734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
233s
max time network
232s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MEMZ.exeIEXPLORE.EXEregedit.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.execontrol.exewordpad.exeMEMZ.exeIEXPLORE.EXEDllHost.exeregedit.exeIEXPLORE.EXEIEXPLORE.EXEnotepad.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "340"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b08d25fbbc07db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "99"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28A85EC1-73B0-11EF-ACDF-5EE01BAFE073} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "99"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "99"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000f3ec5831a0a1125c23aeed4f345a857a6e96c43b2bd599e213f0c03f207c495b000000000e800000000200002000000093bf4e94d6e4a3f7ac38c843ae87241f56a68508c335886a2a1bdde2cb09fc7120000000bbc9acf01499e0327b6450928865cd1315bcd02af8ed74fff3b60edc2495f91d4000000062d638a3631aa4359128242e44514101bfb59edfffdfdcb76845d989ee8722e4e00edd1e8ba51ea164bd9b230288f9e287c0645cde93cbcbc91573a019ab0570	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "340"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000fd5aaba8ffce76b0017235f10d2fcf099a9bf14991ab80e62d0245c1ed8bfb14000000000e8000000002000020000000814d2ec4134a1cd7a8c5441b2a8c6d222bdd1bc4907219df26e7ff5db4e41f45900000005d820bdb5d4aab6dd9f20e9d91708e593462b73b3ff877f8e27a5ed54d81e4a37462674f032c4165dfe844954e444d165642bd6344047bf9f0d2388e17a7b38524988b6d4a770fcf98a70e491477aec01030750c7a4f17156f869dc599d4980c81c1c89b13c27b321dc537289ce883e088774780fbd64c1f88c66f78fd72c50525c1337d34542132efd22422deea6fe1400000005408077afc621083dbc1894245191c0944394eb3dfd404ac59054465f3c16a140a22f0315ced4961df73670d2e0e27a46fc1246c9d2755a3f1e9676d06291eaf	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "60"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "60"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "340"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Runs regedit.exe 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1276 regedit.exe
2380 regedit.exe

pid	process
1276	regedit.exe
2380	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2220	MEMZ.exe
2672	MEMZ.exe
2752	MEMZ.exe
2748	MEMZ.exe
2732	MEMZ.exe
2672	MEMZ.exe
2220	MEMZ.exe
2748	MEMZ.exe
2752	MEMZ.exe
2732	MEMZ.exe
2752	MEMZ.exe
2220	MEMZ.exe
2732	MEMZ.exe
2672	MEMZ.exe
2748	MEMZ.exe
2752	MEMZ.exe
2220	MEMZ.exe
2672	MEMZ.exe
2732	MEMZ.exe
2748	MEMZ.exe
2752	MEMZ.exe
2672	MEMZ.exe
2732	MEMZ.exe
2748	MEMZ.exe
2220	MEMZ.exe
2752	MEMZ.exe
2732	MEMZ.exe
2672	MEMZ.exe
2220	MEMZ.exe
2748	MEMZ.exe
2732	MEMZ.exe
2220	MEMZ.exe
2752	MEMZ.exe
2672	MEMZ.exe
2748	MEMZ.exe
2752	MEMZ.exe
2732	MEMZ.exe
2220	MEMZ.exe
2748	MEMZ.exe
2672	MEMZ.exe
2752	MEMZ.exe
2672	MEMZ.exe
2748	MEMZ.exe
2220	MEMZ.exe
2732	MEMZ.exe
2752	MEMZ.exe
2220	MEMZ.exe
2672	MEMZ.exe
2732	MEMZ.exe
2748	MEMZ.exe
2220	MEMZ.exe
2732	MEMZ.exe
2672	MEMZ.exe
2752	MEMZ.exe
2748	MEMZ.exe
2672	MEMZ.exe
2220	MEMZ.exe
2748	MEMZ.exe
2732	MEMZ.exe
2752	MEMZ.exe
2220	MEMZ.exe
2672	MEMZ.exe
2732	MEMZ.exe
2752	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

