734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
1742s
max time network
1802s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 9 IoCs

Processes:

mmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 4 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exeexplorer.exemspaint.exeIEXPLORE.EXEexplorer.exeIEXPLORE.EXEregedit.exeexplorer.exeIEXPLORE.EXEIEXPLORE.EXEexplorer.execontrol.exeexplorer.exemmc.exeregedit.exewordpad.exetaskmgr.exeexplorer.exemmc.exeregedit.exetaskmgr.exeIEXPLORE.EXEnotepad.exemspaint.execalc.exemmc.exeregedit.exemspaint.exewordpad.exeregedit.exeIEXPLORE.EXEIEXPLORE.EXEnotepad.exetaskmgr.exetaskmgr.execmd.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEexplorer.exeIEXPLORE.EXEcalc.exeIEXPLORE.EXEmmc.exeIEXPLORE.EXEcontrol.exetaskmgr.exewordpad.exemmc.exemmc.exetaskmgr.exetaskmgr.execontrol.exetaskmgr.exewordpad.execontrol.exewordpad.exeIEXPLORE.EXEcalc.exenotepad.exemmc.exeregedit.exeMEMZ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA17D418-73B6-11EF-80B1-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B9097C8-73B7-11EF-80B1-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10da99dbc007db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3BD07B98-73B7-11EF-80B1-FE6EB537C9A6} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432602122"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Runs regedit.exe 9 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
14752	regedit.exe
3488	regedit.exe
13208	regedit.exe
6476	regedit.exe
8912	regedit.exe
10288	regedit.exe
11960	regedit.exe
4820	regedit.exe
5968	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2244	MEMZ.exe
2684	MEMZ.exe
2684	MEMZ.exe
2244	MEMZ.exe
2076	MEMZ.exe
2716	MEMZ.exe
2832	MEMZ.exe
2244	MEMZ.exe
2684	MEMZ.exe
2716	MEMZ.exe
2076	MEMZ.exe
2832	MEMZ.exe
2244	MEMZ.exe
2076	MEMZ.exe
2684	MEMZ.exe
2832	MEMZ.exe
2716	MEMZ.exe
2244	MEMZ.exe
2076	MEMZ.exe
2684	MEMZ.exe
2716	MEMZ.exe
2832	MEMZ.exe
2076	MEMZ.exe
2244	MEMZ.exe
2716	MEMZ.exe
2684	MEMZ.exe
2832	MEMZ.exe
2244	MEMZ.exe
2076	MEMZ.exe
2716	MEMZ.exe
2684	MEMZ.exe
2832	MEMZ.exe
2076	MEMZ.exe
2244	MEMZ.exe
2684	MEMZ.exe
2716	MEMZ.exe
2832	MEMZ.exe
2244	MEMZ.exe
2076	MEMZ.exe
2716	MEMZ.exe
2684	MEMZ.exe
2832	MEMZ.exe
2244	MEMZ.exe
2716	MEMZ.exe
2076	MEMZ.exe
2684	MEMZ.exe
2832	MEMZ.exe
2244	MEMZ.exe
2076	MEMZ.exe
2716	MEMZ.exe
2684	MEMZ.exe
2832	MEMZ.exe
2076	MEMZ.exe
2244	MEMZ.exe
2716	MEMZ.exe
2684	MEMZ.exe
2832	MEMZ.exe
2244	MEMZ.exe
2076	MEMZ.exe
2716	MEMZ.exe
2684	MEMZ.exe
2832	MEMZ.exe
2076	MEMZ.exe
2244	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 11 IoCs

Processes:

mmc.exetaskmgr.exemmc.exemmc.exeMEMZ.exemmc.exemmc.exemmc.exeiexplore.exemmc.exemmc.exe

pid process

2156 mmc.exe
628 taskmgr.exe
3472 mmc.exe
3164 mmc.exe
2864 MEMZ.exe
3276 mmc.exe
4908 mmc.exe
4140 mmc.exe
2588 iexplore.exe
4736 mmc.exe
2360 mmc.exe

pid	process
2156	mmc.exe
628	taskmgr.exe
3472	mmc.exe
3164	mmc.exe
2864	MEMZ.exe
3276	mmc.exe
4908	mmc.exe
4140	mmc.exe
2588	iexplore.exe
4736	mmc.exe
2360	mmc.exe

