Analysis
- max time kernel: 1742s
- max time network: 1802s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-09-2024 22:42
Static task
static1
Behavioral task
behavioral1
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/000/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Antivirus Platinum/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/ColorBug/[email protected]
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/DesktopPuzzle/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/FakeActivation/[email protected]
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Happy Antivirus/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
MEMZ 3.0/MEMZ.bat
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
MEMZ 3.0/MEMZ.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/NavaShield/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Petya.A/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral13
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Central/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Defender 2015/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/VineMEMZ-Original.exe
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/WannaCrypt0r/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral17
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Windows Accelerator Pro/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Winlocker.VB6.Blacksod/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/AxInterop.ShockwaveFlashObjects.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/Interop.ShockwaveFlashObjects.dll
Resource
win7-20240729-en
Behavioral task
behavioral21
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/YouAreAnIdiot.exe
Resource
win7-20240903-en
General
- Target: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe
- Size: 12KB
- MD5: a7bcf7ea8e9f3f36ebfb85b823e39d91
- SHA1: 761168201520c199dba68add3a607922d8d4a86e
- SHA256: 3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
- SHA512: 89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
- SSDEEP: 192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
MEMZ.exe
File opened for modification: \??\PhysicalDrive0 (process: MEMZ.exe)
-
Drops file in System32 directory 9 IoCs
Processes:
mmc.exe
File opened for modification: C:\Windows\System32\devmgmt.msc (process: mmc.exe; entry repeated 9 times)
-
Drops file in Windows directory 4 IoCs
Processes:
mspaint.exe
File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: mspaint.exe; entry repeated 4 times)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
explorer.exe, mspaint.exe, IEXPLORE.EXE, regedit.exe, control.exe, mmc.exe, wordpad.exe, taskmgr.exe, notepad.exe, calc.exe, cmd.exe, MEMZ.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (same entry repeated for each of the processes above)
-
Runs regedit.exe 9 IoCs
Processes:
regedit.exe, PIDs: 14752, 3488, 13208, 6476, 8912, 10288, 11960, 4820, 5968
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
MEMZ.exe, PIDs: 2244, 2684, 2076, 2716, 2832 (the entries cycle through these five PIDs)
-
Suspicious behavior: GetForegroundWindowSpam 11 IoCs
Processes:
mmc.exe, PIDs: 2156, 3472, 3164, 3276, 4908, 4140, 4736, 2360
taskmgr.exe, PID: 628
MEMZ.exe, PID: 2864
iexplore.exe, PID: 2588
-
Suspicious behavior: SetClipboardViewer 14 IoCs
Processes:
mmc.exe, PIDs: 3472, 3164, 3276, 4908, 4140, 4736, 2360, 7152, 6352, 8684, 8288, 6712, 7884, 9580
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Token: 33 and Token: SeIncBasePriorityPrivilege (entries repeated per process):
AUDIODG.EXE, PID: 1972
mmc.exe, PIDs: 2156, 3472, 3164, 3276, 4908, 4140, 4736, 2360, 7152, 6352, 8684, 8288, 6712
Token: SeDebugPrivilege:
taskmgr.exe, PIDs: 628, 7956, 9304, 12616
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
iexplore.exe, PID: 2588
taskmgr.exe, PID: 628 (all other entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exe, PID: 628 (every entry)
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
iexplore.exe, PID: 2588
IEXPLORE.EXE, PIDs: 552, 2052, 2036, 768, 2616, 1280, 2904, 1504
MEMZ.exe, PID: 2864
mmc.exe, PIDs: 2628, 2156
wordpad.exe, PID: 3000
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each entry below appears four times in the report:
PID 1840 (MEMZ.exe) wrote to memory of MEMZ.exe, PIDs: 2684, 2244, 2076, 2716, 2832, 2864
PID 2864 (MEMZ.exe) wrote to memory of notepad.exe (PIDs 2584, 2332), iexplore.exe (PID 2588), control.exe (PID 2500)
PID 2588 (iexplore.exe) wrote to memory of IEXPLORE.EXE, PIDs: 552, 2052, 2036, 768, 2616, 1280
Processes
PID 1840  image: C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe"
  - Suspicious use of WriteProcessMemory
  PID 2684  image: C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  PID 2244  image: C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  PID 2076  image: C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  PID 2716  image: C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  PID 2832  image: C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /watchdog
    - Suspicious behavior: EnumeratesProcesses
  PID 2864  image: C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.exe" /main
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 2584  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe" \note.txt
      - System Location Discovery: System Language Discovery
    PID 2588  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" http://softonic.com/
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 552  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      PID 2052  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:209943 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      PID 2036  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:209973 /prefetch:2
        - Suspicious use of SetWindowsHookEx
      PID 768  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:668692 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      PID 2616  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:930852 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      PID 1280  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1455137 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      PID 2904  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:4142119 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      PID 1504  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:799827 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      PID 988  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3748951 /prefetch:2