IEXPLORE.EXEregedit.exeMEMZ.exe

pid process

2600 IEXPLORE.EXE
1276 regedit.exe
2752 MEMZ.exe

pid	process
2600	IEXPLORE.EXE
1276	regedit.exe
2752	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEMEMZ.exeMEMZ.exe

description	pid	process
Token: 33	2728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2728	AUDIODG.EXE
Token: 33	2728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2728	AUDIODG.EXE
Token: SeShutdownPrivilege	2732	MEMZ.exe
Token: SeShutdownPrivilege	2220	MEMZ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2712 iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEMEMZ.exeIEXPLORE.EXEwordpad.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2712	iexplore.exe
2712	iexplore.exe
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
2696	MEMZ.exe
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2696	MEMZ.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2464	wordpad.exe
2464	wordpad.exe
2464	wordpad.exe
2464	wordpad.exe
2464	wordpad.exe
2696	MEMZ.exe
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2752	MEMZ.exe
2752	MEMZ.exe
2672	MEMZ.exe
2748	MEMZ.exe
2220	MEMZ.exe
2732	MEMZ.exe
2220	MEMZ.exe
2732	MEMZ.exe
2752	MEMZ.exe
2752	MEMZ.exe
2672	MEMZ.exe
2748	MEMZ.exe
2732	MEMZ.exe
2220	MEMZ.exe
2752	MEMZ.exe
2672	MEMZ.exe
2748	MEMZ.exe
2752	MEMZ.exe
2220	MEMZ.exe
2732	MEMZ.exe
2752	MEMZ.exe
2752	MEMZ.exe
2672	MEMZ.exe
2748	MEMZ.exe
2732	MEMZ.exe
2220	MEMZ.exe
2752	MEMZ.exe
2752	MEMZ.exe
2672	MEMZ.exe
2748	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 2288 wrote to memory of 2220	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2220	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2220	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2220	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2672	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2672	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2672	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2672	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2732	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2732	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2732	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2732	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2748	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2748	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2748	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2748	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2752	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2752	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2752	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2752	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2696	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2696	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2696	2288	MEMZ.exe	MEMZ.exe
PID 2288 wrote to memory of 2696	2288	MEMZ.exe	MEMZ.exe
PID 2696 wrote to memory of 2840	2696	MEMZ.exe	notepad.exe
PID 2696 wrote to memory of 2840	2696	MEMZ.exe	notepad.exe
PID 2696 wrote to memory of 2840	2696	MEMZ.exe	notepad.exe
PID 2696 wrote to memory of 2840	2696	MEMZ.exe	notepad.exe
PID 2696 wrote to memory of 2712	2696	MEMZ.exe	iexplore.exe
PID 2696 wrote to memory of 2712	2696	MEMZ.exe	iexplore.exe
PID 2696 wrote to memory of 2712	2696	MEMZ.exe	iexplore.exe
PID 2696 wrote to memory of 2712	2696	MEMZ.exe	iexplore.exe
PID 2712 wrote to memory of 2600	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2600	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2600	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2600	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2384	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2384	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2384	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2384	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2788	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2788	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2788	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2788	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2800	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2800	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2800	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2800	2712	iexplore.exe	IEXPLORE.EXE
PID 2696 wrote to memory of 1276	2696	MEMZ.exe	regedit.exe
PID 2696 wrote to memory of 1276	2696	MEMZ.exe	regedit.exe
PID 2696 wrote to memory of 1276	2696	MEMZ.exe	regedit.exe
PID 2696 wrote to memory of 1276	2696	MEMZ.exe	regedit.exe
PID 2712 wrote to memory of 2212	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2212	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2212	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 2212	2712	iexplore.exe	IEXPLORE.EXE
PID 2696 wrote to memory of 1952	2696	MEMZ.exe	control.exe
PID 2696 wrote to memory of 1952	2696	MEMZ.exe	control.exe
PID 2696 wrote to memory of 1952	2696	MEMZ.exe	control.exe
PID 2696 wrote to memory of 1952	2696	MEMZ.exe	control.exe
PID 2696 wrote to memory of 2380	2696	MEMZ.exe	regedit.exe
PID 2696 wrote to memory of 2380	2696	MEMZ.exe	regedit.exe
PID 2696 wrote to memory of 2380	2696	MEMZ.exe	regedit.exe
PID 2696 wrote to memory of 2380	2696	MEMZ.exe	regedit.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2600
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:734221 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2384
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275486 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2788
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:603178 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2800
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:1520664 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2212
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:1979428 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2572
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1276
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    PID:2380
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2464
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1df4559dc042f51453d31bbd6d406cac