Suspicious behavior: SetClipboardViewer 14 IoCs

Processes:

mmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exe

pid	process
3472	mmc.exe
3164	mmc.exe
3276	mmc.exe
4908	mmc.exe
4140	mmc.exe
4736	mmc.exe
2360	mmc.exe
7152	mmc.exe
6352	mmc.exe
8684	mmc.exe
8288	mmc.exe
6712	mmc.exe
7884	mmc.exe
9580	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEtaskmgr.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exetaskmgr.exemmc.exetaskmgr.exemmc.exemmc.exemmc.exetaskmgr.exe

description	pid	process
Token: 33	1972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1972	AUDIODG.EXE
Token: 33	1972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1972	AUDIODG.EXE
Token: SeDebugPrivilege	628	taskmgr.exe
Token: 33	2156	mmc.exe
Token: SeIncBasePriorityPrivilege	2156	mmc.exe
Token: 33	2156	mmc.exe
Token: SeIncBasePriorityPrivilege	2156	mmc.exe
Token: 33	3472	mmc.exe
Token: SeIncBasePriorityPrivilege	3472	mmc.exe
Token: 33	3472	mmc.exe
Token: SeIncBasePriorityPrivilege	3472	mmc.exe
Token: 33	3164	mmc.exe
Token: SeIncBasePriorityPrivilege	3164	mmc.exe
Token: 33	3164	mmc.exe
Token: SeIncBasePriorityPrivilege	3164	mmc.exe
Token: 33	3164	mmc.exe
Token: SeIncBasePriorityPrivilege	3164	mmc.exe
Token: 33	3276	mmc.exe
Token: SeIncBasePriorityPrivilege	3276	mmc.exe
Token: 33	3276	mmc.exe
Token: SeIncBasePriorityPrivilege	3276	mmc.exe
Token: 33	4908	mmc.exe
Token: SeIncBasePriorityPrivilege	4908	mmc.exe
Token: 33	4908	mmc.exe
Token: SeIncBasePriorityPrivilege	4908	mmc.exe
Token: 33	4908	mmc.exe
Token: SeIncBasePriorityPrivilege	4908	mmc.exe
Token: 33	4140	mmc.exe
Token: SeIncBasePriorityPrivilege	4140	mmc.exe
Token: 33	4140	mmc.exe
Token: SeIncBasePriorityPrivilege	4140	mmc.exe
Token: 33	4736	mmc.exe
Token: SeIncBasePriorityPrivilege	4736	mmc.exe
Token: 33	4736	mmc.exe
Token: SeIncBasePriorityPrivilege	4736	mmc.exe
Token: 33	2360	mmc.exe
Token: SeIncBasePriorityPrivilege	2360	mmc.exe
Token: 33	2360	mmc.exe
Token: SeIncBasePriorityPrivilege	2360	mmc.exe
Token: 33	7152	mmc.exe
Token: SeIncBasePriorityPrivilege	7152	mmc.exe
Token: 33	7152	mmc.exe
Token: SeIncBasePriorityPrivilege	7152	mmc.exe
Token: SeDebugPrivilege	7956	taskmgr.exe
Token: 33	6352	mmc.exe
Token: SeIncBasePriorityPrivilege	6352	mmc.exe
Token: 33	6352	mmc.exe
Token: SeIncBasePriorityPrivilege	6352	mmc.exe
Token: SeDebugPrivilege	9304	taskmgr.exe
Token: 33	8684	mmc.exe
Token: SeIncBasePriorityPrivilege	8684	mmc.exe
Token: 33	8684	mmc.exe
Token: SeIncBasePriorityPrivilege	8684	mmc.exe
Token: 33	8288	mmc.exe
Token: SeIncBasePriorityPrivilege	8288	mmc.exe
Token: 33	8288	mmc.exe
Token: SeIncBasePriorityPrivilege	8288	mmc.exe
Token: 33	6712	mmc.exe
Token: SeIncBasePriorityPrivilege	6712	mmc.exe
Token: 33	6712	mmc.exe
Token: SeIncBasePriorityPrivilege	6712	mmc.exe
Token: SeDebugPrivilege	12616	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exetaskmgr.exe

pid	process
2588	iexplore.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe
628	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEMEMZ.exeIEXPLORE.EXEmmc.exemmc.exeIEXPLORE.EXEwordpad.exeIEXPLORE.EXE