        - System Location Discovery: System Language Discovery
      PID 3724  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1389649 /prefetch:2
      PID 2576  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3224659 /prefetch:2
        - Modifies Internet Explorer settings
      PID 4076  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1651788 /prefetch:2
      PID 1660  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1782885 /prefetch:2
        - Modifies Internet Explorer settings
      PID 2248  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:1651832 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
      PID 4200  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:2110609 /prefetch:2
      PID 1976  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:3486849 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
    PID 2500  image: C:\Windows\SysWOW64\control.exe  cmdline: "C:\Windows\System32\control.exe"
      - System Location Discovery: System Language Discovery
    PID 2332  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe"
    PID 628  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    PID 2628  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      - Suspicious use of SetWindowsHookEx
      PID 2156  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    PID 292  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
      - System Location Discovery: System Language Discovery
    PID 2408  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
    PID 1000  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
      - System Location Discovery: System Language Discovery
    PID 3000  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      - Suspicious use of SetWindowsHookEx
      PID 3020  image: C:\Windows\splwow64.exe  cmdline: C:\Windows\splwow64.exe 12288
    PID 612  image: C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe"
      - System Location Discovery: System Language Discovery
    PID 3876  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      - System Location Discovery: System Language Discovery
    PID 3608  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
    PID 3488  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      PID 3472  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 3488  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - System Location Discovery: System Language Discovery
      - Runs regedit.exe
    PID 3172  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\System32\mmc.exe"
      - System Location Discovery: System Language Discovery
      PID 3164  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 3300  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      PID 3276  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 2140  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe"
      - System Location Discovery: System Language Discovery
    PID 3520  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
    PID 4088  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
      - System Location Discovery: System Language Discovery
    PID 1600  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
      - System Location Discovery: System Language Discovery
    PID 3692  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
      - System Location Discovery: System Language Discovery
    PID 4924  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\System32\mmc.exe"
      PID 4908  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 2060  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      PID 4140  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 4820  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - Runs regedit.exe
    PID 4148  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
    PID 4424  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      - System Location Discovery: System Language Discovery
    PID 3992  image: C:\Windows\SysWOW64\mspaint.exe  cmdline: "C:\Windows\System32\mspaint.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
    PID 3456  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
      - System Location Discovery: System Language Discovery
    PID 4152  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - System Location Discovery: System Language Discovery
    PID 4820  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\System32\mmc.exe"
      PID 4736  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 4720  image: C:\Windows\SysWOW64\mspaint.exe  cmdline: "C:\Windows\System32\mspaint.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
    PID 4980  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe"
      - System Location Discovery: System Language Discovery
    PID 5968  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - System Location Discovery: System Language Discovery
      - Runs regedit.exe
    PID 5828  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
      - System Location Discovery: System Language Discovery
    PID 5220  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      PID 2360  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 5620  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - System Location Discovery: System Language Discovery
    PID 5680  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
      - System Location Discovery: System Language Discovery
    PID 3344  image: C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe"
    PID 5876  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe"
    PID 7140  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\System32\mmc.exe"
      - System Location Discovery: System Language Discovery
      PID 7152  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe"
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 6460  image: C:\Windows\SysWOW64\mspaint.exe  cmdline: "C:\Windows\System32\mspaint.exe"
      - Drops file in Windows directory
    PID 3136  image: C:\Windows\SysWOW64\control.exe  cmdline: "C:\Windows\System32\control.exe"
      - System Location Discovery: System Language Discovery
    PID 6884  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
    PID 6476  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - Runs regedit.exe
    PID 6148  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    PID 6476  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
      - System Location Discovery: System Language Discovery
    PID 7056  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
      - System Location Discovery: System Language Discovery
    PID 6904  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - System Location Discovery: System Language Discovery
    PID 6944  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    PID 7328  image: C:\Windows\SysWOW64\control.exe  cmdline: "C:\Windows\System32\control.exe"
      - System Location Discovery: System Language Discovery
    PID 7788  image: C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe"
    PID 7336  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" http://pcoptimizerpro.com/
    PID 7632  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - System Location Discovery: System Language Discovery
    PID 7956  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    PID 5204  image: C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe"
    PID 7260  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\System32\mmc.exe"
      - System Location Discovery: System Language Discovery
      PID 6352  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe"
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 8520  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=minecraft+hax+download+no+virus
    PID 8660  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      - System Location Discovery: System Language Discovery
      PID 8684  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 8940  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      - System Location Discovery: System Language Discovery
    PID 8268  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      PID 8288  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 8560  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
    PID 9196  image: C:\Windows\SysWOW64\mspaint.exe  cmdline: "C:\Windows\System32\mspaint.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
    PID 8736  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe"
    PID 8924  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\System32\mmc.exe"
      PID 6712  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe"
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
    PID 8912  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - System Location Discovery: System Language Discovery
      - Runs regedit.exe
    PID 7796  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - System Location Discovery: System Language Discovery
    PID 8268  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
    PID 8464  image: C:\Windows\SysWOW64\cmd.exe  cmdline: "C:\Windows\System32\cmd.exe"
    PID 8924  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware
      - Modifies Internet Explorer settings
      PID 9280  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8924 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
    PID 8412  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      - System Location Discovery: System Language Discovery
    PID 8512  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      - System Location Discovery: System Language Discovery
      PID 7884  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: SetClipboardViewer
    PID 7504  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=bonzi+buddy+download+free
      - Modifies Internet Explorer settings
      PID 9616  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7504 CREDAT:275457 /prefetch:2
    PID 9432  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      - System Location Discovery: System Language Discovery
      PID 9580  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        - Drops file in System32 directory
        - Suspicious behavior: SetClipboardViewer
    PID 9504  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
      - Modifies Internet Explorer settings
      PID 9992  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9504 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
    PID 9888  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
      - Modifies Internet Explorer settings
      PID 9272  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9888 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
    PID 9956  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    PID 10144  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" http://pcoptimizerpro.com/
      - Modifies Internet Explorer settings
      PID 7452  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10144 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
    PID 9304  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - Suspicious use of AdjustPrivilegeToken
    PID 9732  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
    PID 9864  image: C:\Windows\SysWOW64\control.exe  cmdline: "C:\Windows\System32\control.exe"
    PID 9536  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware
      - Modifies Internet Explorer settings
      PID 8516  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9536 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
    PID 8640  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus+builder+legit+free+download
      - Modifies Internet Explorer settings
      PID 10324  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8640 CREDAT:275457 /prefetch:2
    PID 7264  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=minecraft+hax+download+no+virus
      - Modifies Internet Explorer settings
      PID 10648  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7264 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
    PID 10288  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - System Location Discovery: System Language Discovery
      - Runs regedit.exe
    PID 11056  image: C:\Program Files\Internet Explorer\iexplore.exe  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
      - Modifies Internet Explorer settings
      PID 1864  image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11056 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
    PID 11176  image: C:\Windows\SysWOW64\control.exe  cmdline: "C:\Windows\System32\control.exe"
      - System Location Discovery: System Language Discovery
    PID 8408  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe"
    PID 11960  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - System Location Discovery: System Language Discovery
      - Runs regedit.exe
    PID 12516  image: C:\Windows\SysWOW64\explorer.exe  cmdline: "C:\Windows\System32\explorer.exe"
      - System Location Discovery: System Language Discovery
    PID 12616  image: C:\Windows\SysWOW64\taskmgr.exe  cmdline: "C:\Windows\System32\taskmgr.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    PID 12696  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      - System Location Discovery: System Language Discovery
    PID 12800  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      PID 13156  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
    PID 13208  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - System Location Discovery: System Language Discovery
      - Runs regedit.exe
    PID 12364  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\System32\mmc.exe"
      - System Location Discovery: System Language Discovery
      PID 12396  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe"
    PID 8704  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
    PID 12228  image: C:\Windows\SysWOW64\control.exe  cmdline: "C:\Windows\System32\control.exe"
    PID 13336  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe"
    PID 14148  image: C:\Windows\SysWOW64\mmc.exe  cmdline: "C:\Windows\System32\mmc.exe"
      PID 14624  image: C:\Windows\system32\mmc.exe  cmdline: "C:\Windows\system32\mmc.exe"
    PID 9868  image: C:\Windows\SysWOW64\notepad.exe  cmdline: "C:\Windows\System32\notepad.exe"
    PID 14568  image: C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  cmdline: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    PID 14752  image: C:\Windows\SysWOW64\regedit.exe  cmdline: "C:\Windows\System32\regedit.exe"
      - Runs regedit.exe
    PID 15080  image: C:\Windows\SysWOW64\calc.exe  cmdline: "C:\Windows\System32\calc.exe"
PID 2484  image: C:\Windows\SysWOW64\DllHost.exe  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
PID 1972  image: C:\Windows\system32\AUDIODG.EXE  cmdline: C:\Windows\system32\AUDIODG.EXE 0x4e0
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD51df4559dc042f51453d31bbd6d406cac
SHA1defff321b0e39935b0281192bc732a47edc22d84
SHA2562e5e6363cb570b2bdfef7476d83333ea9e7699f5418fb102d5ffa795f0536d9d
SHA512c4a96d6fa0d96e706e89a571ad916c8995cb045bc3d30ac8f83b57c95bc1ee59e983ca42534b24f02ad862959826df6b5aac6f4a1288f5a3fb0eaf873f13f731
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273
Filesize471B
MD5cea7f7436b62d1aa1808fbf42c7614e8
SHA1d8530285ce4e6fd1ca352a617263fe26d46d383a
SHA256dfddd19826ded2ca69f63200f442f8f4dcf9b5ec1dd78e15d74d015c651ba190
SHA5123c679f47869a4e78c2b7a5a5ac20ce4ae922e4231f2cee533cf44d25e1ee45e848a3fd55d8e4c3d98bbe357ea2b9825dcbab55d9b71d5472d29b9e77aa86fda0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC
Filesize472B
MD557fabf8ce960f6516a99cb1065e0f1b5
SHA10f06fda5952c1e047f2fdd06a941cde444e7fd1b
SHA256287c0da810f4506a1fca9807d8457c52631b4f723f272412631a59fdda36d179
SHA512df597f53035b5dc18aaefbe0fb232e9e2770343319e716a32d416d27be2b4d77e4671786d0e6711549440dda3e68fb122e61c42fc781238cb158d0c4d1546cbe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635
Filesize472B
MD52e15489eb620ba4779210d523e343152
SHA1c6674bbf4ad29b2742ab2382f6ce4c17754b05d6
SHA25604ba2c1f6dde1be4f81cdd43a931f554f357fa751ce75028929f14695995c99e
SHA51287ea9978c49ce2b715361cdd60900ed5e3a7a589986056f4df3b547ad0168ee3bbe453b0a1a348ce7911a5548bd17cc6918aa88c689b2b46eeb857e2ec9ae471
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize170B
MD595396c7b405bd3922c15a64123d1e1ed
SHA1b8b1b09065bc0c8bb7028649f498e8b57b51c578
SHA256e92c8aa30d33d2b3fcb5469309bbb1ebfad3e6bf8cb726b149d3382e9dbe7b86
SHA512ea4a0e4325d6d8a42d65fb99f11409da114309b1696f4bb29b79b7900bdba14cb47fa7675f607a1ad838000efe5c0d8152f2cc1b826142a4c4e66ba09fccd465
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5938581538c47953b7486713ec5068e93
SHA1361a0e8aab41ace068503e9cc9d062bf25567f97
SHA2566714f28cce0318b188e7e25b9bf5294ca32a9873028756c6acf5b17177740079
SHA51230a7280b0c4b36d9b007db6d7b1337bacdfb1676ce278cb4e22144e7cd32d81584a0cd5c21a9976d191d03c7638d34175fc7e54deb9e7ca023f6f898e8441a5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273
Filesize406B
MD50e394aa8904a20d06f3e028a478e60d8
SHA1d75542d1f6f6bee1dd57aa6487b93a5e8d8326c0
SHA256fd96106f81c83e89753b181e3f15d62e53b6664c5ea23b421e660be83d732b2f
SHA512e908999e62d4a2bc768d40fa2f1f21e5acde9ad6dc76f6b4b998ac30d3b8db840fa251cb24e3802c06c3af35c04f04bf837aee4ed735272c145dda00da5085a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC
Filesize398B
MD56f0bbb0fe55535c2bdcc69cbc6291ba7
SHA1bd49bc23e8c2d061cc76a22a4e60fb8d60580414
SHA256d760c8b224890a830357f17ef54e2b57561e9e2e1d922e96b1786e25ed93138f
SHA51271207731ffbfdff27a17690b631a9e21f65bd193c2ce29eed6712c5fa7ec3397b5ca125a000f9fddfd55da3b147db15ecd3e5632d52b9fefd4f7a593b881c901
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635
Filesize398B
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C3217A80-73B6-11EF-80B1-FE6EB537C9A6}.dat
Filesize5KB
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D8B10A50-73B6-11EF-80B1-FE6EB537C9A6}.dat
Filesize3KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\lKPp_8x8SVU7b6KN44fvdWMof2HELUnUniMVUZmLxyE[1].js
Filesize25KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\logo_48[1].png
Filesize2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\recaptcha__en[1].js
Filesize537KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf
Filesize34KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf
Filesize34KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\KFOmCnqEu92Fr1Mu4mxP[1].ttf
Filesize34KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\styles__ltr[1].css
Filesize55KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\-HiUwdQxDKLzt71CPYD-hKnPnujfGhcYgWkgX6BRpVU[1].js
Filesize24KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\api[1].js
Filesize870B
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\errorPageStrings[1]
Filesize2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\NewErrorPageTemplate[1]
Filesize1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\dnserror[2]
Filesize1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\favicon[2].ico
Filesize5KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\httpErrorPagesScripts[1]
Filesize8KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\webworker[1].js
Filesize102B