SHA1
defff321b0e39935b0281192bc732a47edc22d84

SHA256
2e5e6363cb570b2bdfef7476d83333ea9e7699f5418fb102d5ffa795f0536d9d

SHA512
c4a96d6fa0d96e706e89a571ad916c8995cb045bc3d30ac8f83b57c95bc1ee59e983ca42534b24f02ad862959826df6b5aac6f4a1288f5a3fb0eaf873f13f731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
471B

MD5
cea7f7436b62d1aa1808fbf42c7614e8

SHA1
d8530285ce4e6fd1ca352a617263fe26d46d383a

SHA256
dfddd19826ded2ca69f63200f442f8f4dcf9b5ec1dd78e15d74d015c651ba190

SHA512
3c679f47869a4e78c2b7a5a5ac20ce4ae922e4231f2cee533cf44d25e1ee45e848a3fd55d8e4c3d98bbe357ea2b9825dcbab55d9b71d5472d29b9e77aa86fda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
472B

MD5
57fabf8ce960f6516a99cb1065e0f1b5

SHA1
0f06fda5952c1e047f2fdd06a941cde444e7fd1b

SHA256
287c0da810f4506a1fca9807d8457c52631b4f723f272412631a59fdda36d179

SHA512
df597f53035b5dc18aaefbe0fb232e9e2770343319e716a32d416d27be2b4d77e4671786d0e6711549440dda3e68fb122e61c42fc781238cb158d0c4d1546cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
1079d29a4d62b0b959d7e02b5c1977a2

SHA1
e498cb6d3e13dae55bad80b97d7a89950752c39e

SHA256
97927961d81c29655e2d0759d309088f06ddab022a18d337b724815534927743

SHA512
887e396e14551f68099caa8b68984ea9d48ce3e807191bd21ee9b020545b82fcbd2fe6ba5c5c167d4e9ca1f0a90c18375f6a3b15fff6f08730a77b88ad0f4d99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f6cbd61371851ad31deb3591120c77c3

SHA1
c4e31565b1282dab6af0b8ad31089f0f4a777548

SHA256
0dbe6c20254e2bd1b5285dc9b8af663a1deda5b5677552534396b10cbac6dfe2

SHA512
f2949eaac54e3778d765fc19df098a9c81748c3b5eaa968e9260c5c6b9d138f4539244de04b0eae1e2459a542ec1197a42233ca4a6bacf4232a5fb09c10c9dee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
406B

MD5
1dd19dcb23f12e9a0624e51964375aec

SHA1
bf5b40259048cacbab29f0f62248f7b5b0045b6f

SHA256
eb4d58b28194f45cd21eecae5547ba9e75fa0b7ccd7f1a713c9016ad2a85f91a

SHA512
63f378b3302bc4896c667f4f74b9a393157283a0c917d0b53174ffb87e5b4787af82a68c304492e60ff0796f8aad1951355699a0a18d8dafe81c21a80af92ee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
398B

MD5
876288aebb093d83d662a149bae3dd53

SHA1
6fa1c4d15b592621c9a80c7bdfa51e66629f97b5

SHA256
1ac1a18c843acf54a8a74a43ad0b1f775668a722175191ddfd18a04ee72e249f

SHA512
ffa1f8deb39cb67e63e5235bd0a9595d73830c9bc7ec287de0a078db15b768ac752af59257ca2c63712a965b547289833376bb3e9bc782336aa5a464831a2b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd85e1163e6f0df7066f05884b686898