pid	process
2588	iexplore.exe
2588	iexplore.exe
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
552	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2864	MEMZ.exe
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
2864	MEMZ.exe
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2864	MEMZ.exe
2628	mmc.exe
2156	mmc.exe
2156	mmc.exe
2864	MEMZ.exe
2864	MEMZ.exe
2864	MEMZ.exe
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
3000	wordpad.exe
3000	wordpad.exe
3000	wordpad.exe
2864	MEMZ.exe
3000	wordpad.exe
3000	wordpad.exe
768	IEXPLORE.EXE
768	IEXPLORE.EXE
2864	MEMZ.exe
768	IEXPLORE.EXE
768	IEXPLORE.EXE
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE
2864	MEMZ.exe
2864	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1840 wrote to memory of 2684	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2684	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2684	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2684	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2244	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2244	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2244	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2244	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2076	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2076	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2076	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2076	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2716	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2716	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2716	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2716	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2832	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2832	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2832	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2832	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2864	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2864	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2864	1840	MEMZ.exe	MEMZ.exe
PID 1840 wrote to memory of 2864	1840	MEMZ.exe	MEMZ.exe
PID 2864 wrote to memory of 2584	2864	MEMZ.exe	notepad.exe
PID 2864 wrote to memory of 2584	2864	MEMZ.exe	notepad.exe
PID 2864 wrote to memory of 2584	2864	MEMZ.exe	notepad.exe
PID 2864 wrote to memory of 2584	2864	MEMZ.exe	notepad.exe
PID 2864 wrote to memory of 2588	2864	MEMZ.exe	iexplore.exe
PID 2864 wrote to memory of 2588	2864	MEMZ.exe	iexplore.exe
PID 2864 wrote to memory of 2588	2864	MEMZ.exe	iexplore.exe
PID 2864 wrote to memory of 2588	2864	MEMZ.exe	iexplore.exe
PID 2588 wrote to memory of 552	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 552	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 552	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 552	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2052	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2052	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2052	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2052	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2036	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2036	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2036	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2036	2588	iexplore.exe	IEXPLORE.EXE
PID 2864 wrote to memory of 2500	2864	MEMZ.exe	control.exe
PID 2864 wrote to memory of 2500	2864	MEMZ.exe	control.exe
PID 2864 wrote to memory of 2500	2864	MEMZ.exe	control.exe
PID 2864 wrote to memory of 2500	2864	MEMZ.exe	control.exe
PID 2588 wrote to memory of 768	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 768	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 768	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 768	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2616	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2616	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2616	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2616	2588	iexplore.exe	IEXPLORE.EXE
PID 2864 wrote to memory of 2332	2864	MEMZ.exe	notepad.exe
PID 2864 wrote to memory of 2332	2864	MEMZ.exe	notepad.exe
PID 2864 wrote to memory of 2332	2864	MEMZ.exe	notepad.exe
PID 2864 wrote to memory of 2332	2864	MEMZ.exe	notepad.exe
PID 2588 wrote to memory of 1280	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 1280	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 1280	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 1280	2588	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2832

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
- System Location Discovery: System Language Discovery
PID:2584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://softonic.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:552

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:209943 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:209973 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:668692 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:930852 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1455137 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:4142119 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:799827 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3748951 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:988

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1389649 /prefetch:2
4⤵
PID:3724

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3224659 /prefetch:2
4⤵
- Modifies Internet Explorer settings
PID:2576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1651788 /prefetch:2
4⤵
PID:4076

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1782885 /prefetch:2
4⤵
- Modifies Internet Explorer settings
PID:1660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1651832 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2248

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:2110609 /prefetch:2
4⤵
PID:4200

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3486849 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1976

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:2500

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:2332

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:628

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:292

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:2408

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:1000

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:612

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:3876

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:3608

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
PID:3488

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:3488

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:3172

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
PID:3300

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:2140

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
PID:3520

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:4088

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:1600

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:3692

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
PID:4924

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
PID:2060

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- Runs regedit.exe
PID:4820

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
PID:4148

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:4424

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3992

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:3456

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:4152

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
PID:4820

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4720

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:4980

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:5968

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:5828

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
PID:5220

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:5620

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:5680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3344

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:5876

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:7140

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:7152

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
3⤵
- Drops file in Windows directory
PID:6460

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:3136

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:6884

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- Runs regedit.exe
PID:6476

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
PID:6148

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:6476

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:7056

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:6904

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
PID:6944

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:7328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pcoptimizerpro.com/
3⤵
PID:7336

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:7632

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:7956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5204

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:7260

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:6352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=minecraft+hax+download+no+virus
3⤵
PID:8520

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
- System Location Discovery: System Language Discovery
PID:8660

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:8684

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:8940

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
PID:8268

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:8288

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
PID:8560

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:9196

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:8736

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
PID:8924

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:6712

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:8912

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:7796

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
PID:8268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware
3⤵
- Modifies Internet Explorer settings
PID:8924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8924 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:9280

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:8412

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
- System Location Discovery: System Language Discovery
PID:8512

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
PID:7884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=bonzi+buddy+download+free
3⤵
- Modifies Internet Explorer settings
PID:7504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7504 CREDAT:275457 /prefetch:2
4⤵
PID:9616

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
- System Location Discovery: System Language Discovery
PID:9432

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
PID:9580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
3⤵
- Modifies Internet Explorer settings
PID:9504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9504 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:9992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
3⤵
- Modifies Internet Explorer settings
PID:9888

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9888 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:9272

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
PID:9956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pcoptimizerpro.com/
3⤵
- Modifies Internet Explorer settings
PID:10144

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10144 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:7452

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:9304

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:9732

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
3⤵
PID:9864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware
3⤵
- Modifies Internet Explorer settings
PID:9536

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9536 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:8516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus+builder+legit+free+download
3⤵
- Modifies Internet Explorer settings
PID:8640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8640 CREDAT:275457 /prefetch:2
4⤵
PID:10324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=minecraft+hax+download+no+virus
3⤵
- Modifies Internet Explorer settings
PID:7264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7264 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:10648

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:10288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
3⤵
- Modifies Internet Explorer settings
PID:11056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11056 CREDAT:275457 /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1864

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:11176

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:8408

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:11960

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:12516

C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:12616

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:12696

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
3⤵
PID:12800

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
4⤵
PID:13156

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:13208

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:12364

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
PID:12396

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:8704

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
3⤵
PID:12228

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:13336

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
3⤵
PID:14148

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
4⤵
PID:14624

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:9868

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
PID:14568

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- Runs regedit.exe
PID:14752

