2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

13-01-2025 04:35

250113-e7x5tswlfz 10

13-01-2025 03:52

250113-ee43nsvjby 10

12-01-2025 15:57

250112-tealdsymgt 10

12-01-2025 15:53

250112-tbnc3s1mhn 10

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1196	MEMZ.exe
2984	MEMZ.exe
2940	MEMZ.exe
2096	MEMZ.exe
3000	MEMZ.exe
1500	MEMZ.exe
1300	MEMZ.exe

Loads dropped DLL 1 IoCs

pid	Process
1196	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442859140"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000063bacd52a7af91439c33028be09ca163000000000200000000001066000000010000200000003dbd748a87ec53680b8fce2fb97d5529f41738d7344a33bcb91eeaa2dad36c8b000000000e80000000020000200000005f60bf9e433211360b67f6064c2ae34561663c8bc229a3bd9f26930607a939bb20000000df69ad8f9a18f7988fd6c3d77766389faf564b7c38d7d5d1bc97182772b7c99d40000000b4224c8a1036484125ec956a1a71206f898a59432e3513171d38509d85c51c180d4b0cbc0e780b2d229d30c9059f2475c111e27c228be383502c56dde22ea142	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000063bacd52a7af91439c33028be09ca1630000000002000000000010660000000100002000000057543b137e50d03835ec27bbc539e73894a82536d64ebcdb3f39ebec719b58ee000000000e80000000020000200000002bbe0718ee08015f6724a7072c6782ef26ab28771b1836f78f58f3662841124990000000cdd293e66ce65d0c910e1e7abda0de98957ab8f334fb6ceddf970249751bb5363e65f3c0161629c8fd3d2e7d5e43a2b62bec9dca8e8048c33e786e84690adf2d48c1bc7038472b3e6304102524551d1d91ab5e23f362877b7ddc14dea9a7e46016935ecd43923b2f5112dfdcb3d01b7f429e3d0b5ab0c3e6cd699acceb674d6d881262ace1913614ece6abadb584a1ef400000009bee5ffc7986e27e05f975b532c9352a45a269585231279fc094e8035664f3a7f7305d41c2e472c04ea789b28813bfafaf37355f6f4f6bdea71d423727f855fd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00aa07570a65db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{841961F1-D0FD-11EF-8F2E-E67A421F41DB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1196	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	MEMZ.exe
2984	MEMZ.exe
2940	MEMZ.exe
2940	MEMZ.exe
2096	MEMZ.exe
2984	MEMZ.exe
2940	MEMZ.exe
3000	MEMZ.exe
2096	MEMZ.exe
2984	MEMZ.exe
2984	MEMZ.exe
3000	MEMZ.exe
2096	MEMZ.exe
2940	MEMZ.exe
1500	MEMZ.exe
2984	MEMZ.exe
3000	MEMZ.exe
2940	MEMZ.exe
2096	MEMZ.exe
1500	MEMZ.exe
2940	MEMZ.exe
3000	MEMZ.exe
2984	MEMZ.exe
2096	MEMZ.exe
1500	MEMZ.exe
3000	MEMZ.exe
2940	MEMZ.exe
2984	MEMZ.exe
1500	MEMZ.exe
2096	MEMZ.exe
2940	MEMZ.exe
1500	MEMZ.exe
3000	MEMZ.exe
2984	MEMZ.exe
2096	MEMZ.exe
2096	MEMZ.exe
2940	MEMZ.exe
3000	MEMZ.exe
1500	MEMZ.exe
2984	MEMZ.exe
2940	MEMZ.exe
3000	MEMZ.exe
2984	MEMZ.exe
2096	MEMZ.exe
1500	MEMZ.exe
2940	MEMZ.exe
3000	MEMZ.exe
2984	MEMZ.exe
1500	MEMZ.exe
2096	MEMZ.exe
3000	MEMZ.exe
1500	MEMZ.exe
2940	MEMZ.exe
2096	MEMZ.exe
2984	MEMZ.exe
2984	MEMZ.exe
3000	MEMZ.exe
1500	MEMZ.exe
2940	MEMZ.exe
2096	MEMZ.exe
3000	MEMZ.exe
2940	MEMZ.exe
2984	MEMZ.exe
1500	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2140	AUDIODG.EXE
Token: 33	2140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2140	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1076	cscript.exe
1404	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1404	iexplore.exe
1404	iexplore.exe
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1076	2656	cmd.exe	31
PID 2656 wrote to memory of 1076	2656	cmd.exe	31
PID 2656 wrote to memory of 1076	2656	cmd.exe	31
PID 2656 wrote to memory of 1196	2656	cmd.exe	32
PID 2656 wrote to memory of 1196	2656	cmd.exe	32
PID 2656 wrote to memory of 1196	2656	cmd.exe	32
PID 2656 wrote to memory of 1196	2656	cmd.exe	32
PID 1196 wrote to memory of 2984	1196	MEMZ.exe	33
PID 1196 wrote to memory of 2984	1196	MEMZ.exe	33
PID 1196 wrote to memory of 2984	1196	MEMZ.exe	33
PID 1196 wrote to memory of 2984	1196	MEMZ.exe	33
PID 1196 wrote to memory of 2940	1196	MEMZ.exe	34
PID 1196 wrote to memory of 2940	1196	MEMZ.exe	34
PID 1196 wrote to memory of 2940	1196	MEMZ.exe	34
PID 1196 wrote to memory of 2940	1196	MEMZ.exe	34
PID 1196 wrote to memory of 2096	1196	MEMZ.exe	35
PID 1196 wrote to memory of 2096	1196	MEMZ.exe	35
PID 1196 wrote to memory of 2096	1196	MEMZ.exe	35
PID 1196 wrote to memory of 2096	1196	MEMZ.exe	35
PID 1196 wrote to memory of 3000	1196	MEMZ.exe	36
PID 1196 wrote to memory of 3000	1196	MEMZ.exe	36
PID 1196 wrote to memory of 3000	1196	MEMZ.exe	36
PID 1196 wrote to memory of 3000	1196	MEMZ.exe	36
PID 1196 wrote to memory of 1500	1196	MEMZ.exe	37
PID 1196 wrote to memory of 1500	1196	MEMZ.exe	37
PID 1196 wrote to memory of 1500	1196	MEMZ.exe	37
PID 1196 wrote to memory of 1500	1196	MEMZ.exe	37
PID 1196 wrote to memory of 1300	1196	MEMZ.exe	38
PID 1196 wrote to memory of 1300	1196	MEMZ.exe	38
PID 1196 wrote to memory of 1300	1196	MEMZ.exe	38
PID 1196 wrote to memory of 1300	1196	MEMZ.exe	38
PID 1300 wrote to memory of 1252	1300	MEMZ.exe	39
PID 1300 wrote to memory of 1252	1300	MEMZ.exe	39
PID 1300 wrote to memory of 1252	1300	MEMZ.exe	39
PID 1300 wrote to memory of 1252	1300	MEMZ.exe	39
PID 1300 wrote to memory of 1404	1300	MEMZ.exe	40
PID 1300 wrote to memory of 1404	1300	MEMZ.exe	40
PID 1300 wrote to memory of 1404	1300	MEMZ.exe	40
PID 1300 wrote to memory of 1404	1300	MEMZ.exe	40
PID 1404 wrote to memory of 2432	1404	iexplore.exe	41
PID 1404 wrote to memory of 2432	1404	iexplore.exe	41
PID 1404 wrote to memory of 2432	1404	iexplore.exe	41
PID 1404 wrote to memory of 2432	1404	iexplore.exe	41
PID 1404 wrote to memory of 1752	1404	iexplore.exe	43
PID 1404 wrote to memory of 1752	1404	iexplore.exe	43
PID 1404 wrote to memory of 1752	1404	iexplore.exe	43
PID 1404 wrote to memory of 1752	1404	iexplore.exe	43
PID 1404 wrote to memory of 1992	1404	iexplore.exe	45
PID 1404 wrote to memory of 1992	1404	iexplore.exe	45
PID 1404 wrote to memory of 1992	1404	iexplore.exe	45
PID 1404 wrote to memory of 1992	1404	iexplore.exe	45
PID 1404 wrote to memory of 2804	1404	iexplore.exe	46
PID 1404 wrote to memory of 2804	1404	iexplore.exe	46
PID 1404 wrote to memory of 2804	1404	iexplore.exe	46
PID 1404 wrote to memory of 2804	1404	iexplore.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1076
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2940
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2096
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3000
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1500
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:1252
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=virus.exe
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2432
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:472071 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1752
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:537618 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1992
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:930834 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2804

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
45debcf77962a19a50c87176ed685fae

SHA1
e92569d5cd00cdcbfc8a56c360e98996ea017e7e

SHA256
6038c6ab25a1fc6def1155efabb83500d3f9d7f040c2bb6c1b702a6af4d7711c

SHA512
cc6286aabf39d112790bc6c44a452cbc4ecceeda27a24e4518ecdb9726ac214823a0176bdcbabcea8ed98af3c1cf246abdd220373b1dbe35c01ba51e521f38b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
5c9de39c384b4fec11fe164bd3b18fc7

SHA1
c68810a1297c4f3856205a4245bb7ad789560c7a

SHA256
2aa20a92b16630996215619142074d390285edc170e4cc8e734daba8aa85ecae

SHA512
29fcfdf1a6cf1c0a4ebe2fb4bfe81bf1b0a637ed19ad02580889612b56878dc764971ef9e37691045d11e88a49d51bc3aadc7c3cb80e2d9906cac3f85e2f1e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
114b5a415a860bbdf5571a41a822fa64

SHA1
a71fe2c2478c063862ddd2a40a5406fe28e03479

SHA256
c570b390299283a885c8f984eafa6b7cb4e05228b398067c6aa243c71e3cd4af

SHA512
0791c3c818620e3d5a74372297e2cf4101c13cde88485fb8b41b2fa27a34274895b487a2714f15e6d9cabf48a48f91bca5209c634ccf4155b88d87415904ce2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
2452b19abe7a391a9a295410c164dbea

SHA1
fb5bb7ff9c912508503879e14cb406046a5e20a3

SHA256
fddcd9dae0aeba1554a26a8dce6708212844f8956fbea5b9725635c551830d47

SHA512
262d5947c7c65889697635a9fd54de6f5eea25ab62d79ba1bece608ad65770ed8bf599f587baca6e60fbc75df1706293fcc9612701c498a5b268249ba023a76f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0d9cb9632782b4e6cc14a81133dff114

SHA1
0fba85f8ea34628f76b8c3968c37a60f5b280a24

SHA256
60e599ecbb6705723331ce519ac62a51977772b97e5bfb5da37b9bd16f36c904

SHA512
23257858b5389964e2fe9fab98cfb4756adcae006a0187f3110791d229256b2440e4c47247de4cbeefe3569d984760a3fca5f6eb79236106ce71e0412df296f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
83c220c9a5e681d13b21d6a58b8803ab

SHA1
c79dafe89558b8ffe16a60d55f50b4174c74018d

SHA256
e6ce570a8ddc9aef3dbe8c6c7268961a62a8d81b6c2f9903dc05e9bb45692f56

SHA512
45083d3792a5b13c39e2d2cd11c321216e33ef6aadb48a1d65b4541c24a2d84d4b2a616c95507e138997ad9e7d9851e22766063c8da12c068429229bd1de3b1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8270e36b9152da40575a25c111b3c4ef

SHA1
8b2817b4845bec15f289b542ec3d8d9d353f9478

SHA256
0f87b9cc81c8c50581133c8b97c7d0a2381175800408a36be18526355632b04b

SHA512
57ae75462c29fff44d7d917561ddd889343abeaa733d96632016e9ae8cc035090dde34f11c3ce2f318821c35d3c678e442c64f8b8b01b42b65bb3d21f3ffff45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75759b6f1a7cb9f382b89eab2009404c

SHA1
efe3129a91ddb3da6dde1fff5c9624436f52f3a9

SHA256
56087302481ae92dc973b775a0f14cea387bed7f85e8c35d19fc82871f632431

SHA512
cecb2e4201dfbbd6a3f37ebc450d1d950b816f82349d8082ad8c19ca89f625c692db4593cb2715af207d9ba3c690f77d97e9ee89f197c3c71f443dbea53272a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40fc98a620e4df88b9dcfbbb4955d36b

SHA1
8c5889eb009a7ca87d07f346c733bbcad84c7cd6

SHA256
f621020287d8c6a7fb96966c3cb94900603d112be74d5ef6a7c546611926c98d

SHA512
420d820a70e01bef9b1b51a104c64f386683ed6647aac3ef4c73956c175d8f3fc961b637102e4ea0dd80ad4ace5c4a6b49b71a112be70601c6432d9317234065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c274731aa98b871f29ddc8071ff0a8e

SHA1
6a2cbe4f866822cca44d79a59631a06a69bf200c

SHA256
b234cf29f16e8c905af8452894ca0b6e11425b6714e3f96f5ad9132adc5ad5f6

SHA512
56e05e155804493bba6c5cc64cf4762903d9acd4aee5d54caa05d33e81a7be8f1e068ec3c083847649d1f939ff70c13d5a6196a18b0930a6f1c108295b72d09c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5928bcc7f6857abfe516c1ca53f91c05

SHA1
c94bd5903489d9f67214ac351679e0c56c20f2d2

SHA256
cb9600d53ef717b76c85344c6263e7995af6a3c450cfcf8a4df4987539e5488f

SHA512
c920bfc10be95112cad68bdc1d88031e02cf67dc926a385458101b7f8d9c3d2f52d2a97f62de3353ef63f8fd5d1f54d104ee3f4e1a9a2048059d611b932f373d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bfbd0a6120d1ff2ca793003702a41a4

SHA1
a8d136b834dc21773374b3ef2ff6d25c9589f308

SHA256
09fc2f5c15c770ceaf5f3682721a4dad1a2f24962fb5c84e1a7b18dbd9303c4d

SHA512
5a6407898984f4e75d446d7c50d7ec282152491869fd81551a4c8a8686ce9c931977ea2440310c17a47b68f05da1eed383f3f9b6b4ab2386d3821fb8d7ec36d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
398c4057d44c8769272e877e26338234

SHA1
632e0a83b959aaff49ff1abcc057a2a5f92a4034

SHA256
77fa0e3e7fe861d1dfbc98bade519d18d3cb23bf3eecf24e4fea2d440b476a85

SHA512
f6225388b70141854020b8a196b02e0f5bd3914d17fca990e8fbac9a4b6c5df56feb402987678de7c053294bf68f1707a4ebf737051022f0f5e3d379593db12f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20e20c3173f60475bd59ab86944bd0b5

SHA1
1ff8504fdb02d18d971523de7c136c7e7a359ba0

SHA256
fbbc5b891ed75876ec9d0f6f5dec85db96c33bc79b77f7b06bef2867bb3fb967

SHA512
274ed0560052992d21ac55b885cd6c43e0197affd06e0e594810af138ac61d3ec5549a6db0fb66de6e941a4824c1e6adc59d9149f4edc6f96d2fc2012b6d63be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51414e07aa77103a403593eea01d7d92

SHA1
b9bb2b931b397fc02f9351b9a2d603fa1a03b63a

SHA256
2526cd191525c379d8f4449d60baff44cd8059699f22e9b8e5ffca724698c6ed

SHA512
22aea70389077225b5f7f7667cb2a8c5de5e8acc4daa1b87889254455731424da42c2c68893dad0859d4d8643e00bb089d80475696d648fbfe2d6609a187bcee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88045816411b83498cd3f951a726d02e

SHA1
7d3006b7a00fda5f2ba458e6e14e08883e9dd4a2

SHA256
4f54a8f8d4646002891f401ff8bea7aa48e2f89c805bf93967f2cb9cf466600b

SHA512
fe8bf7e898d13030527392947fc494943fa6ff0b90ab1a17482c8477ad3217281f2d0dcf045fef6855641c09adce261b1c0fa510f23d0f3e4830fdabb14aa055

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9595028c309a856f976387d46cd8a1bc

SHA1
59132ef6f7ff0b6a4f88a4fdeb37bb98dfe5f8eb

SHA256
5b634b76679c7030ac4d9eb7ce327a63d94c557659dc1cec002ed0fc536f2c1a

SHA512
5beeeb1b30da93094032021d41ac7e25234d9ebf3290b9391b09b1b98e34009070e41f0ca3f64a4e274f396e4acfcd671d65414b2b953df047f5b8ccd30c9247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab61f0b96bd8b15cd906ca5dcda99762

SHA1
5e844632dbd88aa0be0356b1874fee742bfbb022

SHA256
edb219999bcd90192ab14cbdcdb2015b9fcd8513d27b8cd58b6d7e7ff32acce3

SHA512
e1e4ffa1105e1692882274a740d6ac4a2a47c74970079efee90b3c929e2fae8bbb566dccba1294802d2f38e1187b13212a7ea93211f5127223943f63f3decfa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d85761933edab9a74729d3fe93beb58

SHA1
e9e9442062932deb98fa2151503914efad91f906

SHA256
446bdec578a65a435af64cb4867eaa3ba3fc73449a5dd136a361576380249490

SHA512
54ab864ef1e0f035b3ee0461558153d8a7fa696bfff60f9691722a83e3791508317c52952de8b3a48ddb2fda49d66f4faafc6d93dab43d5e7de53c490e9983b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd131320d228fa905251afd9cfd47efc

SHA1
d4e68d1061169f53b6e3af17a0e4b1a62ce04788

SHA256
fc185fbfeccacd1afff0ffb347c3b88f54ded8fe52eb8342a02ef8ae44749af9

SHA512
4a69ab1f82b64b951d2a23993324c2f6af7f45ce29abe0b48a4388648cb3bf345157a7b6c3a3b0f9365f0dbffe086762c910e99f8dfc72e8d75fb579188988cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a09a04b87cfaade88ec59fee55a301b

SHA1
17d55eceacedae8e68a00c0871a9938cb51fb472

SHA256
c948a12416e85a63da8c631e789569125431af23be4ba8b67e896d6322e30993

SHA512
786e819372d53c25e79ed7f2ede7b294f7a41294508a26c640e7f17fdfa32f95736708320a75ad491f906db488873754231648eda1ea7d7eed61156e0a5bf93e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2682edcfa28a83dfebb645996be53b0

SHA1
af1a7e7e6e711826673e2a993e3ff1fda4697d1f

SHA256
4c025e939170091a57f6fbf1c76b7b8398c5615f38916f48a38eb2cbe760a12f

SHA512
f27160ccc4edfaf006745a253a693dcdde4ae332d670d631272f6d7edb0fd95e68c055f1a8b2f68f1fbc202a83e2a77e1c9fe72b4a5655502d9cd37983a3fc29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a65ac35da935202b13c13fe396d12820

SHA1
ef501b2529f8ce15a86e150c803c92eea81b969e

SHA256
294eb83c72e5b5be80e511139dfb4ceaaa745eae884dbf96636ed3740f2e602d

SHA512
d31d41d8f8ab8fce8741f1cd7a76d91bc5b90ef151381cd1f673553fb21ff49f429aa081166c1cd89a142d1a319d10a8823820707e56cb34087e453180ea9291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
785629820adbaf7dc9df491f3662f7c8

SHA1
d1c8c7ee4a1b61515148f9ab787d9686064d35b1

SHA256
b67ae5e31fe096d33a40478b58be081faf7445835ab7b137ca46ac26925e0a06

SHA512
271b644ba7dd8104829204a7f0aa3b365e209cec34c1ad86dcc67b52c30b6bc62b8aa726f407169c53ea04fc5b0f851e7efcde17930cc7ca475844b27a3828f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02ab06d418c3ab86ad3b41b373f4814b

SHA1
9338b857741826bbe31180b00436067c8b6e064c

SHA256
9f6c2f5ad73e7094bdbd4a0c1eab1ffc3b61c79952a6099528c02ed7c7287db7

SHA512
a5f62ebea0ebd517e532414a5631cfaaf7aeab684886aaeee7aa46c76599e886f88c61ce6d3fba88d0cfb2b36534fe519144eddce94bbc281c96839dde466cbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
595b99e6626a29be8fb980ba06f0b6b2

SHA1
00e5f232c8a9f5a995f237902d1f0025e03bf364

SHA256
ee1232d9327dc0d7c7d2534003a4b9b7eee3a2a709172285f2b41a8ac8647d8f

SHA512
4a9b01b8f0a7fc0af600ae8601cc78934fe0a1dd76600ad3415c6915a91e4f94cba4ab703143a7aca67f9336742c94dbcd547c48872d260979fc41e8773f96a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94c684357f0dab0d56ad9af456f817fa

SHA1
a5bcc6b0c2d469ed02ceffe0e94133d6e8d2d7af

SHA256
8bfd97a568d08385d5381465808830225df6ea69a17f23a64445dce0eceaad86

SHA512
d4aae7f0366e3f114bc8cbb7b2b1f18d1f1e2c06066a9f088ba4a1284876bcceda19a6e2f1c5700a9aa34dc544a2b919290133e4df722537469c93d181a667e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45be2008dc3036ddd0919b832bbb9948

SHA1
6d375071abc3d4f73a23cd1db34bc6a21ba5eba3

SHA256
54236289101a90b5a88d550d212044786d5be53e921f40b247aa41454941a2ed

SHA512
9577b7a258a4e31152289f0b2f0ab282e7bb7c723d55a09044d6caecdf0eb333e12fad4ae5caf570f4d146f0dc98122c6d948e4e5d24870913a3219dcb67cd90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9e71853b7ec4c83ca4039df995b0afaa

SHA1
54e77341a5340a663565b66e77ee530776ff74e4

SHA256
6222c1cc73e5b3691f33ce26e1580163b17ffa372680a5317ec37eb05d89e254

SHA512
305284406633d2a6c6d9b36ce5c96a3c7117695dbe596eacae90c051e33e48048d83b5c9e4d7bac0f70729ddac11233b8ef3b1e3409027c6b1b071ec654df1bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\O518VGY3\www.google[1].xml

Filesize
95B

MD5
a083d97616edb8a912957ecf3aeb2bf8

SHA1
09a1b5236bba0ab617169e07807b6fbf51a795cb

SHA256
4bddc205cef008c83a9bcd1441c62cef9fee4a2cf795e9256d181b3e986d3f07

SHA512
90d7228fb96b435af70eb58d28f267af7d7583446280e7725d3c7b2cd310473afb9302cd675d72c1fd73b4dc19985120a1a8a734a0f66ad52f1a976098cc333a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9fajjbh\imagestore.dat

Filesize
5KB

MD5
ec08f1e7ffb12a16fe42d7382b17309f

SHA1
d6798d0545d6860eecdf7e24e400f05c008e2487

SHA256
f91dc2e748f768b71769e62c59343bf24db3d6190fb7d4cfcc28146fd552e36e

SHA512
56970fe2b041307fedbbe0c7498c3ba89ad7ebae2d957ae003050f0878150b23a369df9492ad56b9e2c4513666ad4e9d70824fdb8742a851825dde9d6b1ff2fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\styles__ltr[1].css

Filesize
76KB

MD5
6aec8cfd5d3a790339dc627f9f1229b5

SHA1
b6c8cffe38e1015dd8595f2dd1a92435e2795874

SHA256
80583fa3c83831a9e036eba0500d1b9c0d30892d0701f1617e0fafaf5aeaa2ca

SHA512
4279e479c860007d04cd6ff0b8c45131c18d87420cd5ceb5c727a7ddbfb4206d007069102d643da97c3bf01d0b756a2ef4662c8e39b6969fc154de3c763b1efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\webworker[1].js

Filesize
102B

MD5
c206147c7cae99642a4f8a2c640a0019

SHA1
8c32b7b7e0807bbe85e5c8c94f87afea31eedc40

SHA256
6f55adbecce78b9c566f8dc830177dc91782702ff35f213f009fc2b902e25603

SHA512
0d94aa53b801ac69a9bb4a7df4fc0e00b6ffd1c5668a6fee4efc11986b7f516eb27a8a0197c0106a4295acd5f63c222ea2f1bd9431bf2d689672ac91c5528eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\api[1].js

Filesize
870B

MD5
959fca740c230726e5a7cdf2b7603468

SHA1
1fa3eb9690cb728a4ba96846bd8eac87fa914073

SHA256
1a7a8da967879cf8c53e114c331242c5d44c39d4b4778a0824bc2f363504c3a5

SHA512
c493d157fdb40ca20752cd7419c3bf837c12831ef05d0d3e41844e17fc99096d1a7429adaa58ade3eb99aa5e5ce4ad91af8ef7c25f36c7e69f341ad0f2e88e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\fRwAWOYR0sZ_DK6a62ksuqjc33yP5zywIS6rjn3kgRU[1].js

Filesize
25KB

MD5
4b6daa0bcff92925cd864ebe7ff35ae5

SHA1
a31735731b1bb2cea0b4c0d72380396424a0d4bc

SHA256
7d1c0058e611d2c67f0cae9aeb692cbaa8dcdf7c8fe73cb0212eab8e7de48115

SHA512
fe36c45c25fc48510a722be53d4aa4eec956629eac88d8cdc1c18f8ad425c510e2a74cd1ddfaeedd230868de00d466918bb6710747e4afccd09735caf9002633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\recaptcha__en[1].js

Filesize
547KB

MD5
19ddac3be88eda2c8263c5d52fa7f6bd

SHA1
c81720778f57c56244c72ce6ef402bb4de5f9619

SHA256
b261530f05e272e18b5b5c86d860c4979c82b5b6c538e1643b3c94fc9ba76dd6

SHA512
393015b8c7f14d5d4bdb9cceed7cd1477a7db07bc7c40bae7d0a48a2adfa7d56f9d1c3e4ec05c92fde152e72ffa6b75d8bf724e1f63f9bc21421125667afb05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEACE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MALWAR~1\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
1KB

MD5
a07321f367a844c2344ca76c55b17a58

SHA1
5be050a5963da0c63f02bb1669a944fdadcb0108

SHA256
649feddce1327c84652a80c6069a82040f537ad65dcdf53cfa8bca7412f0476c

SHA512
65adcf6ef458ec185f04646e896899372c7fe1dd844984170b6a5b27c848c3d4d51311757a1b4e652e5c59ffc0b85decc4acf1c5c8cb8fefb640b87114a5f94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
1c604b4fef887029e9a3fa342fa908fa

SHA1
27bd3753c25ea4ea49c7c7b564a1fd641bd0eb23

SHA256
d6a4b048b5f28963aeac2e56db9ceeb4607c068cbe06c041631b9c878964330e

SHA512
ff804c5b76e5aeb6efbd6a7650d5614e922ab605a45873aaeec0ae898e1a7275dc4ec862cd0bef20998e1b741b2add2846e4cfa9c0fcaaf197c4c50aa934cdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAD0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\615A642X.txt

Filesize
124B

MD5
3ca14b9e3a65145c63b47aeff0229a5d

SHA1
8cf75985027d634da084008ac270babc9cd0e8a5

SHA256
0a52836921d7b9671436f3a5644b007206f204b8570619330c1943bb9f42e9ee

SHA512
fd5580e30acfd188e92babc1fc7a2c2d7b8982620bcc8d3a2b4751e3100d2c76b58781284c389376f539369936305dd9db3d143646258f80b91f78f8efbdd74a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OG9ZUPIY.txt

Filesize
125B

MD5
2f14f3a18de3429ef62333867ad683fe

SHA1
4fdfbd98113bf4a8cfdc91233fc210f76adbd74f

SHA256
44a2940445c15c5c72a72d989ab203cfa7a492a21a975c39edbb197b22507cdc

SHA512
82af5ccacf781ae17ff04cb59abb507be31a4c81cde6709a38abfd4e50b9ba43ebabc4adb38b5535a9d0bf0e3286e3ba859de3a7b9247bc0994d344a8c43cd19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TB3SAKV1.txt

Filesize
124B

MD5
38ead82db56d6b11de634e015bab8238

SHA1
eed9eae42881726e8716793f7c18017c88d57f4a

SHA256
4a274ff2e105d25974c45ffedb721e52d03dc9cd172c0050d44d8bffd8bdadca

SHA512
f8206048ddea1054154486687756d2580253f4bf9e832a40320b3b556fd179410a7735ea45ff9779c98b0ea52de98d855b580afd74c119610032065d1511a6ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VT8B22AF.txt

Filesize
124B

MD5
98a1e92f6e8822bd1f1d977a919b8ee8

SHA1
04e05747f505d7fac51b0490a2788efc4f5aaffc

SHA256
82cdf66b9e12893b882b151ce7814ad78b100e29d05e94f443118b6ba7af3c58

SHA512
6e9f37127afeb467a6a8cd2b755971d3df2a7f13a204ddcdfbce9e4f8e88e04d8a1d3904dc951660156b9dc05404266281afe310861fe40e5f8d0d938a2be652

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1076-167-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download