SHA1
02ec67d00299e41ee0c8088bb8497468d70ad23c

SHA256
13e59d3c536f84c0849012dc9bdf3b3f0fb99cde0d4641fe488ff1b60ca89ae1

SHA512
53c064b1e6a16cb10d78be52ab982c2ba2675d789e5174b2c48f7636c2c437c271c9f449083bef32e14ad13654e1ede1f0ead96e32055e72a0925a12ea9ab2a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
899ac3274e15185a260877abf0f5e602

SHA1
e2524b327046019f02cf218844e084f82b204ccb

SHA256
a43b7de0f73c0a9ac8cd932a67974d2fe5034be6c5c1f7b8066868f9a066e897

SHA512
8156482a25a0f3487f4fd2348dc2bbfd1adb2ab8ee1112c87caf7f732c08e9c480cced58ea8ab205e4daf32858ba7ae6f06b8f996688665b813296203b78ec29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b4cc61e3f020460b9da5fa97e2c37f

SHA1
8dba0540bca3a8dbfcb00a66d6f478db6efa618c

SHA256
b240d39a44cde1ebda136ac9878b346c3eb6bc062e6b02812c822ff48adf963b

SHA512
c63f7007fee2d0183f484a227f19275139575adde2eaebc5c8172f3cbe9fd0fae305a5c79c58b6519e745b88d9f57fc5da4950418ee365e17ef1d79dfa55dcab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2f43f09fee1a29e5657b80806bb7aac

SHA1
f701d83fdebb861378711c256395550ca90488dc

SHA256
b92595b34cf6ce83c2aa09763309b815afd11e7ed22d543b32ddc6b7e37d3b6e

SHA512
7dc98353b875b9cb7a4a0f0f8cd9b224bf8ff3d53556aeb4b9471226dcc9ffe0abd44881417b1a9fe08fc054081b3ceab3be5fb8c9b5005039f82daf3bbd8e68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
505d897ebc57c91a43a3b179cadff530

SHA1
35ecba1c68cbd55a700aa19f0bab4b793e71dba0

SHA256
e08e12cff280bcbf27515c68157ec93461d9631463769d107882ebb9370b4e36

SHA512
f7b56d96c3c160964c4b08d2775fc82bf845415376263815e89e2a637ee3023d5fdbca362e51411dafd2a5d9442eb3eb2f37749e0afdb671813a9d4238532b6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62782793421b74e2b500946953cae720

SHA1
7635c81700510260d3d9d2220e82a5b2e19bebf7

SHA256
68c2f7eadcdcedbaff1e0c7516036dd0f679f7f186ae509108163cb4d4a84855

SHA512
d5e0a27d0b5a3bc9d7fd440ebb40ea2937648814d2a1a3f40fd81914f0a78617d2381c68ba208001e24b9acfe32f91acadaa63280912777c6324479d943226a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de6194ba81df3b1a0b063f98100e83d7

SHA1
f471251bb695e7976f9d37558351286555a78546

SHA256
fb506eb9cde938851ea7218ecea1503631960543e56ebb4acd466c6e17de95e9

SHA512
15a89824ff6a2d16d3e5747d64ba8cb7420bce2e40339d802663922c3d018418d45a75ad9afb95579732b1af2d76dff640660a1b494989243f461ba9835443ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71566b2f95dfea1f240cbe17fce91e67

SHA1
47e58f24b523e3c95eee970c6fff839d3b15a5ad

SHA256
39f7912ec6c428d1edf242daf459e48034b3479f5948c3a29adfa38e4442f21a

SHA512
edd1bd82ad91744c996a4f0a5984c794ffeb13c3b406b3f0f5fd799306221b7d8857299ef3fa6bb6e281a5a36e395b116b153cf1258cc80fed8a272bb50f8929

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ea1d3b532cbec11eda7a7fff7fc8ded

SHA1
888f8dad2b5121195442694ed550e6689cb487cc

SHA256
1fab6b8d41720494ac190bdfc5c2fccbc76681c2dc2b0968e5d56b2c19a2ce2c

SHA512
ec8c4b91cdda4216ec0cbd1053ea4824587ac3557f0785e5c0e6664a9f2f7989647fafe9d2535d930bef8744b3082d07c5f99a67b46c29fe63317d2025342c97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa93b3561a7d42d306646a3d33e6ee99