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:15080

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1df4559dc042f51453d31bbd6d406cac

SHA1
defff321b0e39935b0281192bc732a47edc22d84

SHA256
2e5e6363cb570b2bdfef7476d83333ea9e7699f5418fb102d5ffa795f0536d9d

SHA512
c4a96d6fa0d96e706e89a571ad916c8995cb045bc3d30ac8f83b57c95bc1ee59e983ca42534b24f02ad862959826df6b5aac6f4a1288f5a3fb0eaf873f13f731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
471B

MD5
cea7f7436b62d1aa1808fbf42c7614e8

SHA1
d8530285ce4e6fd1ca352a617263fe26d46d383a

SHA256
dfddd19826ded2ca69f63200f442f8f4dcf9b5ec1dd78e15d74d015c651ba190

SHA512
3c679f47869a4e78c2b7a5a5ac20ce4ae922e4231f2cee533cf44d25e1ee45e848a3fd55d8e4c3d98bbe357ea2b9825dcbab55d9b71d5472d29b9e77aa86fda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
472B

MD5
57fabf8ce960f6516a99cb1065e0f1b5

SHA1
0f06fda5952c1e047f2fdd06a941cde444e7fd1b

SHA256
287c0da810f4506a1fca9807d8457c52631b4f723f272412631a59fdda36d179

SHA512
df597f53035b5dc18aaefbe0fb232e9e2770343319e716a32d416d27be2b4d77e4671786d0e6711549440dda3e68fb122e61c42fc781238cb158d0c4d1546cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
472B

MD5
2e15489eb620ba4779210d523e343152

SHA1
c6674bbf4ad29b2742ab2382f6ce4c17754b05d6

SHA256
04ba2c1f6dde1be4f81cdd43a931f554f357fa751ce75028929f14695995c99e

SHA512
87ea9978c49ce2b715361cdd60900ed5e3a7a589986056f4df3b547ad0168ee3bbe453b0a1a348ce7911a5548bd17cc6918aa88c689b2b46eeb857e2ec9ae471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
95396c7b405bd3922c15a64123d1e1ed

SHA1
b8b1b09065bc0c8bb7028649f498e8b57b51c578

SHA256
e92c8aa30d33d2b3fcb5469309bbb1ebfad3e6bf8cb726b149d3382e9dbe7b86

SHA512
ea4a0e4325d6d8a42d65fb99f11409da114309b1696f4bb29b79b7900bdba14cb47fa7675f607a1ad838000efe5c0d8152f2cc1b826142a4c4e66ba09fccd465

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
938581538c47953b7486713ec5068e93

SHA1
361a0e8aab41ace068503e9cc9d062bf25567f97

SHA256
6714f28cce0318b188e7e25b9bf5294ca32a9873028756c6acf5b17177740079

SHA512
30a7280b0c4b36d9b007db6d7b1337bacdfb1676ce278cb4e22144e7cd32d81584a0cd5c21a9976d191d03c7638d34175fc7e54deb9e7ca023f6f898e8441a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
406B

MD5
0e394aa8904a20d06f3e028a478e60d8

SHA1
d75542d1f6f6bee1dd57aa6487b93a5e8d8326c0

SHA256
fd96106f81c83e89753b181e3f15d62e53b6664c5ea23b421e660be83d732b2f

SHA512
e908999e62d4a2bc768d40fa2f1f21e5acde9ad6dc76f6b4b998ac30d3b8db840fa251cb24e3802c06c3af35c04f04bf837aee4ed735272c145dda00da5085a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
398B

MD5
6f0bbb0fe55535c2bdcc69cbc6291ba7

SHA1
bd49bc23e8c2d061cc76a22a4e60fb8d60580414

SHA256
d760c8b224890a830357f17ef54e2b57561e9e2e1d922e96b1786e25ed93138f

SHA512
71207731ffbfdff27a17690b631a9e21f65bd193c2ce29eed6712c5fa7ec3397b5ca125a000f9fddfd55da3b147db15ecd3e5632d52b9fefd4f7a593b881c901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
107645d2b3e1d61d396c0c9245243339

SHA1
9e7d0ba307300617bd5a9ee393b8d3b696b1db97

SHA256
d69df2a7d48f90bc61af9855b53615f9780db6c3af4d3f1ff66efe3eda4df4c4

SHA512
96b10e8018794cae7902d3a227c3152506ee2b169d4f5c31c8c036ccbe80f02e9da1c44d7ef1053da31eac0e6aca528383fd1f9b58a1e84dea54393d8dc48b76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f461903717db271371bb34bf0f3493f4

SHA1
723519336322d5cf362ca46d42677d55316668e2

SHA256
ee9f1d35a7d887c1a73558021c9d3187e76171d3acf8f4a446f9f45d0dc3c08f

SHA512
c5030f3dba768006bba23ba7aac7913b931bcc9b725209ad62b6c9223963dde6b5903f0e07796b97e22a0ea0b63f2061a8aa267d51a33245c4ec4140aded1246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fdecf83900b653055f612615637f3ab

