Overview
overview
10Static
static
3eeeeeeeeee...00.exe
windows7-x64
eeeeeeeeee...um.exe
windows7-x64
10eeeeeeeeee...ug.exe
windows7-x64
6eeeeeeeeee...le.exe
windows7-x64
3eeeeeeeeee...er.exe
windows7-x64
7eeeeeeeeee...us.exe
windows7-x64
3MEMZ 3.0/MEMZ.bat
windows7-x64
7MEMZ 3.0/MEMZ.exe
windows7-x64
6eeeeeeeeee...MZ.bat
windows7-x64
7eeeeeeeeee...MZ.exe
windows7-x64
6eeeeeeeeee...ld.exe
windows7-x64
3eeeeeeeeee....A.exe
windows7-x64
6eeeeeeeeee...al.exe
windows7-x64
7eeeeeeeeee...15.exe
windows7-x64
3eeeeeeeeee...al.exe
windows7-x64
7eeeeeeeeee...0r.exe
windows7-x64
10eeeeeeeeee...ro.exe
windows7-x64
eeeeeeeeee...od.exe
windows7-x64
10eeeeeeeeee...ts.dll
windows7-x64
1eeeeeeeeee...ts.dll
windows7-x64
3eeeeeeeeee...ot.exe
windows7-x64
3Resubmissions
15-09-2024 23:12
240915-27aqvsxhjq 815-09-2024 23:02
240915-21efgaxake 815-09-2024 22:58
240915-2xypyaxdkj 315-09-2024 22:56
240915-2wn44sxcpk 315-09-2024 22:43
240915-2np2fawhpr 315-09-2024 22:42
240915-2m3k5swhmk 1015-09-2024 22:33
240915-2gqdmawbja 815-09-2024 22:27
240915-2de4gswekk 715-09-2024 22:15
240915-16esravenh 10Analysis
-
max time kernel
1479s -
max time network
1794s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-09-2024 22:42
Static task
static1
Behavioral task
behavioral1
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/000/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Antivirus Platinum/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/ColorBug/[email protected]
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/DesktopPuzzle/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/FakeActivation/[email protected]
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Happy Antivirus/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
MEMZ 3.0/MEMZ.bat
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
MEMZ 3.0/MEMZ.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/NavaShield/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Petya.A/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral13
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Central/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Defender 2015/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/VineMEMZ-Original.exe
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/WannaCrypt0r/[email protected]
Resource
win7-20240708-en
Behavioral task
behavioral17
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Windows Accelerator Pro/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Winlocker.VB6.Blacksod/[email protected]
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/AxInterop.ShockwaveFlashObjects.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/Interop.ShockwaveFlashObjects.dll
Resource
win7-20240729-en
Behavioral task
behavioral21
Sample
eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/YouAreAnIdiot.exe
Resource
win7-20240903-en
General
-
Target
MEMZ 3.0/MEMZ.bat
-
Size
12KB
-
MD5
13a43c26bb98449fd82d2a552877013a
-
SHA1
71eb7dc393ac1f204488e11f5c1eef56f1e746af
-
SHA256
5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
-
SHA512
602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
-
SSDEEP
384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF
Malware Config
Signatures
-
Executes dropped EXE 7 IoCs
pid Process 2416 MEMZ.exe 2996 MEMZ.exe 2512 MEMZ.exe 2420 MEMZ.exe 648 MEMZ.exe 1176 MEMZ.exe 2236 MEMZ.exe -
Loads dropped DLL 64 IoCs
pid Process 2416 MEMZ.exe 2416 MEMZ.exe 2416 MEMZ.exe 2416 MEMZ.exe 2416 MEMZ.exe 2416 MEMZ.exe 2416 MEMZ.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe 3916 taskmgr.exe 3916 taskmgr.exe 3916 taskmgr.exe 3916 taskmgr.exe 3916 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe 3916 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe 2904 taskmgr.exe 3916 taskmgr.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 MEMZ.exe -
Drops file in System32 directory 8 IoCs
description ioc Process File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language control.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language control.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language control.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wordpad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language calc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language calc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wordpad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wordpad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language control.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language control.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language control.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language control.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language calc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MEMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wordpad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000005a695ce791727edcce1b96e2c554c02d57196f45c8c0203922725d0ca410baba000000000e80000000020000200000009c1dbe0ebbe51755fe75866c39e31adfca5150b46a806600005bfa340fe8f87f9000000005aa434ab9444fec9f22ef52457a38efdacaa74bfd060c37138d2dfc8a6ef7cc4a72b51257c1b2f24b491b0ca8b06e2bf73e1fe430ac65ca0e7d691d5981bd426397f05f32d7e5c6571da8e803c179ba100b1439c2fa22d8cf089f15a3427fe963e622c1e7cc292e92c335bf7573f4d835e371b42e43c81274b1073b0d11c6899cb1178913e85d172ba2833536bff30240000000a79af0096a3fadacab5ca6d958f8232da5a46da15d8571fea8e5a422733efbe5bda69716326804d392a4f1dcfad91c2ba07b2b5de27a9f95177b6ebabc5e1305 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2C92BBF0-73B7-11EF-A0E3-4E0B11BE40FD} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{063C01A0-73B7-11EF-A0E3-4E0B11BE40FD} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE -
Runs regedit.exe 8 IoCs
pid Process 7716 regedit.exe 9040 regedit.exe 1432 regedit.exe 1636 regedit.exe 4032 regedit.exe 4400 regedit.exe 4428 regedit.exe 6100 regedit.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 2416 MEMZ.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2996 MEMZ.exe 2996 MEMZ.exe 2512 MEMZ.exe 2420 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2996 MEMZ.exe 2420 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2996 MEMZ.exe 2420 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2996 MEMZ.exe 2420 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2420 MEMZ.exe 2996 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2420 MEMZ.exe 2996 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2420 MEMZ.exe 2996 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2420 MEMZ.exe 2996 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2420 MEMZ.exe 2996 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 2420 MEMZ.exe 2996 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 2420 MEMZ.exe 648 MEMZ.exe 2996 MEMZ.exe 1176 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 1176 MEMZ.exe 2420 MEMZ.exe 2996 MEMZ.exe 2512 MEMZ.exe 648 MEMZ.exe 1176 MEMZ.exe 2420 MEMZ.exe 2996 MEMZ.exe 2512 MEMZ.exe -
Suspicious behavior: GetForegroundWindowSpam 15 IoCs
pid Process 1432 regedit.exe 2904 taskmgr.exe 2600 mmc.exe 2568 mmc.exe 1528 mmc.exe 2236 MEMZ.exe 3504 mmc.exe 3672 mmc.exe 3772 mmc.exe 2356 iexplore.exe 4264 mmc.exe 3916 taskmgr.exe 6700 mmc.exe 6308 mmc.exe 5628 mmc.exe -
Suspicious behavior: SetClipboardViewer 13 IoCs
pid Process 2568 mmc.exe 1528 mmc.exe 3504 mmc.exe 3672 mmc.exe 3772 mmc.exe 4264 mmc.exe 6700 mmc.exe 6308 mmc.exe 5628 mmc.exe 7556 mmc.exe 8640 mmc.exe 8236 mmc.exe 9512 mmc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: 33 828 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 828 AUDIODG.EXE Token: 33 828 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 828 AUDIODG.EXE Token: SeDebugPrivilege 2904 taskmgr.exe Token: 33 2600 mmc.exe Token: SeIncBasePriorityPrivilege 2600 mmc.exe Token: 33 2600 mmc.exe Token: SeIncBasePriorityPrivilege 2600 mmc.exe Token: 33 2568 mmc.exe Token: SeIncBasePriorityPrivilege 2568 mmc.exe Token: 33 2568 mmc.exe Token: SeIncBasePriorityPrivilege 2568 mmc.exe Token: 33 2568 mmc.exe Token: SeIncBasePriorityPrivilege 2568 mmc.exe Token: 33 1528 mmc.exe Token: SeIncBasePriorityPrivilege 1528 mmc.exe Token: 33 1528 mmc.exe Token: SeIncBasePriorityPrivilege 1528 mmc.exe Token: 33 3504 mmc.exe Token: SeIncBasePriorityPrivilege 3504 mmc.exe Token: 33 3504 mmc.exe Token: SeIncBasePriorityPrivilege 3504 mmc.exe Token: 33 3504 mmc.exe Token: SeIncBasePriorityPrivilege 3504 mmc.exe Token: 33 3672 mmc.exe Token: SeIncBasePriorityPrivilege 3672 mmc.exe Token: 33 3672 mmc.exe Token: SeIncBasePriorityPrivilege 3672 mmc.exe Token: 33 3672 mmc.exe Token: SeIncBasePriorityPrivilege 3672 mmc.exe Token: 33 3772 mmc.exe Token: SeIncBasePriorityPrivilege 3772 mmc.exe Token: 33 3772 mmc.exe Token: SeIncBasePriorityPrivilege 3772 mmc.exe Token: 33 4264 mmc.exe Token: SeIncBasePriorityPrivilege 4264 mmc.exe Token: 33 4264 mmc.exe Token: SeIncBasePriorityPrivilege 4264 mmc.exe Token: SeDebugPrivilege 3916 taskmgr.exe Token: 33 6700 mmc.exe Token: SeIncBasePriorityPrivilege 6700 mmc.exe Token: 33 6700 mmc.exe Token: SeIncBasePriorityPrivilege 6700 mmc.exe Token: 33 6308 mmc.exe Token: SeIncBasePriorityPrivilege 6308 mmc.exe Token: 33 6308 mmc.exe Token: SeIncBasePriorityPrivilege 6308 mmc.exe Token: 33 5628 mmc.exe Token: SeIncBasePriorityPrivilege 5628 mmc.exe Token: 33 5628 mmc.exe Token: SeIncBasePriorityPrivilege 5628 mmc.exe Token: 33 7556 mmc.exe Token: SeIncBasePriorityPrivilege 7556 mmc.exe Token: 33 7556 mmc.exe Token: SeIncBasePriorityPrivilege 7556 mmc.exe Token: 33 8640 mmc.exe Token: SeIncBasePriorityPrivilege 8640 mmc.exe Token: 33 8640 mmc.exe Token: SeIncBasePriorityPrivilege 8640 mmc.exe Token: 33 8236 mmc.exe Token: SeIncBasePriorityPrivilege 8236 mmc.exe Token: 33 8236 mmc.exe Token: SeIncBasePriorityPrivilege 8236 mmc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2456 cscript.exe 2356 iexplore.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe 2904 taskmgr.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1704 wordpad.exe 1704 wordpad.exe 1704 wordpad.exe 1704 wordpad.exe 1704 wordpad.exe 2356 iexplore.exe 2356 iexplore.exe 1928 IEXPLORE.EXE 1928 IEXPLORE.EXE 1928 IEXPLORE.EXE 1928 IEXPLORE.EXE 1356 IEXPLORE.EXE 1356 IEXPLORE.EXE 1356 IEXPLORE.EXE 1356 IEXPLORE.EXE 924 IEXPLORE.EXE 924 IEXPLORE.EXE 924 IEXPLORE.EXE 924 IEXPLORE.EXE 1348 wordpad.exe 1348 wordpad.exe 1348 wordpad.exe 1348 wordpad.exe 1348 wordpad.exe 1064 IEXPLORE.EXE 1064 IEXPLORE.EXE 1064 IEXPLORE.EXE 1064 IEXPLORE.EXE 2236 MEMZ.exe 1928 IEXPLORE.EXE 1928 IEXPLORE.EXE 1928 IEXPLORE.EXE 1928 IEXPLORE.EXE 588 IEXPLORE.EXE 588 IEXPLORE.EXE 2236 MEMZ.exe 1356 IEXPLORE.EXE 1356 IEXPLORE.EXE 588 IEXPLORE.EXE 588 IEXPLORE.EXE 1356 IEXPLORE.EXE 1356 IEXPLORE.EXE 2236 MEMZ.exe 2972 IEXPLORE.EXE 2972 IEXPLORE.EXE 2236 MEMZ.exe 924 IEXPLORE.EXE 924 IEXPLORE.EXE 2972 IEXPLORE.EXE 2972 IEXPLORE.EXE 924 IEXPLORE.EXE 924 IEXPLORE.EXE 2236 MEMZ.exe 1364 mmc.exe 2600 mmc.exe 2600 mmc.exe 1208 mmc.exe 2568 mmc.exe 2568 mmc.exe 2236 MEMZ.exe 2624 IEXPLORE.EXE 2624 IEXPLORE.EXE 2236 MEMZ.exe 2236 MEMZ.