SHA1
6df7c5f26ea4ff2e12d1c9995f5d9e3bdcd71396

SHA256
4aa3306d889daac6fe82c81081d8a3373ef79fa5d38ee013b1fc160a2b384eb2

SHA512
f3f547067e76e8f17ed435c9a775363e3a2a8683878fe5222aa17f1fe451b744bec917c4ac55e6ab33978784724646abe993ed2962a48217ad600fafa06e154b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2a68c04660a4fa1278b19642766d76a

SHA1
f7986a8f42ac81c03b742587246bdabe764b6fd8

SHA256
a532a1dff69a7d0d91e3c0ec5bb074b0ed06509a21506fd1564bd4484855a587

SHA512
e043cbf85a69ce32c6a21034ca04b789a4d0914df1e80b5edb45d396f0a4c31bac42f390f54406ce735c4ec5f71e9b57c37b4327e301712fe129c7ce9d872076

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
194f3b9e3d98e4e4a5b6dd610ec4710a

SHA1
a1262c670e796d1fdc03e6ec37a808eebdc6d841

SHA256
69f9af468df798b45f96cda7409baf723c3033754144ad9c1a754581c6af33d4

SHA512
b70e06862f52db2711d7eea1ea974c513c5f8cda31fcbce5fcf60319eb17969dbfc540cbb95df6244dc5c3c5c25bd12abef714b8c0a09e05d368a6fe64187694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afa482725fa20e5308294b60d681b02a

SHA1
6739407119a4bdb7161e30595fc2ec60d7774127

SHA256
50cb9304a9110353674d25c843e8f5eed0f98620d11cbf41e2cd6d91d7ec405c

SHA512
0fd2735dade21a15de10d37f1f8eb12ed5a505776ad656d19ce8865cddf0b3cd2eb3555131dd3669b59536f4ba4cc673a4af88954c869923ee6f3bdfb271f3fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4672d4a9d72a7779a76bbc7e9a840dd6

SHA1
a779be9135f0f7393f3652b39c5eae5dc4b68781

SHA256
fe115e304befd3333d42229103bbc5314c27e229dd3d7b4838fe4efa4a5a8255

SHA512
1704d2e5ebbd661adb3a6a87edaf8bf0de0c02bd8c924c7c14f24c4c61d94b06c0dc0163e001d75acd9cd648df9c7cc337fecc0c0af610550c1f8c8f031c6dc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae0e322f3288cb896ee7d7264244dea0

SHA1
efeddf1c67c9f90649bfa3ed479f3fe208feff14

SHA256
33204c0fddfa65186d149f4ee2f962175926d0a8632a51b23fbfb658e8fe97b6

SHA512
fbd94774f3c139993aa2ca4116f42c34b22f15d38ab741c79e033709ce61de4ff1b2ed2163c20021390f3635c5517f023b76b64bbf24f769941ecd2230826417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c3ee9269e29f93c91e25966256ae99e

SHA1
468d3e7e111438da7b6a119d4fd9f742983f0eb4

SHA256
e864a02fd04bea388b70c2370335df83aaf8d7845e7f66e8181be457cd37946b

SHA512
b2b0efb9c91b7835a506f7c4412f7a5482bfa796b733eb2a6900ea12926be228e3bd05d82855ed429fadd4dd4bf0eb15d7dcb6ae1999be287310b1015e0c5718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8527b8c47fe8a6d63c5b0bd5dbcffd8d

SHA1
fcb9efb3f1fa3bc04a047ee83f6113f60e0c0f47

SHA256
d948b1909a9fa1c3558765385fbf21e0ec0bcbd4dc4539d332660a4440b5c4ac

SHA512
bf24c164f3f22fd930a9f76345ac8b9e76dda76251fefcb5e30aa928f06ad9a9effc3824c5b3869c1a6f5e0f662ad7ee85d70b8bf6f8209a80cc38bfe685fa49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e225130080641fe8a5b4fdd0f5f725a