SHA1
c87c47014217b84c12f833dd567fde86219db527

SHA256
5d2fdc62c6e9b8d206388122e9709f45464b58e510fdff4f06f2c41fb6173270

SHA512
6d43540bba8d69ba16e3fb8fe7d3f9c6d5dec668f8fcb5932bd540190bef93a20b25f1ac859415f8a5f764ffdb4c8ca0aefcb53e48ee42e1fdceac180afa2977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
404f1c038cce9e9087579aa2bf6ada17

SHA1
d970307c8b481ab936d8428108e644927f0065d1

SHA256
f29ae1be2a57e221501c6bef65cac2362422495559878cd89297445bc19ce6dc

SHA512
397a726cdf3d2b9b9f4f1ae242e176a9abfbe590e17764cd9cd7ab7bda0d92d618535541ae474f6dbdfcde3b21271bca04ce1fba8751ef640fc34b6f6f71a0d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cd03b1bcbdb184914a6253c9cbaf6ea

SHA1
7ca0d5a7d9b1707f05998588c9362eba0db94050

SHA256
d1097212dd152bc0720cf26fd40586f2be79e81c4e36630c2d477ae79e8e844d

SHA512
6292329f36583a92d6e84ef593c2c71282a9eb13a082021d09ea820753efd4475883d1ee904f5676f0337851e082282f0198c6b58c1d33de64cebe58bfea9d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e879cd64560fd0a223d38bd1d8e7b718

SHA1
21e9fa0e04878947c28c3bc2eaba2727f69102d7

SHA256
69a0db1e9a25e458e006a89022e6acc1da4f35491eb268d8d89d19d6a915abd5

SHA512
7f6542e48ce3b66ba9592c0dd18d52c78b6f51ecdb36b454f5d9d542eef5065ee8b01a740a5f2c8aff28d2a776d80a4bf0f82a2d93501aebfc84a6fd75a54009

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f35ae522a2d3ac2532818b21d73ff5e

SHA1
1cc6026dbe957d087c2eef3debc540b7086717d1

SHA256
cca1a89be8c0238e85470310808a97ccf137c166f9402482314793439a667039

SHA512
fe8f1ad0c2a05f588ab5322632f4856befc0f6766ce14d23efde57561334990d29cbbc8059d40cf91d9dc16cd26a2029d4aa4cbd0232548b0d5656c76706e2c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2884ce1bc7cfae3e4bf1001e86f983f6

SHA1
71dde10b40aa16df926ce5d8c8bb86d8dd371ce5

SHA256
22e77b8bbdd68606c04f928693d118425993e0adc30b281c65c479dcdcf8c16e

SHA512
bf74c5f2c07395d1509a5f9e87527d108749d46b781c338dfb3fcbf77ebfab942f60c7b280a5e4ad2735b6bdafcebca1b321c0c4516088f4ff48e9cc934b4daa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d4ed45a638c5b2d025979645ea0df92

SHA1
2c3bdb8e760b275ae2493e48abdb08ddc25116f9

SHA256
a4924774d5bb8f097ddd2aaf7687c2e6e793aa6cede5d99774aa3558b5cd4451

SHA512
c879a354cdcec08daa5d9a8d6486b4e61cfe605dbee36e9265d012f5aa63a12277798cee43f48b9ff90d9487714054965de81a8df8436ad9cedea1e931d49d12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d25d02acab78cef6de075a923623dc0

SHA1
8d4914e11e4a473a1337a542517560883cacb872

SHA256
3822acf203aa948ee7d431124babb58b582877b672385b171342b2db3dd6c360

SHA512
73c90d16f8b9939eef977469ec2c4e046ea4f7816336021f6c7108a2cb0426973e13d31d0c1cbb123bf9430800c026c3bac6cf6523255df93da010b1f902c990

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dff04a30ddf8d0de5a0a29979d404e22

SHA1
831f02523bd2259ee89a0e8bd548d04d6cb6e9c9

SHA256
e0420b87d85e80486193ac26c36cb10bcf4e8e9b4fba41bbd4e690d2b841c9b8

SHA512
35aa40d6db818f68e5990d6d7305d19a5cb05654df766c941c2e16b6caf03e0f4b3f60b51147204843fa643b1038d4fd3ba0c269b9dfaf223d427603373fa800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99e42b495a3e9c052196aa3b47ca272a

SHA1
e2727c13775a08216fbccac670edfdc7ee85b8e8

SHA256
ee86814257901f18fd2c66865a43b26fb9f04665e46ae291e4ee41ef09422873

SHA512
f293f412dbc256bf730759da353fe2b8b6bee0703875beeccd74496338d0432e023c33e8e67b7f93915d476afc173d0457f303edf77fa393f0c2d83a49483839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
496a74ba95833f032ec49ea3e9392bb9

