 1760 wrote to memory of 2368	1760	MEMZ.exe	48
PID 1760 wrote to memory of 2368	1760	MEMZ.exe	48
PID 1760 wrote to memory of 2368	1760	MEMZ.exe	48
PID 1996 wrote to memory of 2504	1996	iexplore.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2636
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2784
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2924
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2844
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2628
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1736
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2228
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1200
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1516
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=what+happens+if+you+delete+system32
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2236
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:603148 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2504
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:406545 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3028
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:209971 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2376
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:734224 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2152
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:210002 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2420
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:996387 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2384
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:1324073 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:210057 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2736
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:1061975 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3512
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:2176052 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:828
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:2110522 /prefetch:2
        5⤵
        
        PID:3320
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:3748955 /prefetch:2
        5⤵
        
        PID:2032
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:2962512 /prefetch:2
        5⤵
        
        PID:3308
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:1651791 /prefetch:2
        5⤵
        
        PID:3572
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:3814496 /prefetch:2
        5⤵
        
        PID:4256
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3008
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware
      4⤵
      PID:2368
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=g3t+r3kt
      4⤵
      PID:3060
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=bonzi+buddy+download+free
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2108
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+buy+weed
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2696
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
      4⤵
      PID:2036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+remove+a+virus
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1972
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2900
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+buy+weed
      4⤵
      PID:2012
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+remove+a+virus
      4⤵
      PID:900
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=minecraft+hax+download+no+virus
      4⤵
      PID:1380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
      4⤵
      PID:2644
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://softonic.com/
      4⤵
      PID:2860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=bonzi+buddy+download+free
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2556
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2444
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3712
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+buy+weed
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3344
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3412
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
      4⤵
      PID:3280
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:3280
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      PID:3828
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        
        PID:3688
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:4028
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+get+money
      4⤵
      PID:3160
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=what+happens+if+you+delete+system32
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:3452
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:1400
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=what+happens+if+you+delete+system32
      4⤵
      PID:3648
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      PID:4040
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      PID:3356
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        
        PID:4116
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4716
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=best+way+to+kill+yourself
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4956
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+remove+a+virus
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:4904
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        
        PID:4832
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:4796
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:4144
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe"
      4⤵
      PID:4392

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1df4559dc042f51453d31bbd6d406cac

SHA1
defff321b0e39935b0281192bc732a47edc22d84

SHA256
2e5e6363cb570b2bdfef7476d83333ea9e7699f5418fb102d5ffa795f0536d9d

SHA512
c4a96d6fa0d96e706e89a571ad916c8995cb045bc3d30ac8f83b57c95bc1ee59e983ca42534b24f02ad862959826df6b5aac6f4a1288f5a3fb0eaf873f13f731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
471B

MD5
cea7f7436b62d1aa1808fbf42c7614e8

SHA1
d8530285ce4e6fd1ca352a617263fe26d46d383a

SHA256
dfddd19826ded2ca69f63200f442f8f4dcf9b5ec1dd78e15d74d015c651ba190

SHA512
3c679f47869a4e78c2b7a5a5ac20ce4ae922e4231f2cee533cf44d25e1ee45e848a3fd55d8e4c3d98bbe357ea2b9825dcbab55d9b71d5472d29b9e77aa86fda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
472B

MD5
57fabf8ce960f6516a99cb1065e0f1b5

SHA1
0f06fda5952c1e047f2fdd06a941cde444e7fd1b

SHA256
287c0da810f4506a1fca9807d8457c52631b4f723f272412631a59fdda36d179

SHA512
df597f53035b5dc18aaefbe0fb232e9e2770343319e716a32d416d27be2b4d77e4671786d0e6711549440dda3e68fb122e61c42fc781238cb158d0c4d1546cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
77bed814b1cbbee1af7ed2ffb94db5f7

SHA1
eedcece0a260ec76a31e05ac10c2ff94f18f898b

SHA256
f9e9e6bb3b4d31bde3dd3bc178b3b7e76634ad2a4b8b4abb52bb1ed10050f5c7

SHA512
b6db8f475506142d51331108e52b91dfd91ef584a4e0b8234324c3803a6eeabac79871c7e9e42edab01e813acef3053a6266a42f80c13cc07c145025f2d32f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
0cbbc0f815b507a1e7abb7599590a172

SHA1
c6a75986e2648264fa9be3d3e7dc29f90adc3c88

SHA256
9708ecba375532714b0e9b972690f5531135bee2381940f7c5ba2e7935d9d397

SHA512
9f306ec5f75b6f2ac9038717ca70db920f320fd9663186afbe0dcef9b71f32f8037d0965173f48d3dbdbdc977a565aac42338f5c3caf8d7474e200e216b6d842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
406B

MD5
ceed0e5d39899f17a1af40ff698c4907

SHA1
478dd196ce0879a00c4d969fd1a0d29026ca77d5

SHA256
80b21fc9ec7c31c5054c82015e9d96d8efd5f29b7b184c338a9c78bf57575b06

SHA512
ea177499ed8920280502e0c1a05d05896a12ebbfb1f0372ef072f1922a87262c9f454c47017cfeb6bfbf08bea01a4ce359ce43dff46de7c294c89fddcc38c9ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
398B

MD5
1263c24980a5251b93eb1f465b365fd2

SHA1
d1af440013c53a8118ef741556a73b38337fd900

SHA256
bfbce54abb73b7e5ac4a3d29d3e09a49af5d40e5fa7f51b8b8dde7eff153085e

SHA512
5bc19fd02da51ac1c227e7be99991701c1cafbbd47ccc81b65a204baf6c72331824d9702f5c842f2c50a8a33eba29bc53493ad9172515248f002e06f9557f224

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1b81fc980a9836577917e70c563a6f4

SHA1
b678cdb3a5472052aa819b2ee7fb93963791a3d5

SHA256
60571d1be6e4960ff23600ff0037442454ddd4da7089221a351caa3197d8556f

SHA512
7d7b308ff160a062cae808f5c783f30b3c8d8b12e4f424803329524077c9e7c197fa5343cbfb2456522791ef9813b947ea2034fef7499dfbe1dd2c05486ca5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4a46c81346e800eb9a4d2ac1f9c5e9b

SHA1
a86fe20b6d8acc277477a98067e7f7174b2c8299

SHA256
398cd60abba764365761498a6126db224a19976766ec1a78ce9255ebbcd5df09

SHA512
f5531f73fbab529798adb5d04df7c26b840390c31845dd96ad487ef2be5fb225f5ac0e10ca80bf7a5d86e4d99839719d9c88ceeba85042a9ad7485874cd5030d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a69f4be5364f8622c16c3307dd826be3

SHA1
d9bf63d22cb86326b0f4bed8082fbd4ce75a3888

SHA256
691d2893be8fdf5dae60b5233d0c077e71345b4752650c68ee72c671a6f32eae

SHA512
cb92f94ece149cd4e5ede46c89fd0f7801b1c862b8f3b587e5ca0838aae66f67ec6d241f38d11014fd46a921cf99960325e4ebfccb6d49d18ae6a11e07568a89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14febb044458a7a9b9ccf99008f49d22

SHA1
75be3ba55598e3aabcf34d68ea0fac1fa9bda109

SHA256
e88dfb88c61db345fd308530a04e1cbb10731cbebcbde3651b0608ea3f664958

SHA512
9e39b9d30735e3802286180efaa316bdbf55872ebf930d0097107860f1ae5a5bbec3916beef2bad46ac2f9289e5447ac707b2d5e516a8a91dd3b43e7ce086d64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea5576f3254da33da66fb66f7495558f

SHA1
a119c18abe6149d6329a405d026445861e4d55cb

SHA256
86d7e76c766bafd4e4f872cd37cee14ee929e07c9b037955399020f9c3b037b2

SHA512
e7d58f517f118dec1de3c432c98f972490e619fc6798e1dc7150370cb823abc99ce27488dce58e319bf0eab8932ac67b59fc3c1a5bdb08590651b5bf7b7533e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9ded551f901479efc8ef0758917e6cf

SHA1
5e37a077a412e33664a553c26db482336e655353

SHA256
9de8cd5e948994e18266b655cc79aff2c77f31424022c4e56f5e963a3d572728

SHA512
18f09b65cf9af48f25f2420836c8d268cbe4b238f8d562a37d0bd6626daf69b0833dba2356c3b1a46c0129f7d3f783ae9e33a07bf31bd12ed3e5253cdb0f3a24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8fc0f13a7c8f4c39c7e8b33662a1524

SHA1
6ad44a9f8c90dbe157fd3478a71f074367d9dec6

SHA256
42a85d545f656c2f23ccf7f97c038541ab3c12894b2f43db9a697a669e8edfb4

SHA512
81064df050e0fc811ce951a6d782d3eb7295ec5696939fba48d661c59df8a87cf25ed246ff9aabb213a93dff9785481026dff7fae3dd66ab6cf31713b47de248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ad1da8cb9c32adba434a32786d252cc

SHA1
dfda26e615ed3cf32a65aec71b412b0c0adf3a99

SHA256
07016fac0381658a900704fc5f8718f0e1b932c3990dc676653a5628485f64ea

SHA512
85acf79d433ebaf0f6056fbaa9aae84f68b9ed2c39d837c136900d4b21de230aa45483a2c42f84a971d90996f7c8017bef087e4839c107c567575cdb604e1528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35bdbbecd664483ca6e9f5f1e7c8ac13

SHA1
9e362fcf52fbab22ee1d91a06baaba652fb4237e

SHA256
340a1b6322e90b268624eac44c677edcadd2ec5359e99afce7460290722f573a

SHA512
c82fc18bcad5ab57eadf76fcca70b31dfc326e3da5e87feff0d5e957064c455a87fb0900d713b19b2c24e581a1a665d647256a0a56144150e9fa50d1c5f6ea57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f8ba6ddfb4c1da15c5cf393a0677e5d

SHA1
4007d90fc6bfd4bd15ed2830a850f67ef838c2eb

SHA256
be345b45d1a72eaef3395035de1f366b4fc87426b8d4dd1c046483d86dacb0b7

SHA512
7c64487ee8985c09e0a1ba563567e1bbbfa231856fb3b581fa187a827a12e92ddc39b423d325f8a73107acf151906a4c5db7b1e185d7649ebcf8afd2e37f87d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c97a78ab1709cc8ef23ebf84a3ea058

SHA1
8f69129b36d5f55e233ba8da20cb3a9b0e924c4f

SHA256
d0e395678dbb5e3eec07d2ee7b1d527cfd26c3fbbcd8202e045b2c948167a226

SHA512
71a36cb71d9b1fa5875b009e1ddf2ea01d8bd3c0799d2c53ee833ae3d0b3f0deba8156fbf6667d77ede97e6618c88870a27723343476e2f3ecb20b7bc7105843

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
592f3b00301e5be2be978e8d52e30692

SHA1
eda0058b84900c7a140d9b764b98aeb1f68c799b

SHA256
437bf5b73c889c72bd8303ef74e29ea4b086484bd0866964ceea6685536f9883

SHA512
e708f6d27365f73e3f4672c76431742d9e7ae798e90645d725d90a78854800622916543fac3a970ecf7231da21359a35aec9a1e4417e45a0ad51f88748406099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f64684eaa231bd42918d919a80b731af

SHA1
c1e1042d05942a3ddb2c93c145258c6f9761ea3b

SHA256
899752e7b7026aa4713cf766a48870d5dbd7231bedea65142aca713f3dcefb88

SHA512
1f2a632f38d73ea9ebb8be2763496aeb5dd622e4ff51167f79f762cabb31570c895187a567b79cfc60562b87fb6c739ef01320b60e4a2be6e94e8010581ea321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b369ef0deea1408aea97b98ea8c5fad

SHA1
574a27a75b00fb749a8ae47adaab5911a9bfa3eb

SHA256
cd48e6eb67bb20da602edf6a2eced51620a3f63f558a181a6a164a494a8d158c

SHA512
4ff03feba9ed705ed4de1833ce652506e4091db1714ae225e90198ebb9cee3ec7d0c246bc46d27123bfae889297e7da9f6d79dcc06798e656951e182e593292a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a291d8de53fe2d2c9981dcac6c6ffca

SHA1
2527d22122518b8e9932546f2e163f2af473097b

SHA256
1226b31a6dea2054d5f8f6a0bb1cf96f03a769a49a7157429d437df8b18fb22e

SHA512
d49b75e309ee2c0ff2920c43cffc7845a685aae489de510e63804fb9b551b3168945254f643e5f602902fe95478820f46c005ccf2c6705c62e58c742fbe20d83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eec91d18509d45d2d304dfed21ec5a4f

SHA1
913f902ceac1705cabff4048425aa1278348c307

SHA256
fcd90c78e314c2751fe23c02b2bf72357263b825da327dbd7b7978b0790f5fd4

SHA512
030332015f40c5f605e2a93ea295ce2ed3e2b39dfc7d0f768d1d00adfd32d67158805414df0ce7a148b28cd9988a997a7cf9c68dfe814c6a875f6573e56e8e30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a736e448fc4c803122c50b003a18024

SHA1
aec56069133b66d9031516d97f9c80d7938ae6e1

SHA256
edc7a154946cb6b93dc707e37fc72aa02d25637ca81e67236b9eed4fe4a81209

SHA512
72e5572ee9d283b980bee1c9d5601f9e2f4de18968275e774c03c84a05b9c21da72fdc08806a8e6682c02fa278afa18a3d92d69eb2734275b4cc63301b0764c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c7d6db8d6c01aa59cf3aa0d132409ae

SHA1
e3469b3b00255558553222c746f314590fc4c886

SHA256
dfa44247b1bc0b41db2cb3802a4631e503235abb86a8b77c0d123166c1157216

SHA512
1b218600acb8d3d0da947b4a40373094059ef315eefe52d54d19cd230573f8aa1270e667c8a94caa676a42be0cf237c45297922c4bb1abe539ec105cbd79b830

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e304f8c48ef0e1f2f1bc034edda5203d

SHA1
3686bb8729e347c7c6d0d3b0c945016dc137427f

SHA256
9c8c18def939ef75f19542dfe73ad7f29cd7b28ad200bc539c7aacf7ded33357

SHA512
9762e76cfd26d98e9fb4ba6246eb37ed2bfbedc0802d1d04267d9fb489ce7fbb09d02632d28c71324a478eb8ce35b7d47c46118a9df31bb0dac7643564948a31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6ce1fab405cefe195946ef93bbeb105

SHA1
07e8fe72ea9bb4bfdf34e45d4e2912498228b05f

SHA256
f6029cbd1f7d63ac9de93857c25aa3b40f7b3054726d662ca2a7826aef63e0dd

SHA512
32131c0765b10a411caad8a9cae2e5a090c2f004135907fa287075639d38af53eedf4c0fce5b400331ebf8c7a909f0d26be53a3b30d07ecafb0cbb5230bfbda6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe45be6885e243b21a16f9715a503671

SHA1
3bddab6c045bdcbedd59df7e2be15846ca6e8365

SHA256
759b740322a19f12722d44aca4648e8e8ed56bdf24a992c8f61d4a07b5579e09

SHA512
00d2720295aa29a6cabf31a3c91a0066becfbb97c76b7a92d6c0cf2e2073c3e21e0830f57a4633d587799a2b79164cdae3a6819bbd1961ab516bfdab15a1dd95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\515D10ZI\www.google[1].xml

Filesize
98B

MD5
666c445b980f4f0867f14eb275d917be

SHA1
c0ddf0d37bde54f3fa5a34c44b7b5132c1366480

SHA256
d05d6143ea1828c96517d5af2fd8b3703a2e7eafcc6da5911324c6eaf3d78e56

SHA512
b777f178bec313b86b570e1ac501c5aee5522594e1759543646bc3b1a13ea8feb83088238784aefcd248c9ddaaaded293dc7b44ad55ca4e49d3a9cc202bd39ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lutsxto\imagestore.dat

Filesize
5KB

MD5
dacaa76b4cb946cbd8ad6bfd127d5982

SHA1
f4329d429ba1b220c721a87ee35100c548caaaaa

SHA256
51e5c4a2af48d122cddeba86447367864c5a883a3b65f64e563152edb62f9645

SHA512
fad23803d756665e74c653e893dd85ff5240bb1016e3bd04b4d97df6d33973d4d90d14dbf630be4c9082017153f5bf989dfddc51de3fdb58ee3a2a7a3736e9ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\-HiUwdQxDKLzt71CPYD-hKnPnujfGhcYgWkgX6BRpVU[1].js

Filesize
24KB

MD5
242324a437f1e8dfa268b1be80e57fdc

SHA1
2198c8b982542d263d2df13efc9e476563b5874f

SHA256
f87894c1d4310ca2f3b7bd423d80fe84a9cf9ee8df1a17188169205fa051a555

SHA512
74d8caa815fbae1b8510c883da00cec7f43fed56890c50eb24e44d281e31d9579b592553be87d2ce8ccb04cb2e3f78eaa8889068762fa36b1143b85cb21f3410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\api[1].js

Filesize
870B

MD5
db3f5a748364d84b2b5f75e3d4e851d0

SHA1
17b34ff20d429abee726b4b74530e5af2819f7bc

SHA256
343ed5ecd144d781de67aa8638b1ca4fce5772faedbb72720daacb250884f4e1

SHA512
3ee552fff8e93097120367c7f5f6aed88145150d706349542e8800e65722f4e6507bc0802e41a305cda56aaf4bcd40c036ad7a4d2aabea9dc70f908bf400dd90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQU8S4LJ\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQU8S4LJ\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQU8S4LJ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQU8S4LJ\webworker[1].js

Filesize
102B

MD5
ad5e6a567d064cba36f2a56caab2d866

SHA1
a3b46ea0ca5df5a6b6ab6bb228cf805065523cd1

SHA256
e70942d2b905910af2538c685c2223c25e5068bfbccb9742cfa5ffa48150d291

SHA512
ba45b3d74c0d2e0ac22bc97bacb6df549d7a4eae8d64050af41167376926f4379ccb6be84a666ba615caa7c5ee6838f98020c530f5c2ce51f71dad369d130681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTZJPBOG\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTZJPBOG\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTZJPBOG\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTZJPBOG\recaptcha__en[1].js

Filesize
537KB

MD5
c7be68088b0a823f1a4c1f77c702d1b4

SHA1
05d42d754afd21681c0e815799b88fbe1fbabf4e

SHA256
4943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3

SHA512
cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8826.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8816.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF421A984DF03241D7.TMP

Filesize
16KB

MD5
bdd9803d5ed64de9f02e2072a95e5026

SHA1
ec74b54457e12bfd849283f6d692e9fe8a537334

SHA256
6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603

SHA512
a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9HSEI8D9.txt

Filesize
403B

MD5
d1668a6fa8a0b0f0194a3a6aa43c543a

SHA1
d2c9f5973fabcd5e5224aee6c90c3501f089b418

SHA256
7fad0331c287a63ba064c5299fc81324ba1b8863b24e12ec5b0208e28516aab2

SHA512
ba8d91c84fb09352ac51ba5f388432b0c7d91b1227d011d29ff69bdf8e026fef744449ddce575e1e7bcb641bb8cc6acc54a7b85d244a0ca76217a49dfdfce506

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2636-150-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2900-1261-0x000007FEF7920000-0x000007FEF795A000-memory.dmp

Filesize
232KB

Download
memory/2900-1213-0x000007FEF7920000-0x000007FEF795A000-memory.dmp

Filesize
232KB

Download
memory/2900-1443-0x000007FEF7A40000-0x000007FEF7A7A000-memory.dmp

Filesize
232KB

Download
memory/4832-1444-0x000007FEF7920000-0x000007FEF795A000-memory.dmp

Filesize
232KB

Download