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2456 2692 cmd.exe 31 PID 2692 wrote to memory of 2456 2692 cmd.exe 31 PID 2692 wrote to memory of 2456 2692 cmd.exe 31 PID 2692 wrote to memory of 2416 2692 cmd.exe 32 PID 2692 wrote to memory of 2416 2692 cmd.exe 32 PID 2692 wrote to memory of 2416 2692 cmd.exe 32 PID 2692 wrote to memory of 2416 2692 cmd.exe 32 PID 2416 wrote to memory of 2996 2416 MEMZ.exe 33 PID 2416 wrote to memory of 2996 2416 MEMZ.exe 33 PID 2416 wrote to memory of 2996 2416 MEMZ.exe 33 PID 2416 wrote to memory of 2996 2416 MEMZ.exe 33 PID 2416 wrote to memory of 2512 2416 MEMZ.exe 34 PID 2416 wrote to memory of 2512 2416 MEMZ.exe 34 PID 2416 wrote to memory of 2512 2416 MEMZ.exe 34 PID 2416 wrote to memory of 2512 2416 MEMZ.exe 34 PID 2416 wrote to memory of 2420 2416 MEMZ.exe 35 PID 2416 wrote to memory of 2420 2416 MEMZ.exe 35 PID 2416 wrote to memory of 2420 2416 MEMZ.exe 35 PID 2416 wrote to memory of 2420 2416 MEMZ.exe 35 PID 2416 wrote to memory of 648 2416 MEMZ.exe 36 PID 2416 wrote to memory of 648 2416 MEMZ.exe 36 PID 2416 wrote to memory of 648 2416 MEMZ.exe 36 PID 2416 wrote to memory of 648 2416 MEMZ.exe 36 PID 2416 wrote to memory of 1176 2416 MEMZ.exe 37 PID 2416 wrote to memory of 1176 2416 MEMZ.exe 37 PID 2416 wrote to memory of 1176 2416 MEMZ.exe 37 PID 2416 wrote to memory of 1176 2416 MEMZ.exe 37 PID 2416 wrote to memory of 2236 2416 MEMZ.exe 38 PID 2416 wrote to memory of 2236 2416 MEMZ.exe 38 PID 2416 wrote to memory of 2236 2416 MEMZ.exe 38 PID 2416 wrote to memory of 2236 2416 MEMZ.exe 38 PID 2236 wrote to memory of 1792 2236 MEMZ.exe 39 PID 2236 wrote to memory of 1792 2236 MEMZ.exe 39 PID 2236 wrote to memory of 1792 2236 MEMZ.exe 39 PID 2236 wrote to memory of 1792 2236 MEMZ.exe 39 PID 2236 wrote to memory of 1704 2236 MEMZ.exe 40 PID 2236 wrote to memory of 1704 2236 MEMZ.exe 40 PID 2236 wrote to memory of 1704 2236 MEMZ.exe 40 PID 2236 wrote to memory of 1704 2236 MEMZ.exe 40 PID 1704 wrote to memory of 2460 1704 wordpad.exe 41 PID 1704 wrote to memory of 2460 1704 wordpad.exe 41 PID 1704 wrote to memory of 2460 1704 wordpad.exe 41 PID 1704 wrote to memory of 2460 1704 wordpad.exe 41 PID 2236 wrote to memory of 2356 2236 MEMZ.exe 42 PID 2236 wrote to memory of 2356 2236 MEMZ.exe 42 PID 2236 wrote to memory of 2356 2236 MEMZ.exe 42 PID 2236 wrote to memory of 2356 2236 MEMZ.exe 42 PID 2356 wrote to memory of 1928 2356 iexplore.exe 43 PID 2356 wrote to memory of 1928 2356 iexplore.exe 43 PID 2356 wrote to memory of 1928 2356 iexplore.exe 43 PID 2356 wrote to memory of 1928 2356 iexplore.exe 43 PID 2356 wrote to memory of 1356 2356 iexplore.exe 46 PID 2356 wrote to memory of 1356 2356 iexplore.exe 46 PID 2356 wrote to memory of 1356 2356 iexplore.exe 46 PID 2356 wrote to memory of 1356 2356 iexplore.exe 46 PID 2356 wrote to memory of 924 2356 iexplore.exe 47 PID 2356 wrote to memory of 924 2356 iexplore.exe 47 PID 2356 wrote to memory of 924 2356 iexplore.exe 47 PID 2356 wrote to memory of 924 2356 iexplore.exe 47 PID 2236 wrote to memory of 1348 2236 MEMZ.exe 48 PID 2236 wrote to memory of 1348 2236 MEMZ.exe 48 PID 2236 wrote to memory of 1348 2236 MEMZ.exe 48 PID 2236 wrote to memory of 1348 2236 MEMZ.exe 48 PID 2356 wrote to memory of 1064 2356 iexplore.exe 50 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\system32\cscript.execscript x.js2⤵
- Suspicious use of FindShellTrayWindow
PID:2456
-
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2996
-
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2512
-
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2420
-
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:648
-
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1176
-
-
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt4⤵
- System Location Discovery: System Language Discovery
PID:1792
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122885⤵PID:2460
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://play.clubpenguin.com/4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1928
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275478 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1356
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:603159 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:924
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:406567 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1064
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:2176026 /prefetch:25⤵
- Suspicious use of SetWindowsHookEx
PID:588
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:406607 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2972
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:2831408 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2624
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:2700360 /prefetch:25⤵
- System Location Discovery: System Language Discovery
PID:1960
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:3486783 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:3580
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:2700394 /prefetch:25⤵
- System Location Discovery: System Language Discovery
PID:3248
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:3748969 /prefetch:25⤵
- Modifies Internet Explorer settings
PID:2176
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:3945576 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2888