SHA1
831f318dd59daa9b483a214b6e179d8b41aba62c

SHA256
adb96be482762a67b22cd9a42c246b5e6a2a0e4f6e686850a2385bb7a3a40f9b

SHA512
8143adf2830cc13e674e0af58635edc9ef8a7b9c3bd8689b32cc4bdab7040bd9218b7be13d4a0e0d31c40bc20c886bed61a6d07ffd54b0a1a855e145ebd2ee25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fefba73bb412f91450c06b1bf444dd3e

SHA1
7ed61f19281e81d7ae52024d8d6fcea8a33f4891

SHA256
738bbc980419e5e5f82c9f18b29ac6a1ce95a4a3e726eac56ad07974abf3acdb

SHA512
9ac61aa482c7e4a069d3b18ef6a610c4b56e5cd1fa4e3d5f8ab77a39f3b739a0adb1dd2acb39b8f76d0e9c8f39a6543885df8a1c55c7f8445b2e5e3761e93f99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56fb3696e54c16c9f70685459a768009

SHA1
683a99b268f74cf0e4323c352544fc1b650700db

SHA256
aacfa8080c3328714442d2419356b346ca6bacbd2ee48058e502aebd33e1951a

SHA512
32cd43c387d1a6d1071372f4c3b8f36dd4e032ceec7775928bbb9914e5be506a8a4642d98ece3fcfcfc33495782ec9d44d112654ae0e1501e79f7687828028ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bb128c08e5821dd050c81d0aaf8e1ac

SHA1
5f329faec075510281ec6ff9382d2f699dee2feb

SHA256
703c79eb203630288c76b6d3a18df798480955999ca06b1b4d21d87e665b6709

SHA512
cde54ade3bfcdb4aac48da59388937f38774a1cbcd1369768c7527cedbca6aecf8f8e2565bcafcc3b7b716f7a9803e73d90f358d2d56f60e528823d1b462e59e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d9c907e2b404c54e7cf2f038921c6a9

SHA1
bd050337af1405cbfc7180bc2aeb54c22dc7290c

SHA256
e1c62c47bde6e54809abafcc51b3c477f20a71866c94b37ff4e434aa718f940e

SHA512
274a1e4e8992d52c8190fac6464640db3decb1b5fa4dde070c290342ce8210f28d4c1d7b7823b23c9bc46f2c9827b4a0873f5c125df8b8bc84fb8bc306e66f63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2973f675064709a053f525a39b278076

SHA1
b2cb03203bfca4f7dd41dfbe48477b053baf604e

SHA256
6827cc1e946b856632524748fd7885b52067b38357472d596c6c5ef47152845e

SHA512
a49a8300dfbc7720dbc7cfb0c907643253b27e8e67b13c4e5293ba22564eb909b6f74727132bd0306f1fb2196cc0e64f3b0b00edc3d73ec665fcc3957c8645e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f19801215ede3b6e9d8183ca02c64d1

SHA1
1d668623c5fbc74efda426b7f7bc9684e2574ee5

SHA256
a760c769f05f6fe5be174972d26622bb568f7e0fb78cfb1e55d558708a7537d1

SHA512
45043f6dcc9ea8b29ea62f388de7d0ec3ea7bd8243755884f0c636e5b9e61a4a21e669fa2e2271fecb1ede7b9f3e929f346ba1c724de8a28d6d4b26a8a2cec27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a876464a0a0b062a5332e18d206534f2

SHA1
999ccb0b6616254b2249d7614bcad03d1ab92bfc

SHA256
787d37eaa97ac9092d7a2b02e5de50ea9fbbf5e8516b97f9e318083c75a77929

SHA512
b395391aeba89e07865427900f35634c5212d8adce12dbec5da634112dfca16eea0c8d2426ee3f5d206bb89431d63afbb6c9c430b472204bc2862d589714eb68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d99fca44710841b4b098e9709f2cc2ec

SHA1
21a4d170a0c004587f97c109e28b38d9a1cab0bf

SHA256
8c7b0cdd24916b97e9223098aa98dfa803e53edcd35b22994c61dde2afa85fbb

SHA512
a9e5a98ede064f89bd50769d7fedf6d9052a0bef2c351fb4f28f3a49ff719458a6c3b3751b757968b0dd2443466ba23132bd8ac0302c6c7e0149b5fabf93685a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
398B

MD5
39727d6f610d7d9364e7299a6b39efdd

SHA1
37f2a28c469b3477b1efb26de84578ba0d075116

SHA256
42bcadbdd26a1fc4e0f676bd7be5ebb9c68b6d2ea681d5c8ceb0389dc12f1323

SHA512
47156d74f3ae51abbffe1c4e4c07fb00da5c31163536e1d7cbee1060ac23660f7873ce68739ed1df05ac21c979d247f4013383e1a6802275cd5e2b24b8c63fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZFFA7FX8\www.google[1].xml

Filesize
99B

MD5
46004f190a2c1efa8b723c4d40c833e7

SHA1
5fdb8693a53d1df18ebb13e88f135df4a5e9bae1

SHA256
689f658731a800930cef8dc1f794b45a5e529f909f2f2ae8c24729dbf3478f7d

SHA512
52404bcd7134493dbdd214a8189b5ba9217d7ff20bfec5111c49c9e257ee1e41e30eb6350322e79f5302ef06d411338e27c9de4b5c0301f97fa67999460ad241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C3217A80-73B6-11EF-80B1-FE6EB537C9A6}.dat

Filesize
5KB

MD5
67907da85aa08710f05e34910049b537

SHA1
2944b3a1f2e6938d8625d5f80e7a0ca56546dedf

SHA256
19bca2a04df76e17f755a075740421ca2319cc404eefff63c5090adf2193ab1c

SHA512
fb51f094af2a8efa587e82248dd695e09b3ebb375eb959eef5aa40fa3232577a69f712e5c8ee11f7fa1c5419117377fcc31355e2dc3461e52dc891bab58e21b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D8B10A50-73B6-11EF-80B1-FE6EB537C9A6}.dat

Filesize
3KB

MD5
b429f55171b2d678d752e2a1e6835361

SHA1
8b245b0d2fb8ec7c63abefb81f8d7aee19875369

SHA256
fb5c880c09c99116982a44cc81d98cbc1a0333a8ad8ec3d92028cd61907d6da5

SHA512
4bafde5958d6ab7dbee13a8f7e60e302d9cbd83bcc91a797bae61382d27d88d653f7caa85413c3c84405a89d98e97b385d66de4df907db61d2f96cb21bb6e754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\e1ur8h2\imagestore.dat

Filesize
5KB

MD5
1df61deba1928f863867edf6c96e02ca

SHA1
a363f91e838d3d28969f5a56731ad49c946c6599

SHA256
b2766bf493925fdc7fc36bf271dc4310b9cae3a501224873d900f40e343f855e

SHA512
3cd37409641e6d32c0bfea184f2d52f3aaaffb4e44a2691f122a172f239ec68bc932a85cec85322a1d962999519d3ff690f0d781b0248961bfcb8295a7922fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\lKPp_8x8SVU7b6KN44fvdWMof2HELUnUniMVUZmLxyE[1].js

Filesize
25KB

MD5
d79fe6b03d76ee6e31126e039d9e14be

SHA1
e0053872adb800706efe2d5bd425e27a9afebeee

SHA256
94a3e9ffcc7c49553b6fa28de387ef7563287f61c42d49d49e231551998bc721

SHA512
30c9ccdad80c81807da0045df2d950d5c1dea51a475597ecccf36ba3b69025412e5fce1d640d6c5b8cbfb7a517ca0d1195bcfecebbc593c19e8eb77fd9373da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\recaptcha__en[1].js

Filesize
537KB

MD5
c7be68088b0a823f1a4c1f77c702d1b4

SHA1
05d42d754afd21681c0e815799b88fbe1fbabf4e

SHA256
4943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3

SHA512
cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\-HiUwdQxDKLzt71CPYD-hKnPnujfGhcYgWkgX6BRpVU[1].js

Filesize
24KB

MD5
242324a437f1e8dfa268b1be80e57fdc

SHA1
2198c8b982542d263d2df13efc9e476563b5874f

SHA256
f87894c1d4310ca2f3b7bd423d80fe84a9cf9ee8df1a17188169205fa051a555

SHA512
74d8caa815fbae1b8510c883da00cec7f43fed56890c50eb24e44d281e31d9579b592553be87d2ce8ccb04cb2e3f78eaa8889068762fa36b1143b85cb21f3410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\api[1].js

Filesize
870B

MD5
db3f5a748364d84b2b5f75e3d4e851d0

SHA1
17b34ff20d429abee726b4b74530e5af2819f7bc

SHA256
343ed5ecd144d781de67aa8638b1ca4fce5772faedbb72720daacb250884f4e1

SHA512
3ee552fff8e93097120367c7f5f6aed88145150d706349542e8800e65722f4e6507bc0802e41a305cda56aaf4bcd40c036ad7a4d2aabea9dc70f908bf400dd90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\dnserror[2]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\favicon[2].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\webworker[1].js

Filesize
102B

MD5
ad5e6a567d064cba36f2a56caab2d866

SHA1
a3b46ea0ca5df5a6b6ab6bb228cf805065523cd1

SHA256
e70942d2b905910af2538c685c2223c25e5068bfbccb9742cfa5ffa48150d291

SHA512
ba45b3d74c0d2e0ac22bc97bacb6df549d7a4eae8d64050af41167376926f4379ccb6be84a666ba615caa7c5ee6838f98020c530f5c2ce51f71dad369d130681

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80B7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8118.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFB3DAEB4A2AD841AF.TMP

Filesize
16KB

MD5
bdd9803d5ed64de9f02e2072a95e5026

SHA1
ec74b54457e12bfd849283f6d692e9fe8a537334

SHA256
6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603

SHA512
a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CFL4QFUK.txt

Filesize
405B

MD5
be676df900dd5cd646591192ca1a9b15

SHA1
541dbb6682e0485cbc5af8047dae2cf8aa67d02e

SHA256
f9a85b0bc3bf839c3f3859b479e9fbb55f0d7d80039f5ff650a7a425cb3faef3

SHA512
8fa57c7fc21234fb4c0927c10cd4f5470d37d00e27220f60e0bb86a2adc7a0de09f98ed1aeb07550a9a943c8108e09c82ec4ae3a39d3352e6a5cabe086952378

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2156-1082-0x000007FEF6170000-0x000007FEF61AA000-memory.dmp

Filesize
232KB

Download
memory/2156-1218-0x000007FEF5CC0000-0x000007FEF5CFA000-memory.dmp

Filesize
232KB

Download
memory/2156-1171-0x000007FEF5D00000-0x000007FEF5D3A000-memory.dmp

Filesize
232KB

Download
memory/2156-1725-0x000007FEF5C10000-0x000007FEF5C4A000-memory.dmp

Filesize
232KB

Download
memory/2156-1050-0x000007FEF6170000-0x000007FEF61AA000-memory.dmp

Filesize
232KB

Download
memory/2156-1122-0x000007FEF5D00000-0x000007FEF5D3A000-memory.dmp

Filesize
232KB

Download
memory/2156-1266-0x000007FEF5CC0000-0x000007FEF5CFA000-memory.dmp

Filesize
232KB

Download
memory/2156-1466-0x000007FEF5B30000-0x000007FEF5B6A000-memory.dmp

Filesize
232KB

Download
memory/2156-1393-0x000007FEF5B30000-0x000007FEF5B6A000-memory.dmp

Filesize
232KB

Download
memory/2360-1396-0x000007FEF5BD0000-0x000007FEF5C0A000-memory.dmp

Filesize
232KB

Download
memory/2360-1723-0x000007FEF5C10000-0x000007FEF5C4A000-memory.dmp

Filesize
232KB

Download
memory/2360-1471-0x000007FEF5BD0000-0x000007FEF5C0A000-memory.dmp

Filesize
232KB

Download
memory/3276-1467-0x000007FEF5B30000-0x000007FEF5B6A000-memory.dmp

Filesize
232KB

Download
memory/3276-1219-0x000007FEF5D00000-0x000007FEF5D3A000-memory.dmp

Filesize
232KB

Download
memory/3276-1748-0x000007FEF5AF0000-0x000007FEF5B2A000-memory.dmp

Filesize
232KB

Download
memory/3276-1394-0x000007FEF5B30000-0x000007FEF5B6A000-memory.dmp

Filesize
232KB

Download
memory/3276-1144-0x000007FEF5D00000-0x000007FEF5D3A000-memory.dmp

Filesize
232KB

Download
memory/3276-1312-0x000007FEF5D00000-0x000007FEF5D3A000-memory.dmp

Filesize
232KB

Download
memory/3276-1267-0x000007FEF5D00000-0x000007FEF5D3A000-memory.dmp

Filesize
232KB

Download
memory/3472-1143-0x000007FEF5D00000-0x000007FEF5D3A000-memory.dmp

Filesize
232KB

Download
memory/3472-1395-0x000007FEF5C10000-0x000007FEF5C4A000-memory.dmp

Filesize
232KB

Download
memory/3472-1217-0x000007FEF5D00000-0x000007FEF5D3A000-memory.dmp

Filesize
232KB

Download
memory/3472-1173-0x000007FEF5CC0000-0x000007FEF5CFA000-memory.dmp

Filesize
232KB

Download
memory/3472-1470-0x000007FEF5C10000-0x000007FEF5C4A000-memory.dmp

Filesize
232KB

Download
memory/3472-1724-0x000007FEF5BD0000-0x000007FEF5C0A000-memory.dmp

Filesize
232KB

Download
memory/3472-1123-0x000007FEF5CC0000-0x000007FEF5CFA000-memory.dmp

Filesize
232KB

Download
memory/3472-1732-0x000007FEF5BD0000-0x000007FEF5C0A000-memory.dmp

Filesize
232KB

Download
memory/3472-1751-0x000007FEF5BD0000-0x000007FEF5C0A000-memory.dmp

Filesize
232KB

Download
memory/4140-1392-0x000007FEF5B30000-0x000007FEF5B6A000-memory.dmp

Filesize
232KB

Download
memory/4140-1746-0x000007FEF5C10000-0x000007FEF5C4A000-memory.dmp

Filesize
232KB

Download
memory/4140-1313-0x000007FEF5CC0000-0x000007FEF5CFA000-memory.dmp

Filesize
232KB

Download
memory/4140-1465-0x000007FEF5B30000-0x000007FEF5B6A000-memory.dmp

Filesize
232KB

Download
memory/8288-1843-0x000007FEF5C10000-0x000007FEF5C4A000-memory.dmp

Filesize
232KB

Download
memory/8684-1747-0x000007FEF5AF0000-0x000007FEF5B2A000-memory.dmp

Filesize
232KB

Download
memory/8684-1737-0x000007FEF5AF0000-0x000007FEF5B2A000-memory.dmp

Filesize
232KB

Download