734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
1211s
max time network
1802s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.exe
Size

12KB
MD5

a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1

761168201520c199dba68add3a607922d8d4a86e
SHA256

3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA512

89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
SSDEEP

192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 3 IoCs

Processes:

mmc.exemmc.exemmc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Windows directory 8 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEtaskmgr.exemmc.exemspaint.exetaskmgr.exeIEXPLORE.EXEcmd.execalc.execmd.exewordpad.exemmc.exeIEXPLORE.EXEIEXPLORE.EXEmmc.exeIEXPLORE.EXEIEXPLORE.EXEregedit.exeIEXPLORE.EXEcalc.exetaskmgr.exeIEXPLORE.EXEmmc.exewordpad.exemmc.execmd.execontrol.exeIEXPLORE.EXEmspaint.execontrol.exemmc.exetaskmgr.exeIEXPLORE.EXEwordpad.exemmc.exeIEXPLORE.EXEMEMZ.exenotepad.execalc.exemmc.exetaskmgr.exeDllHost.execmd.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEcmd.exewordpad.execmd.exeMEMZ.exeIEXPLORE.EXEIEXPLORE.EXEtaskmgr.exewordpad.exeexplorer.exemmc.exeexplorer.exenotepad.exenotepad.execmd.exemspaint.exewordpad.execontrol.exeexplorer.exemspaint.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B97CCA20-73B6-11EF-B594-F245C6AC432F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90dd3bd4c007db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000004181793c61c7cb3c04d22736d0ac1b8dc8d764203f0be2159ba0f01b5a0a4fa7000000000e8000000002000020000000e8f99bdbc75479dab07cde2218d158171bebba519999e4fa4f6e98ee0f993f40900000008f178ef1310f559538a6baa813efdd0558457512d70ef30cdb69e52c7300169d777f9b17606c169407c6de30b4cb95c88fa0d0db8817d11683ca8dc1870ed25d8d065f1af4116c1f33645f6c9e2327e6187e2abc44f0cd59a001c5eeaedcf7a23e6df6d0bc489005ff29114d86673969a450e4994908981cc0484c61bd80b457b1de06cb4d3096e06ec17760e72639b64000000076739ab850cd71bee3047157a5d88ef472bd3cba6c354a2eb71abe24c6feb0a58285d1f60b9600174667414c4fc8acffe89b754a3ad20929fb0d49c2c7e9240e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432602102"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD32F491-73B3-11EF-B594-F245C6AC432F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Runs regedit.exe 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

2808 regedit.exe
6336 regedit.exe
11392 regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1732	MEMZ.exe
1572	MEMZ.exe
1864	MEMZ.exe
1864	MEMZ.exe
1572	MEMZ.exe
1652	MEMZ.exe
1732	MEMZ.exe
1324	MEMZ.exe
1572	MEMZ.exe
1732	MEMZ.exe
1864	MEMZ.exe
1324	MEMZ.exe
1652	MEMZ.exe
1324	MEMZ.exe
1732	MEMZ.exe
1864	MEMZ.exe
1572	MEMZ.exe
1652	MEMZ.exe
1732	MEMZ.exe
1572	MEMZ.exe
1864	MEMZ.exe
1324	MEMZ.exe
1652	MEMZ.exe
1324	MEMZ.exe
1732	MEMZ.exe
1864	MEMZ.exe
1572	MEMZ.exe
1652	MEMZ.exe
1324	MEMZ.exe
1572	MEMZ.exe
1732	MEMZ.exe
1864	MEMZ.exe
1652	MEMZ.exe
1864	MEMZ.exe
1324	MEMZ.exe
1652	MEMZ.exe
1732	MEMZ.exe
1572	MEMZ.exe
1324	MEMZ.exe
1732	MEMZ.exe
1864	MEMZ.exe
1572	MEMZ.exe
1652	MEMZ.exe
1324	MEMZ.exe
1732	MEMZ.exe
1864	MEMZ.exe
1572	MEMZ.exe
1652	MEMZ.exe
1572	MEMZ.exe
1732	MEMZ.exe
1864	MEMZ.exe
1324	MEMZ.exe
1652	MEMZ.exe
1652	MEMZ.exe
1732	MEMZ.exe
1864	MEMZ.exe
1324	MEMZ.exe
1572	MEMZ.exe
1732	MEMZ.exe
1652	MEMZ.exe
1324	MEMZ.exe
1864	MEMZ.exe
1572	MEMZ.exe
1732	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 12 IoCs

Processes:

regedit.exemmc.exemmc.exeMEMZ.exeiexplore.exemmc.exemmc.exemmc.exetaskmgr.exetaskmgr.exemmc.exetaskmgr.exe

pid	process
2808	regedit.exe
1876	mmc.exe
3620	mmc.exe
2268	MEMZ.exe
2708	iexplore.exe
3868	mmc.exe
4744	mmc.exe
3084	mmc.exe
4944	taskmgr.exe
1060	taskmgr.exe
4424	mmc.exe
5944	taskmgr.exe

Suspicious behavior: SetClipboardViewer 8 IoCs

Processes:

mmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exemmc.exe

pid process

3620 mmc.exe
4744 mmc.exe
3868 mmc.exe
3084 mmc.exe
4424 mmc.exe
6804 mmc.exe
8396 mmc.exe
7344 mmc.exe

pid	process
3620	mmc.exe
4744	mmc.exe
3868	mmc.exe
3084	mmc.exe
4424	mmc.exe
6804	mmc.exe
8396	mmc.exe
7344	mmc.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

AUDIODG.EXEmmc.exemmc.exemmc.exemmc.exemmc.exetaskmgr.exetaskmgr.exemmc.exetaskmgr.exemmc.exemmc.exetaskmgr.exe

description	pid	process
Token: 33	2592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2592	AUDIODG.EXE
Token: 33	2592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2592	AUDIODG.EXE
Token: 33	1876	mmc.exe
Token: SeIncBasePriorityPrivilege	1876	mmc.exe
Token: 33	1876	mmc.exe
Token: SeIncBasePriorityPrivilege	1876	mmc.exe
Token: 33	3620	mmc.exe
Token: SeIncBasePriorityPrivilege	3620	mmc.exe
Token: 33	3620	mmc.exe
Token: SeIncBasePriorityPrivilege	3620	mmc.exe
Token: 33	4744	mmc.exe
Token: SeIncBasePriorityPrivilege	4744	mmc.exe
Token: 33	4744	mmc.exe
Token: SeIncBasePriorityPrivilege	4744	mmc.exe
Token: 33	3868	mmc.exe
Token: SeIncBasePriorityPrivilege	3868	mmc.exe
Token: 33	3868	mmc.exe
Token: SeIncBasePriorityPrivilege	3868	mmc.exe
Token: 33	3084	mmc.exe
Token: SeIncBasePriorityPrivilege	3084	mmc.exe
Token: 33	3084	mmc.exe
Token: SeIncBasePriorityPrivilege	3084	mmc.exe
Token: SeDebugPrivilege	4944	taskmgr.exe
Token: SeDebugPrivilege	1060	taskmgr.exe
Token: 33	4424	mmc.exe
Token: SeIncBasePriorityPrivilege	4424	mmc.exe
Token: 33	4424	mmc.exe
Token: SeIncBasePriorityPrivilege	4424	mmc.exe
Token: SeDebugPrivilege	5944	taskmgr.exe
Token: 33	6804	mmc.exe
Token: SeIncBasePriorityPrivilege	6804	mmc.exe
Token: 33	6804	mmc.exe
Token: SeIncBasePriorityPrivilege	6804	mmc.exe
Token: 33	8396	mmc.exe
Token: SeIncBasePriorityPrivilege	8396	mmc.exe
Token: 33	8396	mmc.exe
Token: SeIncBasePriorityPrivilege	8396	mmc.exe
Token: SeDebugPrivilege	8584	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exetaskmgr.exe

pid	process
2708	iexplore.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEMEMZ.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEmmc.exe

pid	process
2708	iexplore.exe
2708	iexplore.exe
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2268	MEMZ.exe
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2268	MEMZ.exe
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
2268	MEMZ.exe
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
308	IEXPLORE.EXE
308	IEXPLORE.EXE
2268	MEMZ.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
988	IEXPLORE.EXE
988	IEXPLORE.EXE
2268	MEMZ.exe
988	IEXPLORE.EXE
988	IEXPLORE.EXE
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2268	MEMZ.exe
1096	IEXPLORE.EXE
1096	IEXPLORE.EXE
1096	IEXPLORE.EXE
1096	IEXPLORE.EXE
2268	MEMZ.exe
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
1916	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1996 wrote to memory of 1572	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1572	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1572	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1572	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1864	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1864	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1864	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1864	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1732	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1732	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1732	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1732	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1652	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1652	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1652	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1652	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1324	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1324	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1324	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 1324	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 2268	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 2268	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 2268	1996	MEMZ.exe	MEMZ.exe
PID 1996 wrote to memory of 2268	1996	MEMZ.exe	MEMZ.exe
PID 2268 wrote to memory of 3060	2268	MEMZ.exe	notepad.exe
PID 2268 wrote to memory of 3060	2268	MEMZ.exe	notepad.exe
PID 2268 wrote to memory of 3060	2268	MEMZ.exe	notepad.exe
PID 2268 wrote to memory of 3060	2268	MEMZ.exe	notepad.exe
PID 2268 wrote to memory of 2708	2268	MEMZ.exe	iexplore.exe
PID 2268 wrote to memory of 2708	2268	MEMZ.exe	iexplore.exe
PID 2268 wrote to memory of 2708	2268	MEMZ.exe	iexplore.exe
PID 2268 wrote to memory of 2708	2268	MEMZ.exe	iexplore.exe
PID 2708 wrote to memory of 2656	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2656	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2656	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2656	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 3000	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 3000	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 3000	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 3000	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 1932	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 1932	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 1932	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 1932	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 1704	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 1704	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 1704	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 1704	2708	iexplore.exe	IEXPLORE.EXE
PID 2268 wrote to memory of 1756	2268	MEMZ.exe	cmd.exe
PID 2268 wrote to memory of 1756	2268	MEMZ.exe	cmd.exe
PID 2268 wrote to memory of 1756	2268	MEMZ.exe	cmd.exe
PID 2268 wrote to memory of 1756	2268	MEMZ.exe	cmd.exe
PID 2268 wrote to memory of 2808	2268	MEMZ.exe	regedit.exe
PID 2268 wrote to memory of 2808	2268	MEMZ.exe	regedit.exe
PID 2268 wrote to memory of 2808	2268	MEMZ.exe	regedit.exe
PID 2268 wrote to memory of 2808	2268	MEMZ.exe	regedit.exe
PID 2708 wrote to memory of 2520	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2520	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2520	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2520	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2576	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2576	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2576	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2576	2708	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2656
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:472077 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3000
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:865296 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1932
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:472109 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1704
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:3355694 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2520
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:603192 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2576
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:996395 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:308
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:1193020 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:988
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:406668 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1096
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:472212 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:3421260 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      PID:3872
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:3748942 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:956
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:3421310 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4024
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:3617924 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      PID:3188
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:3749010 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:3814524 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2808
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1916
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1876
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:3620
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3688
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4516
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:4520
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1020
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:4744
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3788
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:3868
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3232
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:3084
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4944
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3228
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5576
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5392
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:4424
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4152
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6940
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7008
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:6236
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:6336
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5944
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:3516
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:6176
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7216
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7920
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7280
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7536
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8056
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:7552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6588
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:6676
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3896
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:6804
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:7728
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9200
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8380
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: SetClipboardViewer
      Suspicious use of AdjustPrivilegeToken
      PID:8396
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:8664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9112
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:8584
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=mcafee+vs+norton
    3⤵
    PID:9116
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8956
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8204
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:7464
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8600
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: SetClipboardViewer
      PID:7344
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
    3⤵
    - Modifies Internet Explorer settings
    PID:8340
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8340 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:8244
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    PID:9732
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
    3⤵
    - Modifies Internet Explorer settings
    PID:9848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9848 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9948
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=g3t+r3kt
    3⤵
    - Modifies Internet Explorer settings
    PID:10100
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10100 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:9528
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=what+happens+if+you+delete+system32
    3⤵
    PID:8796
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8796 CREDAT:275457 /prefetch:2
      4⤵
      PID:9448
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:9764
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
    3⤵
    PID:9904
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9904 CREDAT:275457 /prefetch:2
      4⤵
      PID:8500
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    PID:10152
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:9592
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
    3⤵
    PID:6352
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6352 CREDAT:275457 /prefetch:2
      4⤵
      PID:8768
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
    3⤵
    PID:7768
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7768 CREDAT:275457 /prefetch:2
      4⤵
      PID:10348
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:9504
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+buy+weed
    3⤵
    PID:10584
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10584 CREDAT:275457 /prefetch:2
      4⤵
      PID:10864
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=what+happens+if+you+delete+system32
    3⤵
    PID:10792
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10792 CREDAT:275457 /prefetch:2
      4⤵
      PID:11196
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:10920
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:10312
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:11028
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus+builder+legit+free+download
    3⤵
    PID:6484
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6484 CREDAT:275457 /prefetch:2
      4⤵
      PID:11504
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    PID:10452
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:11592
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:11392
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+create+your+own+ransomware
    3⤵
    PID:11648
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11648 CREDAT:275457 /prefetch:2
      4⤵
      PID:12236
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    PID:11828
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      PID:12004
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:12128
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:13252
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:13084
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:12964
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    PID:12452
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:13692
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:14752
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\System32\mspaint.exe"
    3⤵
    PID:14988
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    PID:15204
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:15060
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:10992
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    PID:7840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1df4559dc042f51453d31bbd6d406cac

SHA1
defff321b0e39935b0281192bc732a47edc22d84

SHA256
2e5e6363cb570b2bdfef7476d83333ea9e7699f5418fb102d5ffa795f0536d9d

SHA512
c4a96d6fa0d96e706e89a571ad916c8995cb045bc3d30ac8f83b57c95bc1ee59e983ca42534b24f02ad862959826df6b5aac6f4a1288f5a3fb0eaf873f13f731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
471B

MD5
cea7f7436b62d1aa1808fbf42c7614e8

SHA1
d8530285ce4e6fd1ca352a617263fe26d46d383a

SHA256
dfddd19826ded2ca69f63200f442f8f4dcf9b5ec1dd78e15d74d015c651ba190

SHA512
3c679f47869a4e78c2b7a5a5ac20ce4ae922e4231f2cee533cf44d25e1ee45e848a3fd55d8e4c3d98bbe357ea2b9825dcbab55d9b71d5472d29b9e77aa86fda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
472B

MD5
57fabf8ce960f6516a99cb1065e0f1b5

SHA1
0f06fda5952c1e047f2fdd06a941cde444e7fd1b

SHA256
287c0da810f4506a1fca9807d8457c52631b4f723f272412631a59fdda36d179

SHA512
df597f53035b5dc18aaefbe0fb232e9e2770343319e716a32d416d27be2b4d77e4671786d0e6711549440dda3e68fb122e61c42fc781238cb158d0c4d1546cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
472B

MD5
2e15489eb620ba4779210d523e343152

SHA1
c6674bbf4ad29b2742ab2382f6ce4c17754b05d6

SHA256
04ba2c1f6dde1be4f81cdd43a931f554f357fa751ce75028929f14695995c99e

SHA512
87ea9978c49ce2b715361cdd60900ed5e3a7a589986056f4df3b547ad0168ee3bbe453b0a1a348ce7911a5548bd17cc6918aa88c689b2b46eeb857e2ec9ae471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
cd505b56a69addc95ff873b8c5211961

SHA1
58c166a7bd58f3d81f03753465f1e8781d4e03af

SHA256
7bca3acd9643d10316a31317705dcd5b0ea8043325e4cb0be95d0e5055f83988

SHA512
bf0b5851cdd4ddb07101f036046c18ea853d97e0060f6f31e49a0ca50fca0d5fcd96bb688b010f39b45fa0d09332a565bb4671909098a0416aa995467d4807a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
4af89378abe354994d94db8ec3b25a2e

SHA1
0c0b193451e240d82acbe5422fba0f71c8fea428

SHA256
e6dae0566a1aa32d231f865e8a3732b66c40fde972ba31f247a12a5654d44fdc

SHA512
50b14f07f4e1d0465e3d7a21e6a5bc0bda1669bcde59ef3620fd5fe97e6aee077e61f17b5167de624e91f9b4b3b97bf3178d6f3e31836a1123e86aa0d19e7585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_09E5FD68127B2EBD22C529250B8D2273

Filesize
406B

MD5
c05932eb4cbe54f871a70810b6ba337a

SHA1
67f450c1d67c975a1787f80ad7f362ff375a1d46

SHA256
13650e746b0d9bf291ca7c35cd5b383ad28e29d81bdd26da968677ab58fc94f7

SHA512
c979b92945b17b60efdea3bdf78f504956553d65bc985d0abbc749270170aa69a71ff85ff56220678ffc9f40605ad38f7609f2ae4de1759bfd95f6e9dd3d2d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B115649384851BE6BDDEA6DCEC8C2FEC

Filesize
398B

MD5
86020b97bee22ecc8e628b8684f046aa

SHA1
c25927eaaf54775d93d290e3795748b655ba80ef

SHA256
49456abf0d04fc3c82d52eae14880bd8fd0f531a8860d466f290f1e7c123a1cf

SHA512
b2c3fc5defba9dd994e51ccd3e07a78d3fe1343420392f6f1ea66bd2dddfc7b344adebfaf26f6c87dd3c07b35f9c0b4100d609d26246d9f7a70d71f76e7b3bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c28c0a894c8a2595da1b58d5b18c47ca

SHA1
5c80ffd09fad2d8f5f84bb0c5a65a8b57563c74b

SHA256
f1b78f3cba47a596d7aefb955090030ef88967031d51324cc9ad1c0b2b16f555

SHA512
4cdbe878895dc5b29982dde52fa8a7a43e12d278b2c8a8f8b84fbf9a25c2cd6f28be806bbb35d1fdf46e80a64998a7a5ecb2c77e4d63b30adde7a7c9614c6961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25ec06f1c3490d9fb28f88c0f8905d38

SHA1
ffe3fde3d21d653213662faff93cd1b6f7e3a097

SHA256
94965fb5994d8ce45ac4704998122d29dec127b43a85e89fc79438ff3ac21954

SHA512
7d4790f8c91e345ee8993c972f8c22a723174f192313e024bde68f228a890b4c6641fbfce6b6b376f51038cbe50db4e1709d175c21545cce192c93bf0a16da86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d6aea5338649adc0cb0f8fdee7a9e5e

SHA1
cd7cabd8242cd5432f45020eedc0eafa9186a79a

SHA256
3bb6b4c1bfe150ed8c05b6290bf3fca55cdeb03abbb83d890057d4a4c0bf3a7f

SHA512
d95044dbe7d56463658d066c208ac4e2a3de7b5f73a3d7a4ddd3fdf08c9f93fc2f48b97ceffd0b9c27d7ba5180b08074eb02af81bd4bb26644980f2040ca052c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4ee93174e0c1df2bfc34cb263343150

SHA1
a1df6f6a2c85cd415b046722d8602c77eaf72751

SHA256
a3854ab8d4b10e00daf5e4509f302a04132e1e0018c5a68abacefca0967265a9

SHA512
755637db952d849624cfad0b35337159fa3238ceead6326cab785536c205375b669b6473d66fd60618af51bb5c393a8d997dd80155a010ca2f09c7bd643fb09b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4347d9bb3160e75faa2964a5eb586089

SHA1
542eee630e0484fc60dd46df966241faf8678bd8

SHA256
1b9e3f65491233418f15ef497bc5a7d4d46f074508d8502839b401ab27432e14

SHA512
0d53c7136ad019578eec8331d21755318cbeb02c1746dea045997a71c87b2437df927663655becf1c119bb0781cb5c1433282d4be0329eb1c632e3b1431a0b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ba895978b3e982caaf241a39d964723

SHA1
cef1f3f0642d6240a8f2d33fa826c46bb6a8bd39

SHA256
674fcdaacb7dd6f00031333b515cd33e4d84172553f680a805095d8591341306

SHA512
f84887d92df35c71bd3b07ab462354737a17f3294abc0c8c3bef4526326a14b1041b868ca9b6352bc7a2765a65591105deeddd7fa2cb7bc5f55f9174bc641461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70203a00dcbf3d442f24b081950e5eb1

SHA1
a9db317b2f1d3956fe93df5c6674c6fcf138e52f

SHA256
3588876a42ec9c099176edde6ae211dca31b9bfa9beee3198fb24c40f66e3a24

SHA512
898eda00478790110f862337c48827939f1c10d9db3a1bce71b6d95c8b2fc96ce569eda4d5c9c8693497b6ee7019244f5fed76348c75758d85e03af6b65f33d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39b911267ca861231b5e3726162e633c

SHA1
1bbf5919a16ed2d1ecce160c5fb24faf6298c5c5

SHA256
be731c49831c7b69728d76a423139914dfd2db2e2a70f2ea992f6f9cffa2d26e

SHA512
8b0d5150abaecd2be81807d3b7c07cde5e6a922f948e56f28a1fd38822f711be3021e27db3ebf5daa458087fd58f08084db8563323a85c09ac8f0ea7742e7717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ec49d0e2413047f7f33144b7cf2b222

SHA1
5e797c1af870cee2bf69f6581ca52f678f7cb931

SHA256
693a71d14f764ad9251cc2d97ae6187aff70de09a6f1332a4f7cb29f662cf1e7

SHA512
6238f6ce800dc068d3f73e60269ce9bd225632639e4e17665e09753091662cf087b940087f5c89eba241d466b7f42a45267de1c0bc9df2af17d31e4e69732672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41c3deee89c92f91f1f322c6196b6dc1

SHA1
1cc3758c9da74508948b5d62bbf88fac46d58462

SHA256
1503619201478a4aeb0006db56b78bf27ae0ac6539ddc8f98bdb1a234f4c46d8

SHA512
3549b56f94e97538e0261d6f611774c177356958d1712df0f6c568bc2227017f97cbe92aecb4f890a5208fa162a8f8f3a75106163915c19e6d015ce36503c5de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4059bd33e2861a808f969962954421c

SHA1
f7c322eb3cc183ce010b213632e6c78b31c1d203

SHA256
dbceff29c9a80df50be7eded62c15826f3c12289fda6c2d97b1b13ff3ab1724e

SHA512
e2236d2aaf295254d46e33203426555b919aec870407390fa08f1e81796be9e0ed681e349dbdc6e14ed05e5004444eb4d77b4ccbcf24addcb1c6f4dbcee417e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
257257218c766ec201487ce2444ba9b5

SHA1
cd3a407f0ad4c341582926161b720884f09fca26

SHA256
b95b6f798b75a7f6aa7f80aeb6e0ced9262aabdf1bf54f760053a7b4fb47c812

SHA512
b3551b87a5817b9a2bb100caa0009a563ac9da2e2bb97fe872db88ff3701c64bc871c61cdee8cc305b17a13a7303367407578e9248f164712fe950579c8c63e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ddbc557cf8d0bf44c54150e5c623748

SHA1
9dbd6bb249a9661837c19a629d69794e3e477e4e

SHA256
8571cfaf4d846e7817361c89316c6635d619ad9390c56a2424af4b975aba4deb

SHA512
37c0b23106705905519c4b1bd1dfb4d065e891ce1b243da9d1f7efcb9b81cd55428df0343a29ae73e54c22971db2eb950b3972d552b78a68e9a2912c4ba0f75b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07db74893dbba8691d29a7089e60113c

SHA1
6e462a01a617aaac3f21fcc6c92bf7058e854b8e

SHA256
e78b8b631110ce4c035eb06b54fd5e21b7779a4ed91abb5818b90749211f39e8

SHA512
f38147ff9a596b55b4520b0436f56279fe63d0b68e8ab3e06eebb02085effbced6baf63af17f7ea6a3dd8b258d235b4a922ae89f2fe17c70a226f8abcf1e2363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa82b86ada9250508c693e3a7872a329

SHA1
9c895338729bcf281c61c92ebf4a216ade379f93

SHA256
0b822188b4ee1eaf33c97f746819beb05a61656df2e2e2bd9d95d8a791ea3fc5

SHA512
8cb67ba64733c3f5b395c26bf90ca63c749d4d1a2d978ab61efa619014306ae1cd3f2d89aa3d56ba9f5a36c9992fed45ac3b6b8d95dca4e94c55567f8fb4d4c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
784cd82f3af809a73bd86bbe2b5add47

SHA1
fd6bed27fa62f57308523a414970831d8f73675d

SHA256
6e7ed863b6fedc911debec5d140d804e3300576a1f23c8cd7e1b71557985876b

SHA512
a5b73bb04ca75e86341962155efb772e772cf5125146bfd264c9ffaaa6115a31dc9e1a582d156ce331e2efe1b818f6707a4003f16257c766a84346ff3dd22ea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5c193cb183b5ec472e74c18c778e279

SHA1
3b4d6cbefbb77b149149399e23ad9fb286f733cb

SHA256
d444451abec730b555bc78b3dfffee95dfd6dd2732b6a39f3ad2e050ea4b8897

SHA512
c41d02cebb34c182579b5bb28ad86e02c8263c047c618608b2ae7245366d7cfdfba655cc7bf681803908d9fa816658e5306b4bf7617ff81f3cb3144416e904e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f986749ca3ef0baa1883471306d2557f

SHA1
33a9d56765cde453f76c2d487f852e019b038f42

SHA256
1faaae1d54bb171853f2a4d6b5810866d52021a6e6d270b287e4e9b0dba17bd8

SHA512
0b3895416a5f56fd592d93610b25a25cacb37a7a48dbead292d372c9561e42c3765a8b81505510b9deabd660aab9b77667c663217a7225f30b177e0c4f94b5a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b571d4c75d24e69726cdced0a5fa9c56

SHA1
21799dcabf37bb5ce60fd2623478697c194f7f51

SHA256
e0619d0fddd9ca67d643846bebf2feb867186906b318b99bd2425c7614451c36

SHA512
aeb0c2b6856ab7a68a510cb4bc0e35da04660ea575148e4c56f817854850403a6402ca29d3aeeb211082cfdf6b29e0322c0b753ad1c14400d02eb7fc7acb6973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1014ca73f59f0732a976ff68a4ea4216

SHA1
e5fb5e6dbf458557c45491efaf18dd93957a0a43

SHA256
c8eab8d9915a18691600e46d9f22a45f55e9b0cc49b0f8c12afac8807d515589

SHA512
7e20ba75d971c2dd6871a6f643457f55752c487cbb9493c7a424a6cde6417c92d1eaf8143cf963645f17e67946185998a88f2d20c38336dfafad28312aeed52c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e67e85b63054c77fb80e5eba07f4eb1b

SHA1
08e4c0d9786054f5ef375a704401a191b7d2f975

SHA256
cc69a790af62de09dbd21087f6ce11282889a1fd91ff7ac7aea5c7156e7e1f34

SHA512
5e2e745f96653ca8b9029fd0a83958067118553c3e244cf27c9d63dcb06b8ea28ddd599fc002d9b0b582a1900f8d31072b46d404d96b54739fa8163329831a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c92e1e3880a2461de351d32cc2fe1b80

SHA1
8bbb0b1d459e4d8e65d359ff6ee6b38f6c98135a

SHA256
8f504033abf95bea086574ae26b24558949ce8699bb5ae0af6db2e3189565c55

SHA512
0cd7d080c6432ab1a67db6833fee43081fb986c979e092b4742c06f450f23ce2a547e33988e3abb40153272a5eac921a58885e8188d50640a39c40a496d9490a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe240584a827463efbc44a4a9f79aae8

SHA1
d911ebeda2ad22d0ddeb9901e22e70b393c2edf8

SHA256
0c480fb9da24c730c58ea2d02dc67a9974681934b19e914f4db851b46dda4227

SHA512
6b715ac053534da3775ae9714592a72e3b00e5d96d36404ceb6c70ea8679364adb68a66fed14e3afda96bd8c3efb9f20c4b1e760d1f35d8bd1900ef70649f874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d907321c8ecd69426be41a9bcbd5a81

SHA1
e9d5670251a6d7fc460414e4f29bad29766edeb7

SHA256
a6c9590fbb543ba3eeb24ea448a37857b2634e34af5865b9cb05a4a6aa670781

SHA512
0d66b294d01ec1210f359c694dd66d2a4725d1183a98efffaf4e4875a296f79f951cc81087df7ba8015ee8e5af6d79e9bb9886202203c5e166d5a4b81b530865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38a922174b1f003791e7d77cdf528e43

SHA1
e4b4beb970f52f5eeb893003a8c2c70f54c9fa6f

SHA256
7de1c88fb56110245de4869ac127b3f174cf5f75f8dfbe760ac7b808d126c500

SHA512
5c219e7f6438e894aad43d277c8c7ada2982d7f0248a249283f57607da972641613ecbb29fc418630e50b5a0e12230251a9f0c6bd4653756677638093b56bd3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35105ddfd4ebcad68ed9616f7afc5758

SHA1
6ae1eca860817ddf69d39f524ad0d92d094858de

SHA256
466d388069cf3f143c2ea13d598a561201735405e66d2df4129322a59e2ff146

SHA512
f94e9d2a1014e2972192645b7afae1ae59697d7bc117e7d6fc09cd94af35673554ef8eabd6c2f3f1c37362b28423cea43ee5fcb21bf1e0ba24a4cfe5ba0569d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecef4391d162a60d1a47eafadd7c196d

SHA1
1a673136b3770d0518bb1956e23c3a4f7009791a

SHA256
f7c7b2d39ee57b709c70fd8a97e4d9822af4e8407833be7a1c86a2ac59b421c1

SHA512
28071e67bac95161c1d752c0b9194c858e3f274a6badadcf59046ca090b3ba497e9ea1c004ea39663a4ad4cbd38e2bd2f763ab48d5614014db2286213ce49def

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c2e13a8d8f1b0c86dd3dcb143814bd6

SHA1
d13405c0734d7588c7d25c4990d45c9d2ab21be4

SHA256
57405ca4758209f6170a4e942bd35048455030d43d5986a78d4aadaa2325b45d

SHA512
9aaa807dd040f1a3bbb71e1ee0699771647635be809810196c365513e97ad13a920f7be3fdf6a83baf9d498b7cc1ca9be939cc9ea084aab9dabaac2412d8e93b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a113d8b1afad2454e34c57a97f301868

SHA1
d2340d2af18236d1e4b15677223127db324ef6a2

SHA256
d53fe35c45bf5ae1e037f165aab55b72f51f2cc111933e6569a64e61ce536411

SHA512
f35e5730242436549219df6136e7e7de23e6331e28c374022a7bc2b2d9077f5a0567cfa748ce677a69752d4d9425cc600a4fc59aed6efbe6bb515d230b7f1983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbccbccfd4b654ac7495bcc94700d88b

SHA1
7fc8a7ed2b0e5a10bb002bb76bd31ec2603f1ef0

SHA256
f97eba1117220dc55d2e4e6f0883807a7415733a1e9c1a1da96a58f9fb3c7bd1

SHA512
c6ad0b4575bc0a63074e44bf106325ff03924fa0d8752d8e3edd5ae4e207b3fb079aaa602611c05e485cc4a5533c25c1416358a50b1770d4b7e326caafbe6c3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feb4c0c57d6df59d8f1c9e72f4d75325

SHA1
c59737c0bd485b8e39f9a9bb63960950d3924051

SHA256
e06ea681fc7ab39628ad6a172b3abf8d9e52ccc58d175e2f02a7829d53de46ee

SHA512
2a1ed9bba38921b132fe19bd2681b6b5c6c063534a8b6a2e2b088a943ad82a6b33cd38e629551c5cb7bf848ce608be30d1d029fc1d3a302f7cbfcd15b28a3e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c56a057fbec3eae76ec6c4d10a7bc89

SHA1
7e08fd43c1264fa1763aa34f7e8a2daf850d95bb

SHA256
bd83aa7b3e6e15309507511d868d4312b14315d6c92ca0519c076c9cc52c09eb

SHA512
af9c03c95006a8865d2d298592c817f5f17ec32f936e294e4e019adc81235b75aeba7c0524606bf95b93693edae91670c69910a47206f99f1f5c8eac310e0c02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbd78c33ab2c58d492ded70eeaa96954

SHA1
356d988cb47b12a6c8efd576dd7b29e811aa4b9d

SHA256
d20faa3d7f20e572cafb2bc35e52149463ff9d65c8b3b66a38b4b691f3c7c2ad

SHA512
401729c177affd2cf7d265c38b90eed2e1a88490b2f4670e190b17a412f4c8bbdc238dd8d144b0f8c9f66572f5aa5617e0e54207ce6d20a53836d1ca086e5c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea553ed5cc02157e45c7c252a40bf0ad

SHA1
727f0ddb7fea05afab5ff0795875fc0f3a296b14

SHA256
a633ca98f815007c3dffe5ffd13f4f47a7e0e73a1460b5aabae84c832d89546a

SHA512
f9b35f0363a69c14d40d2447c07dfef1884b053909e5a201e9fa5dd16f058ef43521c2663fd86e3e7b34c5b56f42559f7d68c4d4d33a5b02578937cb0dc8bbf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c75a63c557c9ba7ab37ce6ef682329aa

SHA1
86dc84de03ecf68d476100277898cbfa216e7f8e

SHA256
5ee6c94839af8272c5e5cb0dcc8767cfe8841bf789c6aa8c0ce7372db07146b9

SHA512
84340c24babd7f302f869ca942d8eec216b88c00f0319e2ddee278a61300f0ac7e0ce6f351090129820b26d6de74c7b6de4b93058cfc175c1716a35b48db4a03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55402b8917013f41549850a386477443

SHA1
ef49b46cdc3ccb1bdde7e3e6ee7e71f2cb1bd48b

SHA256
14e62ca2f47026311cafb59dd31b3e2e71768f0493adda1da82e9b2f2ef7408f

SHA512
685e441de68e9695dadb4e4fd01a5600cfde60e753b0531ccfe08bc66fa8fdccdf106b90890255807ace86d0ba28f56a4cb3da17029dc3afb8d05230e58f7f08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0b03fea2193b6f7e0503a3013118d53

SHA1
ab841fbd7e2a8a6feb1920690b76a1fdc378e914

SHA256
fce417820419cd5d32a7ac828f474538c6778dce9426fec2d9c504e831fb2469

SHA512
45efdaee451a43c4d5ce121dd50282e5f868da6565fada185bb810d6f2e894963277ba5c934c1265bb671d5a851d72ecdde6520bb2881533598101460a1f5780

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe412ceef41d30b7202cba541e209507

SHA1
88cd52016a2abf471ab2818e409b535d0bc5391c

SHA256
7f44ca8ad0f7bfc29d36db09413c249f84c4f8b47313651c3d088cb5d955d6a5

SHA512
c79f7f5c0b7babe37f53d0991e289cdec0ca17d491b7a195b06be8ccce697bad82c47d929c62251a1a14997541c87e75afa87975ace19a5bf9b9628c06dae07d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9164678e6712937bfa05af37b4550da9

SHA1
0847829f57f6ab3fb69d6be46dc4d7b8e0e0de54

SHA256
d3d77f8b2bcebdee1d3a5ce9ea4bfc769a07584e81328250f486e5864e89ce69

SHA512
9af248f8e540a4ee3d1dd1f71a5c0226428248fa81150cba539d77bb72748429f1073dbcd687ab15bbbeb5507172ce20ffe0318a61d911daab7c88694b537fb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dc5d9c2655b16b2b211daccc0877b3b

SHA1
f42eda1aa1f547639c2e3b671a175cdf3a0ad2ee

SHA256
9b7a09b955582b503b8e4a7e82a012c8816e095541cadcd3bdc1902a0eeb3f43

SHA512
dfc75a57ce94f8e2bb74169c0176e8676c5028f3a1730593b80ee999b36035e82fdb007b260b4c7f54e3f70dabeac7cdcb006b728ffc679852a1a290201b322d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8061491e413c5b6ed8d4baf3e11cb8d1

SHA1
27fc6e1c3ef747b90582bda1b47fa71c8be3aa83

SHA256
669d03d3129ce542684e495cad48325df0dd512f179ee52b0b096eef0d2fb9ba

SHA512
27c166ead751ede5457c2a90864123789ec223fc3bf7b528113221818b3990481da33f96f206d21d0169a8cb7d7c1e8fc9dc7979317c6f1238afb1f5e3dac8e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
690338492819072fd4fb6c57402d8871

SHA1
1ab82cf52e3b4e5f39c1ee765a321591a8624425

SHA256
fad07d37581ca236ff025daff69a8ca4c66e4f69868dc74765e28cd655b23375

SHA512
e9211021002f4677b66f42594eefc7634dab411691bbd121c0dba80f08df49902358db732de9c7801100c8bf17583cc69258b5520d5c74f1a4d8196c8e805c5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ca01ecb335d4e649e54262ae545f5ea

SHA1
72de10830b01d13fe502fec06c5ef7be999cd1c7

SHA256
e00ba64638e4a6cf563cfb22d17904bccee3402d39c7169e14e93937aa8a53d1

SHA512
8592d73e8ac0bc0c6f73c4ffa614ead99dd7a5b0ec321b833a37a1c319e2df680bf351c8c125a6f9eb599a78a23a2fdc3e574d672a5315cc31da4106d3dd8806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fe6d5bfd3e020281aa41a66a0a477b2

SHA1
71177eaa6980dba39b8527fdd2ea7010301b2255

SHA256
e6c78bdc768217b7597eeff1082e39d4bfef0e591d9230e5c6dbde6fca477510

SHA512
2dc79378968f16d413b48a882721ed7ca6bb6f2500cd88e17a5d17d2077eefc9d6a8173c41c74057c27c3ef743be5a577e6c16952a83cc682222670fef88069b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e117c777df6e365e547f64a33f6c4498

SHA1
1ed3a8cd274e01131a1c948c94d3e8f3a852681d

SHA256
d61d3ae77b66c8c8aef357eb6f93a72be437dc8cfed9d7576ee3df3704df3557

SHA512
eb2ceac0d1ddaf8454f6af25c3fc555c4f2f37fd66f7150c3b589f0a7b275dd91f0e554005b5cd50af6331dc1ae3712bd875c95b6946b9133979f3c741388dd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d57d1b5403d22ce05f724130839f84d

SHA1
6e2c77c2d09c3a52930c8e28b40493db8a5afa35

SHA256
85ed6e7ef779b44a4b196e421310dd4bdd5d03ab20b5a9d91ddbb234e1c436e8

SHA512
b5d91b5acdd4f8380e2907224a71291a7de336b95bb1cdd444b109f2526be573f3d134c915787df554fc4f164a4394a4bbe4d9daa1dd6667ef36e05de50f4ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
878e337cc5282f8c4f88e577b2eef286

SHA1
4041c5aeeef5901fd796df162dd0f2e5d3574e55

SHA256
282484ca14c22f701eae1d615b93ad235594c8dacba3bf56601477ddac2fefc6

SHA512
b01f613c62883325c7df56f32c835bc367f0542e4adbade0a3ba5854bfe0b08c51b590967ade146519d1de89889d417f1eaf762478d48206ba3eaea61aa5d7e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
546385a354101a399c44009825705c05

SHA1
b842823b901773efd11a9e612b22084fb77f7dab

SHA256
d32e218d9622f65b678c11e0707444a78d7cb57096de079e5f6cdc4f24ad4632

SHA512
870620f3ce4a022e9edb2273276de99092b4cd4911ee6a89d0cfbb06125cdcb0ac84381424cac3c0c485461ef62871a1af96af67f8ceafa71c5dfb084fbf521c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8da18d0582e7ff569a03c1900b8d06ba

SHA1
25b6f5c47c92a30b1d691a79726c797b068f0697

SHA256
9566eda7d4f9f6a8ed8c7bb7d0b8ff0b25e3433197aec3b6f35f4359cacbbc5b

SHA512
1f01766074b8f7458368409f4dc7c60ae6fb920b41ca7e335ee334cba33db8e0b7b8e1b27b3f170b2706db19980c9251bf1ee1d0b91612bfd108dbe2cdd015f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a60201b3a0b3de2f1542a8dad2d588e

SHA1
9b580e352309ac9971e37ea547bb57ab03b5faa6

SHA256
28a397a53d00e67debc2920742d78c5e1c526a73050cd600e40994cc95f206c3

SHA512
f24bbf260515eeea6fb2f5ecfc6e53f90a4773b3796de2d4becaea93662edfc7446e56fbed5ae87346fbaebdee3efd144102a2d62cdd986667b93080385ce77d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea4263fd3de2294a33a5852aff6d6f5a

SHA1
eb768c195e6e09a1a4bb1f2984d6e1dc7b15abcd

SHA256
5371dce39a92f02f4cd24b0212851772f750bc6298a1c9546b71fb800d09ec58

SHA512
42e2d92a5860fe75720e1be3c7b9b4d3df0849840c5af9d0168faf678d5c6840a2dd0f07f2c852e5adca2686e04015bf2fc65bd9734029eecc4ac7be1f7de2f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3756c4c9acf7450154ddf369205347de

SHA1
bd7a661223e3fcb09e1120d1554aeaf1682e1a9a

SHA256
90ed1fd6e76336880bfe05bc720377bd7f012c4e711db76734f2a4ab089f077b

SHA512
86e7d4785e31eb98acef7a02d9e2fef06460ebbedfb4008f8b8872b885e142d67d885146b1e52328025b20f51ad196bdb246d1cae56a85fe577dcf0f56a14134

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
183c294763ebf2e8eb5e7e74cd0e4466

SHA1
1c8e0090bd295e0190d95bf6f8cc47c50786064b

SHA256
21dd828e8f254990ffbafd189bf6e5b5c9afdc36155e3f44e10e430252b265f6

SHA512
95466bb496ecf3b7c01514851cba6244b9350a6f8dbaa68adabf2d3dd329487490577107b2e0b972d06a24a19add7e1f3d7f54df7a955b874965cec1175272b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01ef54d4441dd2a6b9cf1249a0253279

SHA1
8f9a58d205ed33ede726b2e95f15b03be747d065

SHA256
bb3200131833a1952b011079238beac85532bcd15e9364134bb0c0b2ab793819

SHA512
418c4993a6b9c4ae9d40ac2ea819d8c5afbcf2aaef4a3f9a3df1d43e62d58e661e327eac03ba8c8571ecf962836bb27c0392734a87857d7c07c6de05ea903ae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcb7829ddb8da3af80e8a82b69b205c8

SHA1
46421589f3479a767d65e528af86ddf361f68fd0

SHA256
88adf546645611ec3f470fd4e05dc59e19ae7c16fa27675d1ac042fdb395a4cb

SHA512
0de9b7110863fea323b17dbd436ec750feb13c8ca9021f57fcd199c51ad413957c9488096187785f8a7bd3ea173d6f9da11e492485aa0f387a8ec80f38d9c67c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635

Filesize
398B

MD5
739f7849ae4d043ed27789837fea094d

SHA1
c77637e405f7b0a8b5619c560f481b1457e4f35b

SHA256
5fca1cfa51bc634fcb225eee58f94ff49e97568558540a57e8b192117ae15883

SHA512
3fca41ff28a9b45f70a17fdbd81d61ffd9535e02094d7d0ae687a1a2eb71bbd3142931ca9104fec2fe011bf9db5dac6ab1e3ffed510c3b19d261f61555d78b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\BMH3237K\www.google[1].xml

Filesize
99B

MD5
7373e37d92b2f1e1c3287df80d1fce91

SHA1
61d16afd71351783f26a15291f9ab6eee71d88a8

SHA256
a1c32169d4a0d70ae211a31dfe572c6abcd1d837cc63599870297394601938fb

SHA512
809a951945e269e32da71027a1a8a40fcfc70e249d1d68148f1397c356f835f5482758de06be99fe85826fc28e0a57c89880e78502e3249a7651e83bfd3e12e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6106488-73B6-11EF-B594-F245C6AC432F}.dat

Filesize
5KB

MD5
2a95b102cf4d34682803d0b605a05f7a

SHA1
6b4b970afbbf867ac0fe97b5f415fe9fc4c791a0

SHA256
e0f05feee8b2c7dd65271d30b4bfddbf96edf49632974814dec7674a79c3e536

SHA512
2c457ebbe3c55d9d66b5584578ed28d839aaf3e461db1c6d75fa86e19c7450c45d65265a487edeb741be08d21629263acaef5d10340351568fe291e6547ee9c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D02714D8-73B6-11EF-B594-F245C6AC432F}.dat

Filesize
5KB

MD5
235935694133d363467479568cc721ca

SHA1
f340c022e55ef343281b4dd877e75f0c79a1dc3b

SHA256
bd3af1e6ed255d3b77d0ad869376ae9c263a451fc7ca05e68a5bf6f245b348ad

SHA512
e111bbd48438759ff352afd50cd1c19e58e0e12acad9efa65e6da5504a2f5bfe952d3dd39398bbadf604ba0869c61fc4b1dccc2207f1dda4ecd96469f4f141b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D41250F8-73B6-11EF-B594-F245C6AC432F}.dat

Filesize
3KB

MD5
6899ddcabf8813475bc18d0065b0eaf3

SHA1
2a583f8a02e6136330846c4de596ae20ee427c97

SHA256
e376a6479ece236111cf8ac369254500e064962c96fbdb92c3d9c70addd9db6f

SHA512
a51b4a964028e2964b1978febe15f65275d771ce25404d208c056b7cb592d6e44347643c9a8d79fd041e3fad2f6e3521c481f43635821be8dc16f9fa86d7dce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8C88828-73B6-11EF-B594-F245C6AC432F}.dat

Filesize
3KB

MD5
d48b50339d7825cfc061191ef674a21c

SHA1
b085b4784886d4cf12d0825f13a978f19236086a

SHA256
7dfec33cdffe4db926ef3cc7958d083a0115d9fdf551efcd8077b06323fceb9f

SHA512
a2966514dd1e5ca3155eeaa34846cb4764b76bb6864bc4f7088ba9850887b4c52ec43d2b2648610485c2dfed36993ea4e699d3c6ed84eadbe1218b1600494c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FD32F491-73B3-11EF-B594-F245C6AC432F}.dat

Filesize
16KB

MD5
86cab0e336c404eee2875213148f298c

SHA1
61979ce0edbe364aa8b7c74e6350a85012046453

SHA256
ccad4ea3c79994680c61e092226f19e4d06d8d44ce575faf9f5ea07f6bf51b57

SHA512
fe4cbaae730a4a3946da98736ad78e020da937836873ac150660c44bf19ca402105c6fe7d65ad11d7e6d866ed8b3b89da7b7a96069c8e0c44ac5f46e1477eb46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
5KB

MD5
9a72bcd4f7b545be728ea1e13f76ca60

SHA1
c7fea7a2337e71e46930b6e0236c772c0f3c92aa

SHA256
edfefb288caf24329097742fe60a90c6a65a6f0a9edea5bec12d52828ff641bd

SHA512
988075c1a0b884226dd27f9109fc654035f603a43162c4d477ecfc1f68084c0d569e138e14955965c2df5421428d35ff7df20205bbd2297576ec07fd3e059400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\recaptcha__en[1].js

Filesize
537KB

MD5
c7be68088b0a823f1a4c1f77c702d1b4

SHA1
05d42d754afd21681c0e815799b88fbe1fbabf4e

SHA256
4943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3

SHA512
cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\NewErrorPageTemplate[2]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\webworker[1].js

Filesize
102B

MD5
ad5e6a567d064cba36f2a56caab2d866

SHA1
a3b46ea0ca5df5a6b6ab6bb228cf805065523cd1

SHA256
e70942d2b905910af2538c685c2223c25e5068bfbccb9742cfa5ffa48150d291

SHA512
ba45b3d74c0d2e0ac22bc97bacb6df549d7a4eae8d64050af41167376926f4379ccb6be84a666ba615caa7c5ee6838f98020c530f5c2ce51f71dad369d130681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\-HiUwdQxDKLzt71CPYD-hKnPnujfGhcYgWkgX6BRpVU[1].js

Filesize
24KB

MD5
242324a437f1e8dfa268b1be80e57fdc

SHA1
2198c8b982542d263d2df13efc9e476563b5874f

SHA256
f87894c1d4310ca2f3b7bd423d80fe84a9cf9ee8df1a17188169205fa051a555

SHA512
74d8caa815fbae1b8510c883da00cec7f43fed56890c50eb24e44d281e31d9579b592553be87d2ce8ccb04cb2e3f78eaa8889068762fa36b1143b85cb21f3410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\api[1].js

Filesize
870B

MD5
db3f5a748364d84b2b5f75e3d4e851d0

SHA1
17b34ff20d429abee726b4b74530e5af2819f7bc

SHA256
343ed5ecd144d781de67aa8638b1ca4fce5772faedbb72720daacb250884f4e1

SHA512
3ee552fff8e93097120367c7f5f6aed88145150d706349542e8800e65722f4e6507bc0802e41a305cda56aaf4bcd40c036ad7a4d2aabea9dc70f908bf400dd90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\lKPp_8x8SVU7b6KN44fvdWMof2HELUnUniMVUZmLxyE[1].js

Filesize
25KB

MD5
d79fe6b03d76ee6e31126e039d9e14be

SHA1
e0053872adb800706efe2d5bd425e27a9afebeee

SHA256
94a3e9ffcc7c49553b6fa28de387ef7563287f61c42d49d49e231551998bc721

SHA512
30c9ccdad80c81807da0045df2d950d5c1dea51a475597ecccf36ba3b69025412e5fce1d640d6c5b8cbfb7a517ca0d1195bcfecebbc593c19e8eb77fd9373da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B5D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B5F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF9D0A3143B1704B30.TMP

Filesize
16KB

MD5
bdd9803d5ed64de9f02e2072a95e5026

SHA1
ec74b54457e12bfd849283f6d692e9fe8a537334

SHA256
6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603

SHA512
a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XN3HNPAB.txt

Filesize
406B

MD5
dcfa4f2709f3788e422a6e5bd9ddc765

SHA1
a55511f34ee758b75e0aeb47d74365f621253a3f

SHA256
c9924896f19f0bb10550119403b9b77ab772a62c2bea75638fc283312bbbaf73

SHA512
244e84b3ff67c465663b36467c40e46953bd74cac6856f47306e8e37b550370208a2efc6c72ebbc4d99d4effb3753f5ee8c7b985dd51268c16b27c51a82d1490

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
c902e363a9b09c7001d7c9b0915cf609

SHA1
1d0c979a07ccfc41dfcf11f7493d18636439b6cd

SHA256
8ba87f21c5aa0019f6da90a51201315351974ca68ef3b92014fe348ecf24b988

SHA512
10c22dacdbe655fdd2980c664c69c9856cce8cd2ed57f5c179ec734bc66295bdb8d20208a9e13156d6ff2f9f0a5aa8774be9f67e06aabbb9f0bd98448e0af946

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1876-1202-0x000007FEF63A0000-0x000007FEF63DA000-memory.dmp

Filesize
232KB

Download
memory/1876-1374-0x000007FEF5D80000-0x000007FEF5DBA000-memory.dmp

Filesize
232KB

Download
memory/1876-1109-0x000007FEF63A0000-0x000007FEF63DA000-memory.dmp

Filesize
232KB

Download
memory/1876-1213-0x000007FEF6360000-0x000007FEF639A000-memory.dmp

Filesize
232KB

Download
memory/1876-1440-0x000007FEF5D80000-0x000007FEF5DBA000-memory.dmp

Filesize
232KB

Download
memory/1876-1299-0x000007FEF6360000-0x000007FEF639A000-memory.dmp

Filesize
232KB

Download
memory/3620-1439-0x000007FEF7ED0000-0x000007FEF7F0A000-memory.dmp

Filesize
232KB

Download
memory/3620-1214-0x000007FEF63A0000-0x000007FEF63DA000-memory.dmp

Filesize
232KB

Download
memory/3620-1300-0x000007FEF63A0000-0x000007FEF63DA000-memory.dmp

Filesize
232KB

Download
memory/3620-1373-0x000007FEF7ED0000-0x000007FEF7F0A000-memory.dmp

Filesize
232KB

Download
memory/3868-1442-0x000007FEF7ED0000-0x000007FEF7F0A000-memory.dmp

Filesize
232KB

Download
memory/3868-1375-0x000007FEF7ED0000-0x000007FEF7F0A000-memory.dmp

Filesize
232KB

Download