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275583 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1144
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:2569312 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1860
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:2110604 /prefetch:25⤵
- Modifies Internet Explorer settings
PID:4216
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:3945630 /prefetch:25⤵
- System Location Discovery: System Language Discovery
PID:4852
-
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵
- Suspicious use of SetWindowsHookEx
PID:1348
-
-
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\System32\taskmgr.exe"4⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:1432
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- Runs regedit.exe
PID:1636
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵
- Suspicious use of SetWindowsHookEx
PID:1364 -
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"4⤵
- Suspicious use of SetWindowsHookEx
PID:1208 -
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe"5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2568
-
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵PID:2808
-
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵PID:3464
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3336
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵PID:2044
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"4⤵
- Drops file in Windows directory
PID:4064
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- Runs regedit.exe
PID:4032
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4036
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵PID:3268
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"4⤵PID:2908
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe"5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3504
-
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3440
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:348 -
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe"5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3672
-
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵PID:4356
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2416
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵PID:4496
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:4400
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4764
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- Runs regedit.exe
PID:4428
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4832
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"4⤵
- Drops file in Windows directory
PID:4464
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵PID:4872
-
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3772
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4856
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"4⤵PID:476
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2840
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:5948
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5128
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5312
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:6100
-
-
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\System32\taskmgr.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5436
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5780
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5132
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵PID:5652
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵
- System Location Discovery: System Language Discovery
PID:6164
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵
- System Location Discovery: System Language Discovery
PID:6696 -
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:6700
-
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵
- System Location Discovery: System Language Discovery
PID:6304 -
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:6308
-
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵
- System Location Discovery: System Language Discovery
PID:6360
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵
- System Location Discovery: System Language Discovery
PID:6748
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵PID:4344
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵
- System Location Discovery: System Language Discovery
PID:7072
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6720
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵
- System Location Discovery: System Language Discovery
PID:6628 -
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5628
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:7172
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵
- System Location Discovery: System Language Discovery
PID:7508 -
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:7556
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:7816
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵PID:7408
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵PID:1876
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:7216
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵
- System Location Discovery: System Language Discovery
PID:7436
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"4⤵
- Drops file in Windows directory
PID:8148
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵
- System Location Discovery: System Language Discovery
PID:7760
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵
- System Location Discovery: System Language Discovery
PID:7836
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵PID:7356
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:8132
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:7716
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"4⤵PID:8624
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe"5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:8640
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp4⤵PID:8548
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe"4⤵
- System Location Discovery: System Language Discovery
- Runs regedit.exe
PID:9040
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
PID:9200
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵PID:8924
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:8656
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\System32\calc.exe"4⤵PID:8872
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5072 -
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe"5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:8236
-
-
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵PID:9504
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"4⤵
- System Location Discovery: System Language Discovery
PID:9416 -
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe"5⤵
- Suspicious behavior: SetClipboardViewer
PID:9512
-
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵
- System Location Discovery: System Language Discovery
PID:9620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+get+money4⤵
- Modifies Internet Explorer settings
PID:9748 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9748 CREDAT:275457 /prefetch:25⤵PID:9480
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+get+money4⤵
- Modifies Internet Explorer settings
PID:10072 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10072 CREDAT:275457 /prefetch:25⤵PID:9532
-
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵
- System Location Discovery: System Language Discovery
PID:9736
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware4⤵
- Modifies Internet Explorer settings
PID:9336 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9336 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
PID:10444
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware4⤵
- Modifies Internet Explorer settings
PID:7984 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7984 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
PID:10796
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://softonic.com/4⤵
- Modifies Internet Explorer settings
PID:10340 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10340 CREDAT:275457 /prefetch:25⤵PID:10808
-
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"4⤵
- Drops file in Windows directory
PID:10436
-
-
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\System32\taskmgr.exe"4⤵
- System Location Discovery: System Language Discovery
PID:10544
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+get+money4⤵
- Modifies Internet Explorer settings
PID:10772 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10772 CREDAT:275457 /prefetch:25⤵PID:11228
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=mcafee+vs+norton4⤵
- Modifies Internet Explorer settings
PID:11016 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11016 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
PID:9884
-
-
-
C:\Windows\SysWOW64\mspaint.exe"C:\Windows\System32\mspaint.exe"4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:11156
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe"4⤵
- System Location Discovery: System Language Discovery
PID:9224
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp4⤵
- Modifies Internet Explorer settings
PID:9132 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9132 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
PID:11288
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://play.clubpenguin.com/4⤵
- Modifies Internet Explorer settings
PID:9816 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9816 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:11560
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=batch+virus+download4⤵
- Modifies Internet Explorer settings
PID:11552 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11552 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
PID:12000
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+20164⤵
- Modifies Internet Explorer settings
PID:11884 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11884 CREDAT:275457 /prefetch:25⤵PID:11344
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://pcoptimizerpro.com/4⤵PID:7632
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7632 CREDAT:275457 /prefetch:25⤵PID:12048
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=internet+explorer+is+the+best+browser4⤵PID:11532
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11532 CREDAT:275457 /prefetch:25⤵PID:12520
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://softonic.com/4⤵PID:12404
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:12404 CREDAT:275457 /prefetch:25⤵PID:12932
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=best+way+to+kill+yourself4⤵PID:13236
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:13236 CREDAT:275457 /prefetch:25⤵PID:11460
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+20164⤵PID:13712
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:13712 CREDAT:275457 /prefetch:25⤵PID:14324
-
-
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\System32\mmc.exe"4⤵PID:12988
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2181⤵
- Suspicious use of AdjustPrivilegeToken
PID:828
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:2564
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD51df4559dc042f51453d31bbd6d406cac
SHA1defff321b0e39935b0281192bc732a47edc22d84
SHA2562e5e6363cb570b2bdfef7476d83333ea9e7699f5418fb102d5ffa795f0536d9d
SHA512c4a96d6fa0d96e706e89a571ad916c8995cb045bc3d30ac8f83b57c95bc1ee59e983ca42534b24f02ad862959826df6b5aac6f4a1288f5a3fb0eaf873f13f731
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273
Filesize471B
MD5cea7f7436b62d1aa1808fbf42c7614e8
SHA1d8530285ce4e6fd1ca352a617263fe26d46d383a
SHA256dfddd19826ded2ca69f63200f442f8f4dcf9b5ec1dd78e15d74d015c651ba190
SHA5123c679f47869a4e78c2b7a5a5ac20ce4ae922e4231f2cee533cf44d25e1ee45e848a3fd55d8e4c3d98bbe357ea2b9825dcbab55d9b71d5472d29b9e77aa86fda0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC
Filesize472B
MD557fabf8ce960f6516a99cb1065e0f1b5
SHA10f06fda5952c1e047f2fdd06a941cde444e7fd1b
SHA256287c0da810f4506a1fca9807d8457c52631b4f723f272412631a59fdda36d179
SHA512df597f53035b5dc18aaefbe0fb232e9e2770343319e716a32d416d27be2b4d77e4671786d0e6711549440dda3e68fb122e61c42fc781238cb158d0c4d1546cbe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635
Filesize472B
MD52e15489eb620ba4779210d523e343152
SHA1c6674bbf4ad29b2742ab2382f6ce4c17754b05d6
SHA25604ba2c1f6dde1be4f81cdd43a931f554f357fa751ce75028929f14695995c99e
SHA51287ea9978c49ce2b715361cdd60900ed5e3a7a589986056f4df3b547ad0168ee3bbe453b0a1a348ce7911a5548bd17cc6918aa88c689b2b46eeb857e2ec9ae471
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize170B
MD52963d8dbac114be70d6d3393346b3180
SHA14c190ee5b4dade71509d637fcfcd2383643255bf
SHA25626f39b30b7452b9bf7c98b602b1f3232b6608fcd4054483a0c080aa7f71314e3
SHA512c6cb31397545d5637747da26b194e9d582987ffa0fe1fac5e599fd8eb9cc972e1ccb560fa9ebdde62754d843f27656ce0418da0296d43e019401228ef3068aeb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5689377deeda99e17e03512783d3ae0a3
SHA1bb931d2981531984277544143b3753e1d2d0775c
SHA256b124221dc8968ba6d44bb3a73776232e5a16b14c2def108c75b0d92a752224d6
SHA5123e44edee7f761570689a15f4727cf6263aa866d84fc27c9fdebf7e824e966ac5b991be0c74c5d38d5208468392c9af2f52c1d2f9c26b741c5fd4d9b45462244e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273
Filesize406B
MD533f3d144177eb4675a453b38b141ddbd
SHA1296bc1fa1d7b587f7308b91023af1ba75683dd8d
SHA25672a34c68a867c43646fc2d36090a00af5ea5c01e70e3c193f06cb7c48ffc9e25
SHA51221199c546f07e46e3c9d25e4e4a3d0c03b5a5a086a77e92ff0c4a452a26a0c5793e7e88a83c767b3a0f1c108ca4e904174597aad9efb04470127be29100a6383
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC
Filesize398B
MD5ebe8cf1303cb86c26484ded0525d4a37
SHA1cef839c3ec2a7b7005e15bdd532a011ec6a2ebe2
SHA2565b510f25ece15eace7a38777346658c6fc37c54697154b9a1c58431b3797e782
SHA51258778afe4d64442c392029481065c2bf46c8540bf37aed84a479e657a769031e5812ddba62564ecf424c07afa36587ca317955f26ae85c545786c79e47f314db
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53af9f8cbe1156397e511fb32e4e47fb9
SHA1cfa0424429a6f06a4b544893a2d6d1ade478b819
SHA2568e130f1d217d1f84c1f70feed43723fd4013299f6fc1034b371b44aef290420c
SHA5129e22da3d981b20552789d020e5dff9aa85e00726eb6b6a4d767e2f268e29fdc5c8682a9dc5506373dc7ad0fab7ef0bcea137edfabd06a11b69f174ab5efef17f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ffa709e3aa8387c50af2d43906393278
SHA10db18222fb38815c4c20cb6d4aafa7d0d932978c
SHA2563f0614f24c198792cbcf887e3451278a8ec5c6ac01a134694d96414c94c78a1d
SHA512b33a18ebc667dbfa76d5e4a503ebece3468e45b1e9c3e866c07a7704cac193cb0ee1e1e982aa8c3c8fca07890998f792bb8649fd0ef8ed07260428491ae684ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53767cf08945c69c628fa4bd2d7f3ff46
SHA11daaa7cb29a1760b17220bd47417199386829750
SHA256e4f7da7659fd3ac794edebd85a53f35d218df24d6e37842fb3b106da2a60c988
SHA51257c51c7cb2cffbc2645bb20d147bb8cdcb2c6bb35796ee2297953bcecbae39673860d7607c0bb2136a5ec8e775b6755263d08c704b1b503686a8573a9916fe63
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a2dc0cb418f5046ffb886568fcef410e
SHA173c3d84a00a82614181e19b427a7a619ea63d791
SHA256f0f1b3a0f876326851234e324ba637c9fcc6948bd140e3e451fd418b8a75fff3
SHA512192fa188e61d78e761c54e9a29c12a33f6c23803cf9e0a72b443f276e83f47687de88454f96a0f0c5529fb4ab78fd3c715fed074345dfdad90ff802dcb20fa0b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fadab9a49eebd8865e2b117382127bf2
SHA1b303a7f961130b61a948dc5378d185579fcc3791
SHA25651eec4b26d8caf591bdd98aef1589dc97f47570cd1b78812b76dbec2f185651b
SHA512118b9730651d165ac2fcfcc6dbaeba80c9516db8ab4d435f46bb00ac418a190cbbbf76e147ee6310f3f43c9c51bc925caeb26dd825c8fac6560cd1fb73583259
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5844601dd618ecd46ec850a2a7736d0ee
SHA1b169b0cd254982bbf0b9f7e27d946a4f489a1b85
SHA2569ae0052ff7ebe350ba52368f78519a9433e92682d81787eea75feb162fc704fc
SHA5125595ea42f4189b4efe9d62442485f2c79cabb6039be8f738e08d48f25653573c8da892ce3ec9abca2b308f891e32853a3c13833104984fe9789b9bf26b09663f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58bb1af639877ea1176c8aa4b8c821da0
SHA168492a57433213900d41b3c9eacfa9264701defc
SHA256c8c98064d245cb3f86ee63bdffc4e83a2a4faf2bcd3f647f85fcf423a7c0b987
SHA512b28613d559000756019e258752ebcfd68d283bdaf208d2a54e092331bfca4d6609edcf5bf24bc915cd8e5a18f7b07a80ba2003140f6cd04e4d7608c4b8ed6114
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53f1abe2ab1fae85cf9d78b7f57dda0ff
SHA184155950234334f22644eb08c09738ef345e3ebd
SHA256df9864a362e03e16f1f54c53be9ff25ca68d8562bc889a3fb9b0b8a617894c88
SHA512ad6721d1c7db0c341be5ca93df92bf176550ec722cc4f28a5e6372ee047df8b8e4eacdb3e271b1e8462897af89dba0370be2998accf99f6a37da90850d653ee3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD507cf76ece9999d5a431d61fa8f8d875f
SHA136506d100fda36518c76b18248205e6dad2f0f31
SHA25657f83da2b78c5dfce1567cb26df15ad76202bafdfb2e049480c15bf36f716233
SHA512e78aa68fb804e3c06c63856c4acb6abad7082a3f48f08fa7642b10c90299acc7983a66ea8e9b74472c2b36d1bb19bb77295fd75d15373e29829e6beddb2f6ae5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b60cfd34e3e8e5e491acb06001b6667d
SHA1dc3892e7539921b5bb8a7f2b40ac066e5082dd43
SHA2569eec0103a0d13372b3263e16b9c7d0a081009a8960b1a2f480fbae40e7ac71c5
SHA51228c8efb29f23180507fa552cc2a4fd910e50ac70d15b07d0644ce0bcc82410fd03b06a0cc9312d13504f27b9d4a7ee711ef30d903b846ec5be77c13c3250181b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fc5beaecfaf781e5b9b4c96a05f3c4b8
SHA1e04ce667bc312b7ed1d1cfaffe27bc0b1595934e
SHA256b6a6b6f553d5a122ce891778e8680bb52643d0b66ecdc15bc83510b059b9b517
SHA5126440974772fffc05eecef0bd9c22ee0fa402c70bd713c9d537c1303564b5d4955a6d950c71819bd0e4d9e8954ad42a0f7f271b1bf7b60a453adc612829823a60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51932f97bac72807aaa11d7d6484b2daa
SHA1dcad6bbdb526be08d191bf449d7ed06083009a24
SHA256b505d5ea76a1242736b38b0c6b3ad73501932927c0b5ddd0233db42a4521a3e3
SHA5120090c4cce5759982e913933588728b33cb2948b7fe8d8032689ccedb9066c73cc2abdbe3bb54eb825e89ca37da65123bf45ac5f2fb008865864f155787c7646f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51c6950d774442ad89bbf0ada4eb9ac09
SHA1c7a180bd7f6db1ab1f72069a9c1987b55d0bad9a
SHA2569105942b95b3dd593359616779d4b9300bd33653fc3078523e418c3047343cd6
SHA5123dc69dd8c84ebec0a87aa4a3c34bfa58508fae5236484a9d420fdf8937a6063a976728c41389e91e8c8613f01ee5992171980d51c87c42e9189de1eac3437aec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55e28f8f47eebb80f39d5c1782dcfdb82
SHA1f307de14973696f5d8dd7f3b32bd8b297ee418b9
SHA256cf4a32c5d365f476875e41c5b558d3097a93adb87d7058246b8c20ca1bb434ce
SHA51204ddeca900273465b656e995ef78567705e6b16da75cfef403e8ccb5e85c231a4da476b20c6ea928a57817639d12190261ac4e23e7df27a0cf73aead36633020
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5205f3054cc284070d39c2294c80eb5e1
SHA1c099a2b8889d974022025c532b05fab285bf273d
SHA256f5f7219195b978851b1ed903bc330500696f07ff61e6af674a7cb823b3e220f3
SHA512af64bd56c7b15b946c246fdbb7ecf8d30930fc227207f5c57c48276d6ec2d2a280f1cb14642472507998df0bd9d924dd19bb89598d1e2613447e4211b36eeb77
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD595bfb2c0910afa851f6a2b78285640fc
SHA10506710acd81481b3452eb0240c1a934718a9cd3
SHA2564b3bfa23f30ab7bf89d22a86862e67a33901a8765c96d375dc384c70c9ddc567
SHA512b52c464167d9288565399eebe7b6f1fa07a189ef0c72613f47ca88365850d1d09acbbd10cdb450ee607941e4c63724a31e7150dc91bacf5cc9eff44da9214650
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5538bdd0e6a09b31dad7a04ac1ebdbe19
SHA1da18efb4e79402a080106bd41cf3200bfa6b4396
SHA256c059f21019d5b3af83144fc972a4dc5b0201facca28cf254362451840625bae4
SHA51264202a1a52e2048488310333cce40fcb3efc4b1debc92bf040b4ef1f351f17396fdc163538ac83ea31f081f968239c0ee9303dbb52c539856b64a6e113b78195
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD577fc53da3d75fb27e593a80d59ce9d08
SHA1ed54b2c44b98a10b523db1fb898b38585ce00fa4
SHA25641be1abe9e2d0197e6489907c2774c255101d086d68733894b5debb557ed7a08
SHA51287e410fe185fb26bb79838e3ae5fcb9476423d588fa7efbb9b3e25a1cd4d193e2718a3c958c700159dfe1e8dc085614701020ca699a0a67aad081c3d8501ffc9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5904dece8c0b6c019c6fd6303dbc0651d
SHA1264caacb27a8605055e5a50c91ad6d6c956b8627
SHA256d5defc107aae4db2c189b4a3c5f8fb7613e1b84eae899ad9d37e65a0ddb877b0
SHA512cc840de10fb32adfca056ca2b3bbe31065b27a6d6df4bef5d7835dbc53d472c2993fe41fcd094211d039fea9092c681dc614425c0683dbce99cc322c913702f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5abb9ffdd3a2c4bdd84fe169318aaed15
SHA10061e48df8eb150b8dfff47d7695be84244eea9a
SHA256cd094b07b63ce7cb605c08d5d9cd1652b066da4bc8b606f957be4185c29d3f22
SHA5128eb99214b9c7119f3cc7183f817e0a7c3aa2b0ae27615eb71f961c2ddbf8b9d24af67131c461178d11d86d79d07b691f680fa485d157a85df8c0bd97dea052bd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5700ea03cee0e731f144e73d779344d39
SHA15ed64d0b206417f73a6ac4e99ea7ac5733d972f1
SHA256d96b2e5f728d0ea96fe2d724d91ff3090759220bb79de1e06cb4db3869ca2f8c
SHA5124d35559a06d94e0eecf1c25198174a5ce87f92cbf5d71ab991006c855c026b0683fd93bc83c091c6577b799f5d4ec3a086df3e174267ede0da0d187047e80920
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635
Filesize398B
MD5ba4ef8578d4337c536bef70aeababa21
SHA1b349df7da762af3b8f96349487f91f00d29063cc
SHA256250b8279f573ad3b4c2be51562f85f1015a80d73c61f49e029bd1be62d6b0e5e
SHA51211d7b311646db1b436c771b78ad4512a3c3319236a9cacc048dbfbc9b22de32be2bc29513a00ac34f7b7604e97c4e3edf2aa5073179ebd0b5adced35b67dbedb
-
Filesize
98B
MD56ed7551f28132708bc9eead02dbc740d
SHA11fc7a512bb38a810eb317c7176e15e840776962d
SHA2569d13ed2da2c7fce0d5a11a2f139560c704fc799708fcc5d1747ed6f64a17b6f7
SHA5125c00455ae054e8ae60a02ebc02206bd04acc7ad84e818877761f0798046f083483b40b1c2c9143b52a78585acb2ef0e4e483d36e78d644aae6abfa6837d5ff7e
-
Filesize
5KB
MD5a1ebe06fce5f53d8f215c581ee873dd7
SHA1e72b2c80d8689723d48cf6289325adabc1429700
SHA25679010309c20d3d468e6cc81fe152ab42789cd42b2394b7f53f616bf1c870c402
SHA5123a90727f0ca3114496f71e8e461c5d33c15fe75b5ff3b6edf9c88c108eb3150e9942968d26f9317a8004c595cb31e13e6a1164c918fef686f4e1d521a1c483f7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\-HiUwdQxDKLzt71CPYD-hKnPnujfGhcYgWkgX6BRpVU[1].js
Filesize24KB
MD5242324a437f1e8dfa268b1be80e57fdc
SHA12198c8b982542d263d2df13efc9e476563b5874f
SHA256f87894c1d4310ca2f3b7bd423d80fe84a9cf9ee8df1a17188169205fa051a555
SHA51274d8caa815fbae1b8510c883da00cec7f43fed56890c50eb24e44d281e31d9579b592553be87d2ce8ccb04cb2e3f78eaa8889068762fa36b1143b85cb21f3410
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\NewErrorPageTemplate[1]
Filesize1KB
MD5cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA18f12010dfaacdecad77b70a3e781c707cf328496
SHA256204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\dnserror[2]
Filesize1KB
MD573c70b34b5f8f158d38a94b9d7766515
SHA1e9eaa065bd6585a1b176e13615fd7e6ef96230a9
SHA2563ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
SHA512927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\httpErrorPagesScripts[1]
Filesize8KB
MD53f57b781cb3ef114dd0b665151571b7b
SHA1ce6a63f996df3a1cccb81720e21204b825e0238c
SHA25646e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA5128cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\errorPageStrings[1]
Filesize2KB
MD5e3e4a98353f119b80b323302f26b78fa
SHA120ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA2569466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\favicon[2].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\webworker[1].js
Filesize102B
MD5ad5e6a567d064cba36f2a56caab2d866
SHA1a3b46ea0ca5df5a6b6ab6bb228cf805065523cd1
SHA256e70942d2b905910af2538c685c2223c25e5068bfbccb9742cfa5ffa48150d291
SHA512ba45b3d74c0d2e0ac22bc97bacb6df549d7a4eae8d64050af41167376926f4379ccb6be84a666ba615caa7c5ee6838f98020c530f5c2ce51f71dad369d130681
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\api[1].js
Filesize870B
MD5db3f5a748364d84b2b5f75e3d4e851d0
SHA117b34ff20d429abee726b4b74530e5af2819f7bc
SHA256343ed5ecd144d781de67aa8638b1ca4fce5772faedbb72720daacb250884f4e1
SHA5123ee552fff8e93097120367c7f5f6aed88145150d706349542e8800e65722f4e6507bc0802e41a305cda56aaf4bcd40c036ad7a4d2aabea9dc70f908bf400dd90
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\logo_48[1].png
Filesize2KB
MD5ef9941290c50cd3866e2ba6b793f010d
SHA14736508c795667dcea21f8d864233031223b7832
SHA2561b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a
SHA512a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\recaptcha__en[1].js
Filesize537KB
MD5c7be68088b0a823f1a4c1f77c702d1b4
SHA105d42d754afd21681c0e815799b88fbe1fbabf4e
SHA2564943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3
SHA512cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf
Filesize34KB
MD54d88404f733741eaacfda2e318840a98
SHA149e0f3d32666ac36205f84ac7457030ca0a9d95f
SHA256b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1
SHA5122e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf
Filesize34KB
MD54d99b85fa964307056c1410f78f51439
SHA1f8e30a1a61011f1ee42435d7e18ba7e21d4ee894
SHA25601027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0
SHA51213d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\KFOmCnqEu92Fr1Mu4mxP[1].ttf
Filesize34KB
MD5372d0cc3288fe8e97df49742baefce90
SHA1754d9eaa4a009c42e8d6d40c632a1dad6d44ec21
SHA256466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f
SHA5128447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\styles__ltr[1].css
Filesize55KB
MD54adccf70587477c74e2fcd636e4ec895
SHA1af63034901c98e2d93faa7737f9c8f52e302d88b
SHA2560e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d
SHA512d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
10KB
MD5fc59b7d2eb1edbb9c8cb9eb08115a98e
SHA190a6479ce14f8548df54c434c0a524e25efd9d17
SHA256a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279
SHA5123392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1
-
Filesize
4KB
MD5ca007256308ca202d3a6cd78687ef75e
SHA1652b87f0593dbf757438fb5144a73a01faf25ad2
SHA25643d289cfea55e70b8a5a82b55f3a4a59599225069456b320bbc4053ac6655570
SHA512c58035d54bef93d88c5937675f708a9fde9d40612fc601a350809f2edc521e776a3c6b5dc05143e557e0fa2ab570421ec7ed724a16c8df305e2a34ac32fd916c
-
Filesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
Filesize
7KB
MD5cf0c19ef6909e5c1f10c8460ba9299d8
SHA1875b575c124acfc1a4a21c1e05acb9690e50b880
SHA256abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776
SHA512d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
16KB
MD5bdd9803d5ed64de9f02e2072a95e5026
SHA1ec74b54457e12bfd849283f6d692e9fe8a537334
SHA2566785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603
SHA512a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a
-
Filesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
Filesize
401B
MD5e8e4c662a14a7995a467d70820bc89d7
SHA10c2ce8ea048da71ce855a88b3b7d5070db44e25e
SHA25691f54984d83fc1b245d5f54b07a32b1f0a9d2eeb6fd11c57ec5a6fb2e4fcecc9
SHA512b37a244a0c38d591f1931d575b8ad6da67856d6c27733ad523f62b59a301d6583bdb43a9257c8a5fa66b3bd7f384ce9917a239c9e06251a80a2e759ed7fae400
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
Filesize3KB
MD5084306083cd7e9e8f11131783cc4d587
SHA1239246ad649f71042d72567722e0aff7bc32f469
SHA2561f6113ea79226d59e853b502a9ad6f9b961c0d9554c7249b9e78819b5b368654
SHA5120525aed23573ecd858c54fe4b65b2c1151577fe191cbdb6217c6eea42ea7847d4e8410d0eb86bab4a6fa2b449821b0a2e24c5fa98e0fac56b460560a2e2a81f7
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf