2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1124	MEMZ.exe
2224	MEMZ.exe
2124	MEMZ.exe
548	MEMZ.exe
396	MEMZ.exe
2280	MEMZ.exe
1672	MEMZ.exe

Loads dropped DLL 1 IoCs

pid	Process
1124	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F32E851-D18A-11EF-9D96-D6B302822781} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442919665"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000087706204dd35974aa24b4fc860b4d98500000000020000000000106600000001000020000000bbf059cfb2fe083e48d016016b09026fd621242c036bb351237964bd14854081000000000e8000000002000020000000a8ab3dc97e50c55dce8d7b263b186ff46692a39d345978d66f991e16676d671320000000e83499e222bd9782818e4cc07240a0b3ad24bf9224c48576c1e11c747c7bc3c4400000001fb23c981ed661676baaa2b510e1a095f1246ba19d6e192947ff399661c72a62c60b32fd912c6eefe3c67796b960a7fb31ea6f444c67a3b2efc08d722caac2b8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000087706204dd35974aa24b4fc860b4d98500000000020000000000106600000001000020000000141a60d84d99966d86340e19fa604a05d8243e19120e445ecc5e16809e33f2b9000000000e8000000002000020000000c88e8ed24d51b9644f3e16b633c813e243748bf6d4ffa7ba178bf53bdcd658cf90000000d0d63131197a583d6af934ecd0774265f211a87076a55ff74dc165643be4ea1159a13df15e2d970919db47998b60fbc31e53ff3f574f1310959605ae9ad47102aedf9d2685efa04a296d241b5ffc0d64eb13dbdda53f6ffd651b724799751817ec4f71247eb7918690325720de4a6bbf52db36879e8a31ff7d9b36b263dc0caa30e8d544ef014f17f94f642db9ef3a39400000008a7fa67fff1d5ca5e98db9197d22cc6277f91ef9ea3e5f39c56eb926344574ac98b74b5bd9d46591d2f315f2ea6275fa9a0bf317761e65b5aa93186c06884129	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c079aa419765db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1124	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	MEMZ.exe
2124	MEMZ.exe
2224	MEMZ.exe
2124	MEMZ.exe
2224	MEMZ.exe
548	MEMZ.exe
2124	MEMZ.exe
396	MEMZ.exe
2224	MEMZ.exe
548	MEMZ.exe
2124	MEMZ.exe
396	MEMZ.exe
2224	MEMZ.exe
548	MEMZ.exe
2124	MEMZ.exe
396	MEMZ.exe
2224	MEMZ.exe
548	MEMZ.exe
2280	MEMZ.exe
2280	MEMZ.exe
396	MEMZ.exe
2124	MEMZ.exe
548	MEMZ.exe
2224	MEMZ.exe
396	MEMZ.exe
2124	MEMZ.exe
2280	MEMZ.exe
548	MEMZ.exe
2224	MEMZ.exe
396	MEMZ.exe
2124	MEMZ.exe
2280	MEMZ.exe
548	MEMZ.exe
2224	MEMZ.exe
2280	MEMZ.exe
396	MEMZ.exe
2124	MEMZ.exe
548	MEMZ.exe
2224	MEMZ.exe
2124	MEMZ.exe
396	MEMZ.exe
2280	MEMZ.exe
548	MEMZ.exe
2224	MEMZ.exe
2124	MEMZ.exe
396	MEMZ.exe
2280	MEMZ.exe
548	MEMZ.exe
2224	MEMZ.exe
548	MEMZ.exe
2124	MEMZ.exe
396	MEMZ.exe
2224	MEMZ.exe
2280	MEMZ.exe
2124	MEMZ.exe
548	MEMZ.exe
2224	MEMZ.exe
396	MEMZ.exe
2280	MEMZ.exe
396	MEMZ.exe
2124	MEMZ.exe
2224	MEMZ.exe
548	MEMZ.exe
2280	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1292	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1292	AUDIODG.EXE
Token: 33	1292	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1292	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2572	cscript.exe
2188	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2188	iexplore.exe
2188	iexplore.exe
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 2572	584	cmd.exe	31
PID 584 wrote to memory of 2572	584	cmd.exe	31
PID 584 wrote to memory of 2572	584	cmd.exe	31
PID 584 wrote to memory of 1124	584	cmd.exe	32
PID 584 wrote to memory of 1124	584	cmd.exe	32
PID 584 wrote to memory of 1124	584	cmd.exe	32
PID 584 wrote to memory of 1124	584	cmd.exe	32
PID 1124 wrote to memory of 2224	1124	MEMZ.exe	33
PID 1124 wrote to memory of 2224	1124	MEMZ.exe	33
PID 1124 wrote to memory of 2224	1124	MEMZ.exe	33
PID 1124 wrote to memory of 2224	1124	MEMZ.exe	33
PID 1124 wrote to memory of 2124	1124	MEMZ.exe	34
PID 1124 wrote to memory of 2124	1124	MEMZ.exe	34
PID 1124 wrote to memory of 2124	1124	MEMZ.exe	34
PID 1124 wrote to memory of 2124	1124	MEMZ.exe	34
PID 1124 wrote to memory of 548	1124	MEMZ.exe	35
PID 1124 wrote to memory of 548	1124	MEMZ.exe	35
PID 1124 wrote to memory of 548	1124	MEMZ.exe	35
PID 1124 wrote to memory of 548	1124	MEMZ.exe	35
PID 1124 wrote to memory of 396	1124	MEMZ.exe	36
PID 1124 wrote to memory of 396	1124	MEMZ.exe	36
PID 1124 wrote to memory of 396	1124	MEMZ.exe	36
PID 1124 wrote to memory of 396	1124	MEMZ.exe	36
PID 1124 wrote to memory of 2280	1124	MEMZ.exe	37
PID 1124 wrote to memory of 2280	1124	MEMZ.exe	37
PID 1124 wrote to memory of 2280	1124	MEMZ.exe	37
PID 1124 wrote to memory of 2280	1124	MEMZ.exe	37
PID 1124 wrote to memory of 1672	1124	MEMZ.exe	38
PID 1124 wrote to memory of 1672	1124	MEMZ.exe	38
PID 1124 wrote to memory of 1672	1124	MEMZ.exe	38
PID 1124 wrote to memory of 1672	1124	MEMZ.exe	38
PID 1672 wrote to memory of 2448	1672	MEMZ.exe	39
PID 1672 wrote to memory of 2448	1672	MEMZ.exe	39
PID 1672 wrote to memory of 2448	1672	MEMZ.exe	39
PID 1672 wrote to memory of 2448	1672	MEMZ.exe	39
PID 1672 wrote to memory of 2188	1672	MEMZ.exe	41
PID 1672 wrote to memory of 2188	1672	MEMZ.exe	41
PID 1672 wrote to memory of 2188	1672	MEMZ.exe	41
PID 1672 wrote to memory of 2188	1672	MEMZ.exe	41
PID 2188 wrote to memory of 924	2188	iexplore.exe	42
PID 2188 wrote to memory of 924	2188	iexplore.exe	42
PID 2188 wrote to memory of 924	2188	iexplore.exe	42
PID 2188 wrote to memory of 924	2188	iexplore.exe	42
PID 2188 wrote to memory of 944	2188	iexplore.exe	44
PID 2188 wrote to memory of 944	2188	iexplore.exe	44
PID 2188 wrote to memory of 944	2188	iexplore.exe	44
PID 2188 wrote to memory of 944	2188	iexplore.exe	44
PID 2188 wrote to memory of 2972	2188	iexplore.exe	45
PID 2188 wrote to memory of 2972	2188	iexplore.exe	45
PID 2188 wrote to memory of 2972	2188	iexplore.exe	45
PID 2188 wrote to memory of 2972	2188	iexplore.exe	45
PID 2188 wrote to memory of 2568	2188	iexplore.exe	46
PID 2188 wrote to memory of 2568	2188	iexplore.exe	46
PID 2188 wrote to memory of 2568	2188	iexplore.exe	46
PID 2188 wrote to memory of 2568	2188	iexplore.exe	46
PID 1672 wrote to memory of 2580	1672	MEMZ.exe	47
PID 1672 wrote to memory of 2580	1672	MEMZ.exe	47
PID 1672 wrote to memory of 2580	1672	MEMZ.exe	47
PID 1672 wrote to memory of 2580	1672	MEMZ.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2572
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:548
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:396
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2448
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=vinesauce+meme+collection
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:924
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:537608 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:944
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:865294 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2972
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:930853 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2568
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
24f4c41bf7ba70f49b71aa4ed3c2a414

SHA1
1c70530cd8c5a2fd9f511d03dfbb59d0e17ecb80

SHA256
749f6dddc7a679fe08ad9616286cfbf2dff8ab604a6982e87f20892e7de7f3d6

SHA512
5c253db92a9bc18fe7a2a8f49604788e8bc1a97b4a90fffe96ddef280dcd17f07396d67a0ff2eda54deacfee6a2c5fc27a6e31ac8a866a695d8e8346b0afd1fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
472B

MD5
3eaafcbad445ede3672bbd89fcc07638

SHA1
06987df2bad9cb5f87b6ad9bb8cea7daed55aa72

SHA256
95740f1570a2f0b44aaa0153b67eed26a3fabe53e0a3c91b60be184fd48bd4a5

SHA512
62dfe89ece2b858328816c14b1152fcbc447ada1ae24e222f4f437e87e976b0922d294b6693573f2b8d57cd34395e98c7947bf5c14d96b9fffdf669ac90013be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
f197d1de268e3b33a942c749ba6bede5

SHA1
a40a16e3d6e4779db874016d2d35bad797532b7a

SHA256
171d3c3f7a5b12a9ceb127ab1ed643dd93b7eb67dc2798996ff6b6dd6078a789

SHA512
0990ff2c012dbe21314b285969b6544d1fa11c872dfb1dede2b04b75aac062e17095f3f57626e841f461f0d332b304d6ace52aa008990559dd5055f3aeccf637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
b6696dc9515f84ad7f04b2ae9ba6f390

SHA1
6b6ee542ee3838b1761eaf7a1fe249e46bfdce1e

SHA256
8ee8ff2cb91fcbca0d091fcaf053a6c606a6bf6c9ace11a2175f9099848f976b

SHA512
ff71c0171e56eacb593f5ada3b1eeaebe75b111c82fada380c2f239552ab6bc5b18b30cdc15291db721c80264ba93a027845b12ede5507d4f24e4587b6554636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
9e4559651aa64a064aeda62396b46ce9

SHA1
b3c61f8146e7097a278467597efb65d9b6873343

SHA256
b61e9491dd814fbde05ce2a0eee3c8e272d4351227e0c0ff32c1bdd8384aed63

SHA512
a00a5e29480297944829338cdc49e5bd5674946c98d8b910c1e0c330f74373d592a13daf37538d3b82a813886c760ee4d479fdeb220349256f9f591e157a89b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a356f0659c0a58e641c96cad28a9e445

SHA1
b64f3162be3835eb377ae1e080b7ea012fea1ec7

SHA256
09c56c1b7b54eedbfc3863a6f274525c9d33dbf4bb8d294be10c2e670d34260e

SHA512
3dc82621b0341694c8918e723181805bd956d2c966c8003eab8ab2b041351f5bbd1913c8c557f04cb84fcf99be47f9b818a560d67ac0284aef6fe367529e51d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
398B

MD5
15a6e621d0b8160e91a7f8a2dd5bcab9

SHA1
8ed745ab571a7b356b491c76e6673145b7988b03

SHA256
15800aae945a0cfd3d3ab157a60d0bbe7ec70b2e9e232fb20c1c17e85418bec5

SHA512
fe5718cf16aad997c7e43d45f52eeeb3460ddd368a6990ec78a6a5b43fac4a894df19f5b60c11f03da27bb285ed21ed27d926507e3d2741c21f4ee5e4cc8593a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
83529997b2ee3fe9b2a1f86457d553e5

SHA1
b66bf2705977bca38d6f64c2d946ec74e77e5862

SHA256
81d0c8748d7786d7f2ebde1c275fcc52ae34534f87bc9420899e9df1a423b256

SHA512
4c4017500304a8897be11752329549703b3045acaee3335a6273d722efeeef4c170c0a26f7740ab35e57eac4cc9eebacd8d8b527e42b8c68296c5cceb858c55a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e7c52bd90590e4eeb6cd8191ca5bc26

SHA1
2a66c0367e79953e96085632b1f3f0e051615159

SHA256
fc6c906ff355faf5f881eca8985189a501c461d545b285f5dbf30e308dea5d8e

SHA512
21596f13bdcff3732b18f903731e3413b106903f928f3eb7c6b4a643e7c645f0b71fef46528567b3f7bfb4d7c025fabe4c418b6651b1da287d8188a83e83d9df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44f4f8e9cfba47b39c07868a06f4308b

SHA1
6f800cd9daaa2dcbb54c09b7b2f7510e9d2d0927

SHA256
d2cc829a8642521bc8ff0029bce248ff959e71d68d38c0ff6fa9b88de4c6c605

SHA512
00db45d4837343f045561cae84e7844088e272423bffa26bf812498c16c5b2e0b8ce6a5472d5e19769c336e22da8a07c40ab291033070fa7ab2f89f04ad6458f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c413c224207e289e7384799cb8579fc7

SHA1
1210074394e54774ff0d9403ae9360974b9080d1

SHA256
221713eebb557b5c18229c58d7cc4d435617dff2cef3eae621f3070429a52c0a

SHA512
82ae2ae3c57075eb41dd065aabdcafde8dd831513c7dd94ec2e54a064a4799c8415560de777529fe5a89228b78d5224513c9d007310513bcb73b0f611ee31c94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1fb13594e45974f96464b4969dfcc83

SHA1
4e0eb63b827860cc5ac24eac9cad7b3c08d75ee1

SHA256
523888dbfb244dc58a53cdeda01aab927fcddd114952ac0ac3fca5822104ddaa

SHA512
56882fa6be47cbce40bbe57af4b0f5346dca1380180ca8158e9c24b30466ebe8359db490326cfd5d5d40a906da32f81bd97d20a874eb72bde739dd6900c41ca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08d7ea24f36fce6722991c13c6edb475

SHA1
0644ab31c8ff8df5d4b29a2c44e5567d5e0c7df4

SHA256
b1eade631af6129787be10b8441314d254e35f5ac0477d33615d1482ffd9241c

SHA512
3f857e2c4ec0fedede34e6a53730d2bf16873f437e474e4dba905e9bbf0fab45485872dab3e316db45e3d66872bd12540f03df1d97fdffbf32d2086b6797b175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b3ab9d2462ce42d87d478aba45c9f5c

SHA1
c947dd5f293aa0854805068e9f0a4a78cbabdb6c

SHA256
ec2099365ce2d083a94cb0efcbe197d2dc973d76ff391ef3d5943f1c3dcb3839

SHA512
b4cd753adae6838eaba3625b0911c3a981eb6e40b1cf13041815accbc5566752ac934c8e91c23e684cb482db3c18db8421cdefb2c59c49775e1460ea9d32b1f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ea8dca86e49d292ef727db893ed7cc5

SHA1
05629490790bdc21f28ec02df52e2a9d597fec08

SHA256
f0d4e6c4c4f10c74480cbeecc97e93e8cf2b81824b6e841848b5b45493de55b7

SHA512
ebf16357521ef20bcb2904df27b00ea9d7f5b90b0a463f8693f1fd14ca5bc8d69da383f9e5b8e488a0d58c1bbe227cf8a6c05c5eba08390a1453680c9765aa41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfc32eb70059379d79aa13e4f28caede

SHA1
c4e2275ecd53191a6c46d5425447022de097883c

SHA256
02165737205709da2b4fed76cff037bb3ec2e9587117cc91e0bc7526ba338f52

SHA512
50a21c89737a994b6ef230d0e69e0504bf817ac2194d1a07a168909f14e452178d75dcd1d427429991adafc6f66849905f213272f6125193dbb087a097e55b28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e9fd1e0af9f2e2841a386b1c937bfef

SHA1
53b57683cec2a36d3b204b2c820389d1b7d9549f

SHA256
f332a4aeb49787a7884fefc2383fa655eb56185ad82c7803cfe377fe3504561a

SHA512
8181996f6d829babacac0d7d1f479e8d554f7fbdcd2bfafeb488f1c5a4090c1f51cfe5e424fe6b339d9016b452c6ec0ec246d156629bdf7354aae798fc778054

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf9aad255dd01ec3b51cc6e85c7713bd

SHA1
54ff934c08947ffa73ede3e07819283f2200b01c

SHA256
a2295f14e6c26697367add0c7ef07e03ee32e88084687efcd36dac6760ce745d

SHA512
f47137ecc2193e668668617b21141a731fe3d29606e0bc5567a0765ee6afe80f9a9440412f0d858727ce504bfd79f11cf0b9fb3b7abe516bb8cc54347fd39ac7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
199f85eb55c6157712feb69141d24fcc

SHA1
ddd3a2c572bd9a0a72e97f8b331c123d2f097926

SHA256
7a4e78c9a35124b6cc037bd416f5d1aa3a6ba31e8eb92966f980d9dd606d69c9

SHA512
36ecde097f37f5222959a25b778e98e330bda89085fa7d2416f8f2dd72f771a67af18bf9fea8cc2fd7a713ceec95ad503a5dda27f88b037fb84d74ddf19d54ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c58d6243b7998f82cb6eed144a543e3a

SHA1
79340ddbdef2ef95f811249df89d9348501b7eaf

SHA256
df75e281ec3225c5cfbf3986536f4e6a5e6d3dd72f49a0c76b882d3f32dbbcc1

SHA512
e88e226af8693012c094101dc98d533fae0f6e5bf947e857f80491d5300759b938c01af747e0889aadccfe2a25b36638cd56b9f2284cb81c609b7103ba3302dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fac4ec95255cd2b6eaf7dc515eb5f839

SHA1
68ede28e186843a8a0df62182ca40d28389ce76a

SHA256
5431462c60374e47c5b8836e2f98ae2c0c82de33f13d16cf00358c93a42cbdd4

SHA512
bbc6152118a93f68459431807d8e8eb5f7cf68313bcb3b70537b3467018c856b129e0c1d82d57f876c119ba6f15c1f658a49fed8f14bd4fa69d21a12f68681ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2dc73d7e9cc73691e63769eb7a0dc3e

SHA1
a5f9e8336e815f15e7365ae7e790201fbb787df8

SHA256
4b6e328efb78e339a3c86fdadc59d3c97b7c289ac34db660519d605f52a7fb63

SHA512
2af0dd15b9de8f88fb8692c1db1628dcabb00bb5966c0b161067da41e6865f436ce328a66a381d412f8b1f5e6c4dcb46be1a6b432e2d79a9eb9624482d278e93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c2c1a4a9c757d4cb9e07ff5a7f63e27

SHA1
02f22bd71174e353290219311a1d7d47ddb9810d

SHA256
d784033187098248776f5f511e63722dd0bbc932f3468c7e1bb1363a85b6a34e

SHA512
5fe21dfe7671c0e18f07b5e90d0ab5294dcc9d53088b8d3bef07fd51632ef8feecbd56f4cb0c77b03048de776e44cb30f7f746282c96e5385a12fc0c55106fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3d86fb768bbd5ac78310bada28413d2

SHA1
63dec638ff0deac42ea56b16ddfadbd50afd7780

SHA256
3684f3e98d17893452ac4daa5694001f15929ab026324d97eca9441775f31bf0

SHA512
74361bb3c47450c583e339a07f0e32a20197048bc38e9bad4d96bc0b5bacb7cbed0649187352af1e5321cf88bbe76b42dff4a113a524ec2261c727c46ec15bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79d0c6077bd5c42b619800ae5968c984

SHA1
21aa0ab59779bad35520d84a11b1ac011c0db739

SHA256
8f421c5dbea544f7035e827253115df73b4d2512c7cc0180cf508a8515fe0544

SHA512
39b598bd2c6d4c91474d6c7532e6227ea762a74e07d74b95c36e860a2646a843676922551617792e77fd3c6bde65043a96119b9dbd1415f0d2ca60abdd7b37a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
733c8b51115bf47ec3f23d4050043391

SHA1
dfbe96201527775660a9a33850f58c3bda90179b

SHA256
461d15ce992719ba6f731a7c9b9ec0f3593331eecda61b77ce5f877cc23df2b5

SHA512
19640f0d0eeeb408563e75ad2d65e239751fe074dd14114f00962beb201beb9987a287eea0f981dd7b78bf302200a668c2e7f6f3e32b4057e98bab2f0a38206a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b251252d707fa20705c84081eb2944bc

SHA1
c8abaaf70939e7148d5ece1e9dbb2c4680938a00

SHA256
af7db6fe769da13891fa0d8c922d3edc10535cc9cf8527b982eab6a44322370a

SHA512
01940019c6f735882b5b59c00d1f269fd593a38d7403a22ff212838c0fad9070bbcea1d175b5ace88c3dc5fe3ce3deffaeb2eca821825a7797ac42ed60b746d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea0d77b739f8bd979e73a6adc3a6838c

SHA1
ab39e5a47c0dab48d0a49250e4bb0b6f92e918c4

SHA256
3c7e1c773ffe5a4bc3a7edc1537f517bfc6eedf1fd8780835435cc43cbbf408e

SHA512
bb1a75c8685b1603ebf77e2cde31a5981fadd0ae4ab601348918963685d14f2ffa19cb7d4e06dfe44684c60e89d1c914fdf36a423727d86db7557b998af9ea65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
720cdb2e739790c0c37b0530d1a5e4ca

SHA1
416a528811b742520c0c1fddf413b976c4c4cad4

SHA256
84d6a6982972aa2b2e59ea108eb754cd20f92d473a5ef3ed43daeaf2d9c8c1d0

SHA512
b262cbcc952b5c11dd8c8b0c15f11475dc6e9a3b6478cb1dce23e59eb86373c4aa82f6821799a7a1ea68a348278dcc0ec476bd3e9542f4e88d4d4c43bd0cb656

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eb07dae25cf9c187f55c8e52df6de8f

SHA1
3e79b400a718d96d637850f3a2143519b36df0f7

SHA256
aaf1440405f6af87006183a97dbb083562b1ca7c47c53a12bb7ee9751b0f50ed

SHA512
818b050cd125efde3979bdec79d6bf75d0b6fdd369b0ca01f33929a61edd2b0a44227d78ead118e6c5209cbf2a09e5994b3c4dcbd1b2aa9668b53af39b2f8e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a1645bff3eceb5b843baea949ee33fbd

SHA1
50c3d663d215273929696c71663363fb5e1ed533

SHA256
0042ea5ab50992b0fd81a3f0c94614071f36ce0499602960d6fa76211cb281fa

SHA512
1d44d918f71429eec867e831a25a4600328ba2bdbed4f8fde124efbfa3404c5df94c1bda708237eb755cd0a3981aea65b387c1e1b3f4b85ab296f32d99700226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\A030Z3R7\www.google[1].xml

Filesize
98B

MD5
661fa013d61901d3509f30639ad6d813

SHA1
4e215d3f3a60bff1dd8e6f95428e245fa0ae15d3

SHA256
c6057f6ae677ec3350ec4c66bc19760c136e088e0333128a142af5a4b15f38e7

SHA512
ec655bba51a4f9c019941f114c65133f15408929369e59c8234b3281a71afc2ec1642a99134fe580874b8166eaf6f4a98048161e16869c8e01f2aac200f1eaa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z8d0nzh\imagestore.dat

Filesize
5KB

MD5
88cdc83a63f564d230669733bfed4f35

SHA1
5029d2807893dc588143799f41ca3a3dbc925676

SHA256
d36b025465bdb4196cd1367cdd9b1bf18996fec9c61a6666f2400c77be8d369d

SHA512
d2d26fa3658c81190efed56ca9a1e0c76f66e3c01bebf85e52bcbe501a570f24be72f4345c20917bdcb6b9c987c25a54a2e089772fc685000c215ba71f3d907c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\recaptcha__en[1].js

Filesize
547KB

MD5
19ddac3be88eda2c8263c5d52fa7f6bd

SHA1
c81720778f57c56244c72ce6ef402bb4de5f9619

SHA256
b261530f05e272e18b5b5c86d860c4979c82b5b6c538e1643b3c94fc9ba76dd6

SHA512
393015b8c7f14d5d4bdb9cceed7cd1477a7db07bc7c40bae7d0a48a2adfa7d56f9d1c3e4ec05c92fde152e72ffa6b75d8bf724e1f63f9bc21421125667afb05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\webworker[1].js

Filesize
102B

MD5
c206147c7cae99642a4f8a2c640a0019

SHA1
8c32b7b7e0807bbe85e5c8c94f87afea31eedc40

SHA256
6f55adbecce78b9c566f8dc830177dc91782702ff35f213f009fc2b902e25603

SHA512
0d94aa53b801ac69a9bb4a7df4fc0e00b6ffd1c5668a6fee4efc11986b7f516eb27a8a0197c0106a4295acd5f63c222ea2f1bd9431bf2d689672ac91c5528eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\-BI9RTDu-8BxHETcsTOjKWTLabkSJqe6xhYO-L_zfak[1].js

Filesize
25KB

MD5
16a0d41698c5d70e7a56c0177de31cde

SHA1
22d67dfe0defd61d847f607782bcebfc8945cdca

SHA256
f8123d4530eefbc0711c44dcb133a32964cb69b91226a7bac6160ef8bff37da9

SHA512
90728f9da056eedafe7599b9d9703deee36d1318c87ac8966680096a3328177a88dd946b236b8f1a04d5318b20554085eb64986d2f626e09d3448ec3c4296c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\api[1].js

Filesize
870B

MD5
959fca740c230726e5a7cdf2b7603468

SHA1
1fa3eb9690cb728a4ba96846bd8eac87fa914073

SHA256
1a7a8da967879cf8c53e114c331242c5d44c39d4b4778a0824bc2f363504c3a5

SHA512
c493d157fdb40ca20752cd7419c3bf837c12831ef05d0d3e41844e17fc99096d1a7429adaa58ade3eb99aa5e5ce4ad91af8ef7c25f36c7e69f341ad0f2e88e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\styles__ltr[1].css

Filesize
76KB

MD5
6aec8cfd5d3a790339dc627f9f1229b5

SHA1
b6c8cffe38e1015dd8595f2dd1a92435e2795874

SHA256
80583fa3c83831a9e036eba0500d1b9c0d30892d0701f1617e0fafaf5aeaa2ca

SHA512
4279e479c860007d04cd6ff0b8c45131c18d87420cd5ceb5c727a7ddbfb4206d007069102d643da97c3bf01d0b756a2ef4662c8e39b6969fc154de3c763b1efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab43B7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MALWAR~1\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
65fa693dc5b0a587453810111eb0d900

SHA1
1c39a93b423de6e678653d4178f48d4b324ecb6c

SHA256
8638fec818eb7f548a7f9648bd0bbc958fe80ce2b96fd059f69f2921b71d91c6

SHA512
b57930cc24a4b2f667af05ae6304f4a145d2ba351a6d7c37427f714685fb323cd6af5b860c7f079144a357e1027707270dd02cfaf94c010cbca7c2e46c870efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43B6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\49TSOTVD.txt

Filesize
123B

MD5
117e37ae1708760f42f25afc128f41f3

SHA1
c231a33f444ecb227083bfe169ec68bed3621e5c

SHA256
177008bb0cf2a0031c6377a40e3946beaf17aa30c29a967d9bcbdbd823685f7d

SHA512
c7fd383ccd9343628346afee0180675ed1a22f632fdd9fb263bbeafd32410c666aaddf8e2d94f0b87402b073b5d70ec6424792df1422c7dd798e189bbde7eb41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\63SHRBKG.txt

Filesize
124B

MD5
d6073df9ad8190ac083ac8f9bb3df5e5

SHA1
fee584ae240e0bc02effbce9ff4ab4817fbadb76

SHA256
f89d3fc910d03cdab0ea4b4147d5478dc5da56dbf849791958080ce623d90ab4

SHA512
4712df19471c743b5bccaada7a6defc200c04bf6dfd5f9858bf503f4098b1b007866a5093b881d99c1a0720b447ea5fc06ef69ec46eb1d27e7208e2c3920bfcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ALGTNL1W.txt

Filesize
123B

MD5
e4858e94863dd9819a78e450ac843d42

SHA1
12a9cd19637407fa5aa8cdcb75207c0810164912

SHA256
6f1539e66700eabed54710ad727d894d04af9deb722a3f4a44df34924e284bb2

SHA512
fbe8066e154d1bfe655ddc0229d28afdc1ea9f7edbeaa6db2da084b17bb54d9f241b99994f87ff119f4822e9acf1d85e2365448eff694808cb98379ebed35bca

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2572-167-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download