SHA1
222bba5954f596516008941f8d0dfb95818f13b8

SHA256
3a1d22bf38f9f1443a2c8f41199c644dc3250d8dea5fadc82f89567b9fd6f271

SHA512
aef5ad54b2d4cb0d76786d1297b5cd5b5478eccac0622afd896e048f8e4b09df264e0658c8115915086771b80be7178227ef9c978469c2445a16b96da8c650bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fab75d8b22c8b47a436b07b5de59241d

SHA1
92453303a2bb0540790e14978b9ef22a45418306

SHA256
022ddfc785d1ef9c874b6ac4aae1816d617b63b08d66e77d5170a128c53320be

SHA512
67035235ab0d4807eb9e73e849be9ba74b3ebced39511b5babd92aaa210aa69ec7d232552fa201207d86ce5e96c534ce151e5a2181909e10a7a27dbe3d4be00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60efe0784de4ae147fd4156803877304

SHA1
e2e9035ed12a03c641db5728552477d5a9f5b6bd

SHA256
e981289361f492c5d7ea88a67fdedd253c05e968af74a81f5677b87aadadcc1b

SHA512
796bac73c81f2b661a005672edbfa20f13cd3de362fba1d56b70a7a568db6132381ea26ff13852f32971cbc1db6639d1e0046ae7e5f5b0df1225d61142e36006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c0178d0ac23d3cf7ea4a87bdeae65bb

SHA1
90b771bc0a0771477689fc5ad2d06fe7320464be

SHA256
37a5d9052cc44f07c875f64ed872c61ab5d8ec9ce75071e7b6166a30abee3439

SHA512
502bf403693df0df08d5184c02f8940e8748c93bba7572362541049a9b0e2185f9cf66c603d8fed13c77c562c4a08eeae851445bac26e2e5e8278cd859a6553f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b97a3b9df6a072458d993513598c1608

SHA1
af4987451b3f26b7b8daa6e69b9c89fbee88bc0d

SHA256
0d66e6fd89d6a8ea3db3d66e0a1358dc1d8db462ea12d89f30012ec1f5fd54d3

SHA512
6f17350560829e55ec3caf36b5fab271a614d5073a16f51bcbee96616e667d1dab72dddd9cd88f1bba67e964e085175be6636a466ca23342b484dedf0e999208

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
209fe534092cf4e34616af7a2da943ab

SHA1
8b5cd2daab8c949e0385cffbd8bf3312db4c5478

SHA256
25b1d367cb40e7e15b036ae654f0713756d444dadc251ad58e46f4cbf040d07b

SHA512
175a35ed723b9a8ff571aa2e155fa1b140e6a101d4aa1cd25e39d9f580cc1d7d166820dca8310da8801ab2e36c86937633f80dfc8a11bae98f63eb7ac7be2da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\9GB16XXW\www.google[1].xml

Filesize
536B

MD5
56aeb85762b9558e9725733e3783b75e

SHA1
a9c4188069977ce67e9ac6d2563ed7f8dba46da2

SHA256
581b3598e1fc8494e98a824fdf7b599759857df007f4716201d52c3be0e81f2f

SHA512
1cf7f14fa609275da6001e07e87ceffb30d9d1807292165c0b781640141ace598b974f2bf1ed05c3846dd75fcc52fbb70be91856efcaffa4a90828b7cf60f3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\9GB16XXW\www.google[1].xml

Filesize
234B

MD5
c2bbf36609f077928463a0bff3fa3eff

SHA1
f0165a327d7080d8b4e8763fd0b84b21a155e20d

SHA256
525e4a95a5aee8328c23c8d5835d2e2cf3a41d4e237509ff791e61686b6a7559

SHA512
9983288c69a05274f5ebeb7092af8ffbe859e8381f5f10f4e327afd187e2a1adde582468204637afe63897bccebc0e29df3c2c9b17affd2b2147c7a381a9f71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\9GB16XXW\www.google[1].xml

Filesize
95B

MD5
18d16b12d8c06ef80b20e13ad6aedf60

SHA1
f605442e29e30d37e2750bf140d25e381c813d4a

SHA256
e49ba4e09c965cca02e6a58448cea6ecec0d1f59668af09247fea7fbf1b95c74

SHA512
9c95d68a8cf7cdc1ffbb36474baa18cdd9330839fb026cce8276b0aee143b50589eccbc7b8652b872ffea8a4b3aec2b32bc1bcc42049936b391400e2c095cc41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
5KB

MD5
07b868cd94e28e123ddab89f3006fdc6

SHA1
1e89c79aee418aa7054b069a0a7e3d0d5f50fcd6

SHA256
3392378d94d9d54baa75d74935d117efc84f4b0035fe87a5ddd9a5876382c16d

SHA512
14e30c42a7ceedf10b4320ea609c51e3c294e9818dadc10bbd5d4b03acadadee8eaf177a08fc22c6ef683893e412a831874e4241cf23e2273b2c18154a9934d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\-HiUwdQxDKLzt71CPYD-hKnPnujfGhcYgWkgX6BRpVU[1].js

Filesize
24KB

MD5
242324a437f1e8dfa268b1be80e57fdc

SHA1
2198c8b982542d263d2df13efc9e476563b5874f

SHA256
f87894c1d4310ca2f3b7bd423d80fe84a9cf9ee8df1a17188169205fa051a555

SHA512
74d8caa815fbae1b8510c883da00cec7f43fed56890c50eb24e44d281e31d9579b592553be87d2ce8ccb04cb2e3f78eaa8889068762fa36b1143b85cb21f3410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\api[1].js

Filesize
870B

MD5
db3f5a748364d84b2b5f75e3d4e851d0

SHA1
17b34ff20d429abee726b4b74530e5af2819f7bc

SHA256
343ed5ecd144d781de67aa8638b1ca4fce5772faedbb72720daacb250884f4e1

SHA512
3ee552fff8e93097120367c7f5f6aed88145150d706349542e8800e65722f4e6507bc0802e41a305cda56aaf4bcd40c036ad7a4d2aabea9dc70f908bf400dd90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\recaptcha__en[1].js

Filesize
537KB

MD5
c7be68088b0a823f1a4c1f77c702d1b4

SHA1
05d42d754afd21681c0e815799b88fbe1fbabf4e

SHA256
4943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3

SHA512
cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\webworker[1].js

Filesize
102B

MD5
ad5e6a567d064cba36f2a56caab2d866

SHA1
a3b46ea0ca5df5a6b6ab6bb228cf805065523cd1

SHA256
e70942d2b905910af2538c685c2223c25e5068bfbccb9742cfa5ffa48150d291

SHA512
ba45b3d74c0d2e0ac22bc97bacb6df549d7a4eae8d64050af41167376926f4379ccb6be84a666ba615caa7c5ee6838f98020c530f5c2ce51f71dad369d130681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC05.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC18.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6HALL4JE.txt

Filesize
405B

MD5
b35e73b07f54a1a63a47afeaddb49a67

SHA1
382c9143961763772bc7ca32dcb7e29b6f4b5abb

SHA256
5f128687fae28b30e429143de607f7ded8e99dcc21a09c5dbfc62185c2e584b7

SHA512
6fbb82a02aa8ed71def7cf9e6aa5d002560545662620c02f4166d0625f7f94f9d67e430a1d5866c8ac7d762377cfdba5ecc6014810bee715269a290b35ec96a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OJYHUCAL.txt

Filesize
174B

MD5
eda44b3988203942d619ee528eff6a78

SHA1
25b92cfff3d9d90c0913b6e937be30d50675cfe2

SHA256
a35efcce77c395afcaf24af39685383ebe31ddc4993297cc3db5a10eec41c057

SHA512
e7cbc1a6d3d2aa8413406a891a6686a22e4b243be4e7b060dfe534df9dcc9d55f59f91f7b94626b55c02f34a7912f242f836677fc93b730739e3578ca71bbb14

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit