Overview (score 10)
Static (score 3)

Tasks (sample, platform, score):
eeeeeeeeee...00.exe    windows7-x64   (none)
eeeeeeeeee...um.exe    windows7-x64   10
eeeeeeeeee...ug.exe    windows7-x64   6
eeeeeeeeee...le.exe    windows7-x64   3
eeeeeeeeee...er.exe    windows7-x64   7
eeeeeeeeee...us.exe    windows7-x64   3
MEMZ 3.0/MEMZ.bat      windows7-x64   7
MEMZ 3.0/MEMZ.exe      windows7-x64   6
eeeeeeeeee...MZ.bat    windows7-x64   7
eeeeeeeeee...MZ.exe    windows7-x64   6
eeeeeeeeee...ld.exe    windows7-x64   3
eeeeeeeeee....A.exe    windows7-x64   6
eeeeeeeeee...al.exe    windows7-x64   7
eeeeeeeeee...15.exe    windows7-x64   3
eeeeeeeeee...al.exe    windows7-x64   7
eeeeeeeeee...0r.exe    windows7-x64   10
eeeeeeeeee...ro.exe    windows7-x64   (none)
eeeeeeeeee...od.exe    windows7-x64   10
eeeeeeeeee...ts.dll    windows7-x64   1
eeeeeeeeee...ts.dll    windows7-x64   3
eeeeeeeeee...ot.exe    windows7-x64   3
Resubmissions (submitted, analysis ID, score):
15-09-2024 23:12   240915-27aqvsxhjq   8
15-09-2024 23:02   240915-21efgaxake   8
15-09-2024 22:58   240915-2xypyaxdkj   3
15-09-2024 22:56   240915-2wn44sxcpk   3
15-09-2024 22:43   240915-2np2fawhpr   3
15-09-2024 22:42   240915-2m3k5swhmk   10
15-09-2024 22:33   240915-2gqdmawbja   8
15-09-2024 22:27   240915-2de4gswekk   7
15-09-2024 22:15   240915-16esravenh   10

Analysis
max time kernel: 1394s
max time network: 1790s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2024 22:42
Static task: static1

Behavioral tasks (task, resource image, sample):
behavioral1    win7-20240708-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/000/[email protected]
behavioral2    win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Antivirus Platinum/[email protected]
behavioral3    win7-20240704-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/ColorBug/[email protected]
behavioral4    win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/DesktopPuzzle/[email protected]
behavioral5    win7-20240729-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/FakeActivation/[email protected]
behavioral6    win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Happy Antivirus/[email protected]
behavioral7    win7-20240903-en   MEMZ 3.0/MEMZ.bat
behavioral8    win7-20240903-en   MEMZ 3.0/MEMZ.exe
behavioral9    win7-20240708-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
behavioral10   win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe
behavioral11   win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/NavaShield/[email protected]
behavioral12   win7-20240708-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Petya.A/[email protected]
behavioral13   win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Central/[email protected]
behavioral14   win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Defender 2015/[email protected]
behavioral15   win7-20240704-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/VineMEMZ-Original.exe
behavioral16   win7-20240708-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/WannaCrypt0r/[email protected]
behavioral17   win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Windows Accelerator Pro/[email protected]
behavioral18   win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Winlocker.VB6.Blacksod/[email protected]
behavioral19   win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/AxInterop.ShockwaveFlashObjects.dll
behavioral20   win7-20240729-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/Interop.ShockwaveFlashObjects.dll
behavioral21   win7-20240903-en   eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/YouAreAnIdiot.exe
General
Target: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
Size: 12KB
MD5: 13a43c26bb98449fd82d2a552877013a
SHA1: 71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256: 5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512: 602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP: 384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Malware Config
Signatures

Executes dropped EXE (7 IoCs)
pid    Process
352    MEMZ.exe
1968   MEMZ.exe
1408   MEMZ.exe
1524   MEMZ.exe
2920   MEMZ.exe
2600   MEMZ.exe
2952   MEMZ.exe

Loads dropped DLL (64 IoCs)
pid Process 352 MEMZ.exe 352 MEMZ.exe 352 MEMZ.exe 352 MEMZ.exe 352 MEMZ.exe 352 MEMZ.exe 352 MEMZ.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe 5424 taskmgr.exe 5424 taskmgr.exe 5424 taskmgr.exe 5424 taskmgr.exe 5424 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe 5424 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe 5424 taskmgr.exe 2516 taskmgr.exe 2516 taskmgr.exe 5424 taskmgr.exe -

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   MEMZ.exe

Drops file in System32 directory (6 IoCs)
description                    ioc                                  Process
File opened for modification   C:\Windows\System32\devmgmt.msc      mmc.exe
File opened for modification   C:\Windows\System32\devmgmt.msc      mmc.exe
File opened for modification   C:\Windows\System32\devmgmt.msc      mmc.exe
File opened for modification   C:\Windows\System32\devmgmt.msc      mmc.exe
File opened for modification   C:\Windows\System32\devmgmt.msc      mmc.exe
File opened for modification   C:\Windows\System32\devmgmt.msc      mmc.exe

Drops file in Windows directory (9 IoCs)
description                    ioc                                  Process
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
File opened for modification   C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wordpad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wordpad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wordpad.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language calc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mspaint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language control.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) 
\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage 
iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe -

Runs regedit.exe (11 IoCs)
pid     Process
11624   regedit.exe
12784   regedit.exe
2960    regedit.exe
3264    regedit.exe
5160    regedit.exe
6920    regedit.exe
13132   regedit.exe
4444    regedit.exe
5704    regedit.exe
8696    regedit.exe
7908    regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
pid    Process
352    MEMZ.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 1408 MEMZ.exe 1968 MEMZ.exe 1408 MEMZ.exe 1968 MEMZ.exe 1524 MEMZ.exe 1524 MEMZ.exe 1408 MEMZ.exe 2920 MEMZ.exe 1968 MEMZ.exe 1408 MEMZ.exe 1524 MEMZ.exe 1968 MEMZ.exe 2920 MEMZ.exe 2920 MEMZ.exe 1408 MEMZ.exe 1524 MEMZ.exe 1968 MEMZ.exe 2600 MEMZ.exe 2920 MEMZ.exe 1408 MEMZ.exe 1968 MEMZ.exe 1524 MEMZ.exe 2600 MEMZ.exe 2920 MEMZ.exe 1408 MEMZ.exe 1968 MEMZ.exe 1524 MEMZ.exe 2600 MEMZ.exe 2920 MEMZ.exe 1408 MEMZ.exe 1968 MEMZ.exe 1524 MEMZ.exe 2600 MEMZ.exe 2920 MEMZ.exe 1968 MEMZ.exe 1524 MEMZ.exe 1408 MEMZ.exe 2600 MEMZ.exe 2920 MEMZ.exe 1408 MEMZ.exe 1968 MEMZ.exe 1524 MEMZ.exe 2600 MEMZ.exe 2600 MEMZ.exe 1524 MEMZ.exe 1968 MEMZ.exe 1408 MEMZ.exe 2920 MEMZ.exe 2920 MEMZ.exe 1408 MEMZ.exe 1968 MEMZ.exe 2600 MEMZ.exe 1524 MEMZ.exe 2920 MEMZ.exe 1408 MEMZ.exe 1524 MEMZ.exe 2600 MEMZ.exe 1968 MEMZ.exe 2920 MEMZ.exe 1408 MEMZ.exe 1524 MEMZ.exe 2600 MEMZ.exe 1968 MEMZ.exe 1524 MEMZ.exe -

Suspicious behavior: GetForegroundWindowSpam (9 IoCs)
pid    Process
3016   mmc.exe
2516   taskmgr.exe
2960   regedit.exe
2952   MEMZ.exe
2756   mmc.exe
2864   mmc.exe
2024   iexplore.exe
5424   taskmgr.exe
6796   mmc.exe

Suspicious behavior: SetClipboardViewer (6 IoCs)
pid    Process
2756   mmc.exe
2864   mmc.exe
6796   mmc.exe
7464   mmc.exe
7980   mmc.exe
8972   mmc.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
description                          pid     Process
Token: 33                            3016    mmc.exe
Token: SeIncBasePriorityPrivilege    3016    mmc.exe
Token: 33                            3016    mmc.exe
Token: SeIncBasePriorityPrivilege    3016    mmc.exe
Token: SeDebugPrivilege              2516    taskmgr.exe
Token: 33                            1428    AUDIODG.EXE
Token: SeIncBasePriorityPrivilege    1428    AUDIODG.EXE
Token: 33                            1428    AUDIODG.EXE
Token: SeIncBasePriorityPrivilege    1428    AUDIODG.EXE
Token: 33                            2756    mmc.exe
Token: SeIncBasePriorityPrivilege    2756    mmc.exe
Token: 33                            2756    mmc.exe
Token: SeIncBasePriorityPrivilege    2756    mmc.exe
Token: 33                            2864    mmc.exe
Token: SeIncBasePriorityPrivilege    2864    mmc.exe
Token: 33                            2864    mmc.exe
Token: SeIncBasePriorityPrivilege    2864    mmc.exe
Token: SeDebugPrivilege              5424    taskmgr.exe
Token: 33                            6796    mmc.exe
Token: SeIncBasePriorityPrivilege    6796    mmc.exe
Token: 33                            6796    mmc.exe
Token: SeIncBasePriorityPrivilege    6796    mmc.exe
Token: 33                            7464    mmc.exe
Token: SeIncBasePriorityPrivilege    7464    mmc.exe
Token: 33                            7464    mmc.exe
Token: SeIncBasePriorityPrivilege    7464    mmc.exe
Token: 33                            7980    mmc.exe
Token: SeIncBasePriorityPrivilege    7980    mmc.exe
Token: 33                            7980    mmc.exe
Token: SeIncBasePriorityPrivilege    7980    mmc.exe
Token: 33                            8972    mmc.exe
Token: SeIncBasePriorityPrivilege    8972    mmc.exe
Token: 33                            8972    mmc.exe
Token: SeIncBasePriorityPrivilege    8972    mmc.exe
Token: SeDebugPrivilege              10960   taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid    Process
1344   cscript.exe
2024   iexplore.exe
2516   taskmgr.exe   (the remaining 62 entries all carry this pid and process)

Suspicious use of SendNotifyMessage (64 IoCs)
pid    Process
2516   taskmgr.exe   (all 64 entries carry this pid and process)

Suspicious use of SetWindowsHookEx (64 IoCs)
pid Process 2024 iexplore.exe 2024 iexplore.exe 324 IEXPLORE.EXE 324 IEXPLORE.EXE 324 IEXPLORE.EXE 324 IEXPLORE.EXE 1392 mmc.exe 3016 mmc.exe 3016 mmc.exe 584 mspaint.exe 584 mspaint.exe 584 mspaint.exe 584 mspaint.exe 324 IEXPLORE.EXE 324 IEXPLORE.EXE 2728 IEXPLORE.EXE 2728 IEXPLORE.EXE 2728 IEXPLORE.EXE 2728 IEXPLORE.EXE 2476 IEXPLORE.EXE 2476 IEXPLORE.EXE 2476 IEXPLORE.EXE 2476 IEXPLORE.EXE 328 IEXPLORE.EXE 328 IEXPLORE.EXE 328 IEXPLORE.EXE 328 IEXPLORE.EXE 324 IEXPLORE.EXE 324 IEXPLORE.EXE 2952 MEMZ.exe 2784 IEXPLORE.EXE 2784 IEXPLORE.EXE 2952 MEMZ.exe 2952 MEMZ.exe 2728 IEXPLORE.EXE 2728 IEXPLORE.EXE 2784 IEXPLORE.EXE 2784 IEXPLORE.EXE 2728 IEXPLORE.EXE 2728 IEXPLORE.EXE 2952 MEMZ.exe 2760 IEXPLORE.EXE 2760 IEXPLORE.EXE 2760 IEXPLORE.EXE 2760 IEXPLORE.EXE 2952 MEMZ.exe 2476 IEXPLORE.EXE 2476 IEXPLORE.EXE 2952 MEMZ.exe 2952 MEMZ.exe 2952 MEMZ.exe 2476 IEXPLORE.EXE 2476 IEXPLORE.EXE 2768 IEXPLORE.EXE 2768 IEXPLORE.EXE 2952 MEMZ.exe 1216 mspaint.exe 1216 mspaint.exe 1216 mspaint.exe 1216 mspaint.exe 2952 MEMZ.exe 2768 IEXPLORE.EXE 2768 IEXPLORE.EXE 328 IEXPLORE.EXE -

Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 2556 wrote to memory of 1344 2556 cmd.exe 31 PID 2556 wrote to memory of 1344 2556 cmd.exe 31 PID 2556 wrote to memory of 1344 2556 cmd.exe 31 PID 2556 wrote to memory of 352 2556 cmd.exe 32 PID 2556 wrote to memory of 352 2556 cmd.exe 32 PID 2556 wrote to memory of 352 2556 cmd.exe 32 PID 2556 wrote to memory of 352 2556 cmd.exe 32 PID 352 wrote to memory of 1968 352 MEMZ.exe 33 PID 352 wrote to memory of 1968 352 MEMZ.exe 33 PID 352 wrote to memory of 1968 352 MEMZ.exe 33 PID 352 wrote to memory of 1968 352 MEMZ.exe 33 PID 352 wrote to memory of 1408 352 MEMZ.exe 34 PID 352 wrote to memory of 1408 352 MEMZ.exe 34 PID 352 wrote to memory of 1408 352 MEMZ.exe 34 PID 352 wrote to memory of 1408 352 MEMZ.exe 34 PID 352 wrote to memory of 1524 352 MEMZ.exe 35 PID 352 wrote to memory of 1524 352 MEMZ.exe 35 PID 352 wrote to memory of 1524 352 MEMZ.exe 35 PID 352 wrote to memory of 1524 352 MEMZ.exe 35 PID 352 wrote to memory of 2920 352 MEMZ.exe 36 PID 352 wrote to memory of 2920 352 MEMZ.exe 36 PID 352 wrote to memory of 2920 352 MEMZ.exe 36 PID 352 wrote to memory of 2920 352 MEMZ.exe 36 PID 352 wrote to memory of 2600 352 MEMZ.exe 37 PID 352 wrote to memory of 2600 352 MEMZ.exe 37 PID 352 wrote to memory of 2600 352 MEMZ.exe 37 PID 352 wrote to memory of 2600 352 MEMZ.exe 37 PID 352 wrote to memory of 2952 352 MEMZ.exe 38 PID 352 wrote to memory of 2952 352 MEMZ.exe 38 PID 352 wrote to memory of 2952 352 MEMZ.exe 38 PID 352 wrote to memory of 2952 352 MEMZ.exe 38 PID 2952 wrote to memory of 2208 2952 MEMZ.exe 39 PID 2952 wrote to memory of 2208 2952 MEMZ.exe 39 PID 2952 wrote to memory of 2208 2952 MEMZ.exe 39 PID 2952 wrote to memory of 2208 2952 MEMZ.exe 39 PID 2952 wrote to memory of 2024 2952 MEMZ.exe 41 PID 2952 wrote to memory of 2024 2952 MEMZ.exe 41 PID 2952 wrote to memory of 2024 2952 MEMZ.exe 41 PID 2952 wrote to memory of 2024 2952 MEMZ.exe 41 PID 2024 wrote to memory of 324 2024 iexplore.exe 42 PID 2024 wrote to 
memory of 324 2024 iexplore.exe 42 PID 2024 wrote to memory of 324 2024 iexplore.exe 42 PID 2024 wrote to memory of 324 2024 iexplore.exe 42 PID 2952 wrote to memory of 1392 2952 MEMZ.exe 44 PID 2952 wrote to memory of 1392 2952 MEMZ.exe 44 PID 2952 wrote to memory of 1392 2952 MEMZ.exe 44 PID 2952 wrote to memory of 1392 2952 MEMZ.exe 44 PID 1392 wrote to memory of 3016 1392 mmc.exe 45 PID 1392 wrote to memory of 3016 1392 mmc.exe 45 PID 1392 wrote to memory of 3016 1392 mmc.exe 45 PID 1392 wrote to memory of 3016 1392 mmc.exe 45 PID 2952 wrote to memory of 584 2952 MEMZ.exe 46 PID 2952 wrote to memory of 584 2952 MEMZ.exe 46 PID 2952 wrote to memory of 584 2952 MEMZ.exe 46 PID 2952 wrote to memory of 584 2952 MEMZ.exe 46 PID 2952 wrote to memory of 2516 2952 MEMZ.exe 48 PID 2952 wrote to memory of 2516 2952 MEMZ.exe 48 PID 2952 wrote to memory of 2516 2952 MEMZ.exe 48 PID 2952 wrote to memory of 2516 2952 MEMZ.exe 48 PID 2024 wrote to memory of 2728 2024 iexplore.exe 49 PID 2024 wrote to memory of 2728 2024 iexplore.exe 49 PID 2024 wrote to memory of 2728 2024 iexplore.exe 49 PID 2024 wrote to memory of 2728 2024 iexplore.exe 49 PID 2024 wrote to memory of 2476 2024 iexplore.exe 51 -

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
Process tree, nested by parent. Each entry gives PID and image path, then the command line, then the behaviours matched for that process.

PID 2556  C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.bat"
  - Suspicious use of WriteProcessMemory
  PID 1344  C:\Windows\system32\cscript.exe
    cscript x.js
    - Suspicious use of FindShellTrayWindow
  PID 352  C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID 1968  C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    PID 1408  C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    PID 1524  C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    PID 2920  C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    PID 2600  C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    PID 2952  C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 2208  C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        - System Location Discovery: System Language Discovery
      PID 2024  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
        - Modifies Internet Explorer settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 324  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
        PID 2728  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:209956 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
        PID 2476  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:930832 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        PID 328  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275502 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        PID 2784  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:865333 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        PID 2760  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:406610 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
        PID 2768  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:406634 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        PID 352  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:1979440 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
        PID 3692  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:3224638 /prefetch:2
        PID 3620  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:3093582 /prefetch:2
          - Modifies Internet Explorer settings
        PID 3092  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:3093615 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
        PID 3156  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:3486804 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
        PID 3408  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:996512 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
        PID 3084  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:3224723 /prefetch:2
          - System Location Discovery: System Language Discovery
        PID 3264  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:3093726 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
        PID 4292  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:3880052 /prefetch:2
          - System Location Discovery: System Language Discovery
      PID 1392  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 3016  C:\Windows\system32\mmc.exe
          "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
      PID 584  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      PID 2516  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - Loads dropped DLL
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
      PID 1908  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - System Location Discovery: System Language Discovery
      PID 2472  C:\Windows\SysWOW64\calc.exe
        "C:\Windows\System32\calc.exe"
      PID 2960  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - System Location Discovery: System Language Discovery
        - Runs regedit.exe
        - Suspicious behavior: GetForegroundWindowSpam
      PID 1500  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - System Location Discovery: System Language Discovery
      PID 1468  C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
        - System Location Discovery: System Language Discovery
      PID 2888  C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
        - System Location Discovery: System Language Discovery
      PID 2108  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - System Location Discovery: System Language Discovery
      PID 1216  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      PID 3264  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe
      PID 4600  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        - System Location Discovery: System Language Discovery
        PID 3632  C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
      PID 4908  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
        - System Location Discovery: System Language Discovery
        PID 2756  C:\Windows\system32\mmc.exe
          "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of AdjustPrivilegeToken
      PID 2556  C:\Windows\SysWOW64\calc.exe
        "C:\Windows\System32\calc.exe"
      PID 1708  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\System32\mmc.exe"
        - System Location Discovery: System Language Discovery
        PID 2864  C:\Windows\system32\mmc.exe
          "C:\Windows\system32\mmc.exe"
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of AdjustPrivilegeToken
      PID 3472  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        - System Location Discovery: System Language Discovery
      PID 4232  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      PID 4104  C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
        - System Location Discovery: System Language Discovery
      PID 1600  C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
      PID 4444  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - System Location Discovery: System Language Discovery
        - Runs regedit.exe
      PID 3180  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      PID 5160  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - System Location Discovery: System Language Discovery
        - Runs regedit.exe
      PID 5568  C:\Windows\SysWOW64\calc.exe
        "C:\Windows\System32\calc.exe"
        - System Location Discovery: System Language Discovery
      PID 5984  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      PID 5424  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - Loads dropped DLL
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
      PID 5840  C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe"
        - System Location Discovery: System Language Discovery
      PID 5272  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - System Location Discovery: System Language Discovery
      PID 5324  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      PID 6036  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        - System Location Discovery: System Language Discovery
      PID 5704  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe
      PID 5380  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      PID 5264  C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
        - System Location Discovery: System Language Discovery
      PID 5960  C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe"
      PID 5212  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      PID 5332  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      PID 6408  C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
      PID 5640  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
        - System Location Discovery: System Language Discovery
        PID 6796  C:\Windows\system32\mmc.exe
          "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of AdjustPrivilegeToken
      PID 2504  C:\Windows\SysWOW64\calc.exe
        "C:\Windows\System32\calc.exe"
      PID 6628  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - System Location Discovery: System Language Discovery
      PID 7140  C:\Windows\SysWOW64\control.exe
        "C:\Windows\System32\control.exe"
        - System Location Discovery: System Language Discovery
      PID 5708  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      PID 6504  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        - System Location Discovery: System Language Discovery
      PID 7432  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
        - System Location Discovery: System Language Discovery
        PID 7464  C:\Windows\system32\mmc.exe
          "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
          - Drops file in System32 directory
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of AdjustPrivilegeToken
      PID 7968  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
        - System Location Discovery: System Language Discovery
        PID 7980  C:\Windows\system32\mmc.exe
          "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
          - Drops file in System32 directory
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of AdjustPrivilegeToken
      PID 7684  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
      PID 6104  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      PID 7744  C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\System32\mspaint.exe"
        - Drops file in Windows directory
      PID 6516  C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe"
        - System Location Discovery: System Language Discovery
      PID 7716  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - System Location Discovery: System Language Discovery
      PID 8696  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe
      PID 8228  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        - System Location Discovery: System Language Discovery
      PID 6696  C:\Windows\SysWOW64\calc.exe
        "C:\Windows\System32\calc.exe"
      PID 8792  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
        - System Location Discovery: System Language Discovery
        PID 8972  C:\Windows\system32\mmc.exe
          "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
          - Drops file in System32 directory
          - Suspicious behavior: SetClipboardViewer
          - Suspicious use of AdjustPrivilegeToken
      PID 8600  C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe"
        - System Location Discovery: System Language Discovery
      PID 7368  C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe"
      PID 6920  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - System Location Discovery: System Language Discovery
        - Runs regedit.exe
      PID 376  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        - System Location Discovery: System Language Discovery
      PID 9912  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        - System Location Discovery: System Language Discovery
      PID 9444  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
        - Modifies Internet Explorer settings
        PID 9544  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9444 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
      PID 7908  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe
      PID 10064  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
        - Modifies Internet Explorer settings
        PID 9256  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10064 CREDAT:275457 /prefetch:2
      PID 8104  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=bonzi+buddy+download+free
        - Modifies Internet Explorer settings
        PID 8748  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8104 CREDAT:275457 /prefetch:2
      PID 9504  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://play.clubpenguin.com/
        - Modifies Internet Explorer settings
        PID 7440  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9504 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
      PID 7312  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=internet+explorer+is+the+best+browser
        - Modifies Internet Explorer settings
        PID 10680  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7312 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
      PID 9596  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
        - Modifies Internet Explorer settings
        PID 10604  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9596 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
      PID 10284  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
        - Modifies Internet Explorer settings
        PID 10896  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10284 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
      PID 10444  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
        - System Location Discovery: System Language Discovery
        PID 10840  C:\Windows\system32\mmc.exe
          "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      PID 10664  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=bonzi+buddy+download+free
        - Modifies Internet Explorer settings
        PID 9016  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10664 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
      PID 10736  C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        - System Location Discovery: System Language Discovery
      PID 10960  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      PID 11180  C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe"
        - System Location Discovery: System Language Discovery
      PID 5936  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=internet+explorer+is+the+best+browser
        - Modifies Internet Explorer settings
        PID 10400  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5936 CREDAT:275457 /prefetch:2
      PID 8628  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=g3t+r3kt
        - Modifies Internet Explorer settings
        PID 11280  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8628 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
      PID 6460  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=g3t+r3kt
        PID 11644  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6460 CREDAT:275457 /prefetch:2
      PID 11504  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+2+remove+a+virus
        PID 11880  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:11504 CREDAT:275457 /prefetch:2
      PID 11624  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe
      PID 11720  C:\Windows\SysWOW64\control.exe
        "C:\Windows\System32\control.exe"
      PID 12064  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
        PID 4340  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:12064 CREDAT:275457 /prefetch:2
      PID 6152  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
        PID 12004  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6152 CREDAT:275457 /prefetch:2
      PID 9136  C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus+builder+legit+free+download
        PID 12564  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9136 CREDAT:275457 /prefetch:2
      PID 12292  C:\Windows\SysWOW64\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
        PID 12524  C:\Windows\system32\mmc.exe
          "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      PID 13116  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      PID 13216  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
      PID 12784  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe
      PID 14200  C:\Windows\SysWOW64\control.exe
        "C:\Windows\System32\control.exe"
      PID 13132  C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe
      PID 14296  C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
PID 1428  C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x55c
  - Suspicious use of AdjustPrivilegeToken
PID 5632  C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59af539262d1c911b3014fdfbb598911b
SHA1ebe15f934bca0f4a0757014c28eb020cccdfa179
SHA256ce056500d1f319c42a6d70c58fa9ee7fc0c2fefd9bc9987501d5a177ab86639f
SHA512992141932efcab18d181a8e5d66cb7c2ef937bb371411fdde0615dce972d2d3572960af5e11b8be4dbaba7bce26fa171c7b4287e11152244476179990ea41c5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fe5970ec91057b4f4c1f88919cdf0fb2
SHA1c32172b0c10839c143473739e20577ea7c49d6e0
SHA2568cf5605283dac97c4e8e013ecba55e64619c69ac83441dc25e9cb0ba5a11237e
SHA5125167ecddd90efc4e553ca0561e2e0d3db3000e6f5dd844b217e94243bfea893b976344ee934aea55e07b51f4f189d1a0e56a76415b3c88ad91332ae6dd98e16e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55fcf6b4e03dd5084a2b93578ebc1280d
SHA17507d5604e727360fd9ca8b581a3c0edc70c0b32
SHA2566859128965d604621d438b38fd7043936321d00e8090d31966ebafa0d37fd3fd
SHA512981121282982c977a05cc097530eaf08e0e0f5b3305a5b69674cf0dcd628bea36d8067f3dd4b228a6faa7b0a5f239266f4496e3c8caac23a766b54e887cf2c07
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a8be7032537bf69290eab1c79701a8e4
SHA1ef32c493c26b5f01beefbe1ef394ede1f979ca89
SHA256fdb22dfb8dbffd4b64edb59b7f6e5b1d7a8f423bf40a7de9bdc266075d2e1d0b
SHA5123d1344d26ddd1ef1a76d73b75a8dba1ed2ad6b84e47fff89c5cdef183bc343825093603afa4bbca4e8ba54f574ccbf7c2d51baa63f0e35c2ef1d5ffcb156a747
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD513548027096ce622bc0ba065958da06a
SHA19fb24ca8a6fb262f70771541817489e0ecf7d03e
SHA2569ef978489957e217641fa6bfdfc2217b27b7f1f6ff65031a2544f2bfcb694788
SHA512e0527cd9612ed3d87b788f9186b28a31dbf40f0f451a28642589c05e01c9442802f16112dbf9fedfdf5dad36f22c72f26e6b7ac6721a4f6ece54bbd803e09679
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d824acf17f44317833e6d9c3e5cffc9e
SHA150146e9bbd2b5e4547a99b941787b01ac333d3c3
SHA2563c9b6b9ce1c60efc1fa7501f55bdd2a5a88963c33bc0ab07c5e57f8c646f950a
SHA512faa1a6d2a7d5e650f3ca1c1ca5034ce46daf1c5069e69ba3550875364ec4693b8a2f578b54f9fe1947fa496c0a3364dfad9f3709440206244740c75cf3fa43bd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a9093c98ed64e4f9bb3a1b7609a8ec0d
SHA15c2386d14bfb5b535575bddc4b4e7e5a4ea5a34d
SHA2569fc9a5b04590bbf1df4e20a3d95ed2602194ce980a5aef61516a34d222c9940a
SHA512c84345564e35c5c86c682a579b3d5ceb646b6b95e51e743c883f6f4b43165b244a6d5624d00a5bc924c3a0a6303bb2a359df97aecebdedb369a900ff1a9806b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5010509933134f304de92c94bf0e26b66
SHA1b86cd6affb308e29d41931577b92a211cac195cc
SHA256f0edf1ee1a02fec31f1555ff329605e71268f694e1a2402736d80057a9cccf54
SHA51273fc795df24a1d9d9143ef5085562a79a10f47f09632a476a38566c436e031c3e41c1b875af26dacb2153fab9ed073be47806210f4940f14e7e625cce7d86b46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_193C88518F770D3F8D3CDA4F180E8635
Filesize398B
MD5345b62e90d8dbeb6eb688980ded94fa2
SHA143afa9f7875c9b1d0d49c3800e20138a74124ec4
SHA2569e52ba8d57434ce80f6f9be7686a9d271477ac36db55574b79e55d3b63326acb
SHA512c15012e23e68d489fea77dfe582df39c1a6c91146d3c2f0d07b691cada32e5bdd26ccd4def148c1af3f8b11ec8fd0809e94f963f4a67ea0d1bb5c42e6f93bc1c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD523e15d37bb745f20ba3a135ba532de69
SHA12c5fc6f0f8399e427b9febc93f3f525e5464750a
SHA2568809b006535cb208e676bb62cee6f35f10e9f1264e4da8d270eeb7661047a1ba
SHA512487c29bab199d716afc80ae59487e82dcc1fd83812ba6b189ca12c90556f5661b97ccf0cec93f286c92b291cc11a9ca36945bc1b6c41b2fafaa51175fb8e0cd9
-
Filesize
99B
MD5f98b5a46fefc1957169335b9ca80ceaf
SHA12005464cc7695f329267776427a3b0c06a4c1d92
SHA2560aee592275d32197de0b086579ca4daa60f6c9c4c3b440cb45536053e67c1600
SHA512a2a8d0bfc1cba81e643c8b73d261f7ae2414d10027b23bd9798e110199a4b7dbf98829b04c21c832c57382cf645d669a9b7809333fa48d245373654d6e33f3eb
-
Filesize
5KB
MD5b35c9727a20f2bcf09889328e69dabb5
SHA15e045e7056733109ce7ab5ac4a746fd39409bfa8
SHA2561ef7c758cc324ba17fb2a741a44792d95463e99511fbd5799a831d56fd6ed4df
SHA512821a80fb37243b206cb8028e39a31f06e7090691cf5651e8b5bb027e2f519ca5a0b726ea91d5ebf4f37ab3d37dfc31d341e40e99a2f490cb49ad212d21b5fcb2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\dnserror[1]
Filesize1KB
MD573c70b34b5f8f158d38a94b9d7766515
SHA1e9eaa065bd6585a1b176e13615fd7e6ef96230a9
SHA2563ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
SHA512927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\favicon[1].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\httpErrorPagesScripts[1]
Filesize8KB
MD53f57b781cb3ef114dd0b665151571b7b
SHA1ce6a63f996df3a1cccb81720e21204b825e0238c
SHA25646e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA5128cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\webworker[1].js
Filesize102B
MD5ad5e6a567d064cba36f2a56caab2d866
SHA1a3b46ea0ca5df5a6b6ab6bb228cf805065523cd1
SHA256e70942d2b905910af2538c685c2223c25e5068bfbccb9742cfa5ffa48150d291
SHA512ba45b3d74c0d2e0ac22bc97bacb6df549d7a4eae8d64050af41167376926f4379ccb6be84a666ba615caa7c5ee6838f98020c530f5c2ce51f71dad369d130681
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\errorPageStrings[1]
Filesize2KB
MD5e3e4a98353f119b80b323302f26b78fa
SHA120ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA2569466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\logo_48[1].png
Filesize2KB
MD5ef9941290c50cd3866e2ba6b793f010d
SHA14736508c795667dcea21f8d864233031223b7832
SHA2561b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a
SHA512a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\recaptcha__en[1].js
Filesize537KB
MD5c7be68088b0a823f1a4c1f77c702d1b4
SHA105d42d754afd21681c0e815799b88fbe1fbabf4e
SHA2564943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3
SHA512cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WHDSWW5V\-HiUwdQxDKLzt71CPYD-hKnPnujfGhcYgWkgX6BRpVU[1].js
Filesize24KB
MD5242324a437f1e8dfa268b1be80e57fdc
SHA12198c8b982542d263d2df13efc9e476563b5874f
SHA256f87894c1d4310ca2f3b7bd423d80fe84a9cf9ee8df1a17188169205fa051a555
SHA51274d8caa815fbae1b8510c883da00cec7f43fed56890c50eb24e44d281e31d9579b592553be87d2ce8ccb04cb2e3f78eaa8889068762fa36b1143b85cb21f3410
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WHDSWW5V\NewErrorPageTemplate[1]
Filesize1KB
MD5cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA18f12010dfaacdecad77b70a3e781c707cf328496
SHA256204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WHDSWW5V\api[1].js
Filesize870B
MD5db3f5a748364d84b2b5f75e3d4e851d0
SHA117b34ff20d429abee726b4b74530e5af2819f7bc
SHA256343ed5ecd144d781de67aa8638b1ca4fce5772faedbb72720daacb250884f4e1
SHA5123ee552fff8e93097120367c7f5f6aed88145150d706349542e8800e65722f4e6507bc0802e41a305cda56aaf4bcd40c036ad7a4d2aabea9dc70f908bf400dd90
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW15VCHK\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf
Filesize34KB
MD54d88404f733741eaacfda2e318840a98
SHA149e0f3d32666ac36205f84ac7457030ca0a9d95f
SHA256b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1
SHA5122e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW15VCHK\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf
Filesize34KB
MD54d99b85fa964307056c1410f78f51439
SHA1f8e30a1a61011f1ee42435d7e18ba7e21d4ee894
SHA25601027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0
SHA51213d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW15VCHK\KFOmCnqEu92Fr1Mu4mxP[1].ttf
Filesize34KB
MD5372d0cc3288fe8e97df49742baefce90
SHA1754d9eaa4a009c42e8d6d40c632a1dad6d44ec21
SHA256466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f
SHA5128447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW15VCHK\styles__ltr[1].css
Filesize55KB
MD54adccf70587477c74e2fcd636e4ec895
SHA1af63034901c98e2d93faa7737f9c8f52e302d88b
SHA2560e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d
SHA512d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
7KB
MD5cf0c19ef6909e5c1f10c8460ba9299d8
SHA1875b575c124acfc1a4a21c1e05acb9690e50b880
SHA256abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776
SHA512d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x
Filesize10KB
MD5fc59b7d2eb1edbb9c8cb9eb08115a98e
SHA190a6479ce14f8548df54c434c0a524e25efd9d17
SHA256a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279
SHA5123392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1
-
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x
Filesize3KB
MD5bdbb7a69ab8b24c79d4459cc1d8da36d
SHA19bc963561ddf7e37cf514096558480496f4f0f80
SHA256342bc67981f2c4bb79fdaf64a7073d371ad320f94f08f71c4e39dbedef82ae29
SHA51278f8cf4205aae51d76cdfe66cb9cfd033be9590561b567b7594ddf40eb98d000e854762314ad2beafc69d6c8ebcc4e19eafa986054f9b7f853b8b3074a2b04a8
-
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x
Filesize4KB
MD5c6e68ff1dc039af122429c3c5418630f
SHA1771938ab02aaf6714782ea1c70420794848b1d9c
SHA256b18e0bb23b9b78ca561b9499853ec5be84f67fcb7db5c7e207c6da1b89c17dbb
SHA512837b8b31d381030b79a1b85449238b8770999dde21dd705aec81a0205cfc40cb2f65fb7877de479bae9ca96c1233a62078332c93db764389bd6f26985b61c9b7
-
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x.js
Filesize448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
Filesize
16KB
MD50df09b72f93ae6350aee105760606cfd
SHA191baa3affc84d832888ea715ee74a2b5852f599d
SHA2560ec5a0f2025f3630b0256679350adf91553336698696d33f67442e4ced4be231
SHA512398430f6f7d063351e37231e2656f9d35fc1e9959d2a19b2da0a89724db68cb9107d0b9950286b731825778189523412d1aec52e524d50d6304efcac488440ab
-
Filesize
12KB
MD5a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1761168201520c199dba68add3a607922d8d4a86e
SHA2563ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
SHA51289923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
-
Filesize
406B
MD5010334dd9fdb58a3f6de2dba00581e17
SHA106c1c3ee2e31bbaef035dda9a382a8156744e1d9
SHA2568465fe70a2d3d090c7831f49b9d31b26b2a567d9030a599b74f456b18f0cf43e
SHA512318bb8377d75c4b5e4985715e6d7cadd09c2d5f6d95fb7901924357132aef0c4d7db597af1dbb2d2a3d818ef36d37e751915ac50ce9c513dcbeb35bfe1f34b8a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
Filesize3KB
MD5409afbe3a91e45867ebd5bdac9b1298d
SHA1a7ea9acb1d1a9f0580b427eb2a637a59a04d2ac3
SHA2564cc0a72f03180b4087dc993cb5ac2fc62c185d3e51b5ce423e12f157bc80ba49
SHA5123c2cc984957eaf5e6f1a88d47fd31f425ae65ebd5a715215ef379acd93af9f970fabc068d94f7028eed34155bb259fb016b7f32bba7f8a7c5cd8e4448d7c1c43
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf