2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
3052	MEMZ.exe
2128	MEMZ.exe
1552	MEMZ.exe
1472	MEMZ.exe
800	MEMZ.exe
2044	MEMZ.exe
408	MEMZ.exe

Loads dropped DLL 1 IoCs

pid	Process
3052	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf0000000002000000000010660000000100002000000041e0cbb474b38c1046c187b8a5a32875a8bf3b9c721d65345c7e03ba6597f932000000000e80000000020000200000004138df3c84e978862b12d21ee572410f8ee65288f8472d58de6ff33931fbc890900000003828a08fa5a63e520a2737d879fb20fcedaa80f66377e935a488a59934e6009e2cd72c0459e0620f75ec6e13aae12c9bbfe0acff80297444a72c8648a9c214df813b055987b0e51084b4c3e7b65a17e3185c10162837fa84c2a916aa8140df5cec9dfa19031b47a26e2c7413d49542a801249f4edf6c40f6c198b98ba0167202812afc768a5e1f23a4c167d7a3c0e46940000000ff20327bdc8884dc7cee1a7edba22cb996e567b0318dece82b810dde2c45e2073ee6da74bfa63ab6a8c6e1d5bb8004b316a15c17247f1cab69c5dad680f6c66e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf00000000020000000000106600000001000020000000b92e5a71f9c577f0e6556b490e4d84e4aed379bed20b42f9c469fb7f86ae7704000000000e80000000020000200000005599efe95fc568d32075f407daf1045fa81f80a3f5f97710dfc887d2820aa7bc20000000aaed00fce769b8258b4285e4f10e8050f7d603a248f34cd17c91ad466770dfc040000000ef321d37ce41b8815a823f1a49eb1d3f783008926ebb7bc88dc26295a091efae3315fbf074096d3a0c6f2841b3c1a4df036c1e45e4a6825968413b69f1490e6c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45578801-D4DD-11EF-831A-D2CEB2690DEF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443285097"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50d6e716ea68db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3052	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	MEMZ.exe
1552	MEMZ.exe
2128	MEMZ.exe
1552	MEMZ.exe
1472	MEMZ.exe
2128	MEMZ.exe
1552	MEMZ.exe
800	MEMZ.exe
2128	MEMZ.exe
1472	MEMZ.exe
1552	MEMZ.exe
800	MEMZ.exe
2128	MEMZ.exe
1472	MEMZ.exe
2044	MEMZ.exe
1552	MEMZ.exe
800	MEMZ.exe
1472	MEMZ.exe
2128	MEMZ.exe
2044	MEMZ.exe
1552	MEMZ.exe
800	MEMZ.exe
1472	MEMZ.exe
2128	MEMZ.exe
2044	MEMZ.exe
1552	MEMZ.exe
1472	MEMZ.exe
800	MEMZ.exe
2128	MEMZ.exe
2044	MEMZ.exe
1552	MEMZ.exe
2044	MEMZ.exe
800	MEMZ.exe
1472	MEMZ.exe
2128	MEMZ.exe
1552	MEMZ.exe
800	MEMZ.exe
2128	MEMZ.exe
2044	MEMZ.exe
1472	MEMZ.exe
1472	MEMZ.exe
1552	MEMZ.exe
800	MEMZ.exe
2128	MEMZ.exe
2044	MEMZ.exe
1552	MEMZ.exe
800	MEMZ.exe
1472	MEMZ.exe
2128	MEMZ.exe
2044	MEMZ.exe
1552	MEMZ.exe
1472	MEMZ.exe
800	MEMZ.exe
2128	MEMZ.exe
2044	MEMZ.exe
1552	MEMZ.exe
800	MEMZ.exe
2044	MEMZ.exe
1472	MEMZ.exe
2128	MEMZ.exe
800	MEMZ.exe
2044	MEMZ.exe
2128	MEMZ.exe
1552	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2700	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2700	AUDIODG.EXE
Token: 33	2700	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2700	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3040	cscript.exe
920	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
920	iexplore.exe
920	iexplore.exe
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 3040	2852	cmd.exe	31
PID 2852 wrote to memory of 3040	2852	cmd.exe	31
PID 2852 wrote to memory of 3040	2852	cmd.exe	31
PID 2852 wrote to memory of 3052	2852	cmd.exe	32
PID 2852 wrote to memory of 3052	2852	cmd.exe	32
PID 2852 wrote to memory of 3052	2852	cmd.exe	32
PID 2852 wrote to memory of 3052	2852	cmd.exe	32
PID 3052 wrote to memory of 2128	3052	MEMZ.exe	33
PID 3052 wrote to memory of 2128	3052	MEMZ.exe	33
PID 3052 wrote to memory of 2128	3052	MEMZ.exe	33
PID 3052 wrote to memory of 2128	3052	MEMZ.exe	33
PID 3052 wrote to memory of 1552	3052	MEMZ.exe	34
PID 3052 wrote to memory of 1552	3052	MEMZ.exe	34
PID 3052 wrote to memory of 1552	3052	MEMZ.exe	34
PID 3052 wrote to memory of 1552	3052	MEMZ.exe	34
PID 3052 wrote to memory of 1472	3052	MEMZ.exe	35
PID 3052 wrote to memory of 1472	3052	MEMZ.exe	35
PID 3052 wrote to memory of 1472	3052	MEMZ.exe	35
PID 3052 wrote to memory of 1472	3052	MEMZ.exe	35
PID 3052 wrote to memory of 800	3052	MEMZ.exe	36
PID 3052 wrote to memory of 800	3052	MEMZ.exe	36
PID 3052 wrote to memory of 800	3052	MEMZ.exe	36
PID 3052 wrote to memory of 800	3052	MEMZ.exe	36
PID 3052 wrote to memory of 2044	3052	MEMZ.exe	37
PID 3052 wrote to memory of 2044	3052	MEMZ.exe	37
PID 3052 wrote to memory of 2044	3052	MEMZ.exe	37
PID 3052 wrote to memory of 2044	3052	MEMZ.exe	37
PID 3052 wrote to memory of 408	3052	MEMZ.exe	38
PID 3052 wrote to memory of 408	3052	MEMZ.exe	38
PID 3052 wrote to memory of 408	3052	MEMZ.exe	38
PID 3052 wrote to memory of 408	3052	MEMZ.exe	38
PID 408 wrote to memory of 3044	408	MEMZ.exe	39
PID 408 wrote to memory of 3044	408	MEMZ.exe	39
PID 408 wrote to memory of 3044	408	MEMZ.exe	39
PID 408 wrote to memory of 3044	408	MEMZ.exe	39
PID 408 wrote to memory of 920	408	MEMZ.exe	41
PID 408 wrote to memory of 920	408	MEMZ.exe	41
PID 408 wrote to memory of 920	408	MEMZ.exe	41
PID 408 wrote to memory of 920	408	MEMZ.exe	41
PID 920 wrote to memory of 2504	920	iexplore.exe	42
PID 920 wrote to memory of 2504	920	iexplore.exe	42
PID 920 wrote to memory of 2504	920	iexplore.exe	42
PID 920 wrote to memory of 2504	920	iexplore.exe	42
PID 920 wrote to memory of 1100	920	iexplore.exe	44
PID 920 wrote to memory of 1100	920	iexplore.exe	44
PID 920 wrote to memory of 1100	920	iexplore.exe	44
PID 920 wrote to memory of 1100	920	iexplore.exe	44
PID 920 wrote to memory of 1804	920	iexplore.exe	45
PID 920 wrote to memory of 1804	920	iexplore.exe	45
PID 920 wrote to memory of 1804	920	iexplore.exe	45
PID 920 wrote to memory of 1804	920	iexplore.exe	45
PID 920 wrote to memory of 1984	920	iexplore.exe	46
PID 920 wrote to memory of 1984	920	iexplore.exe	46
PID 920 wrote to memory of 1984	920	iexplore.exe	46
PID 920 wrote to memory of 1984	920	iexplore.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3040
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2128
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1552
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1472
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:800
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:3044
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=batch+virus+download
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2504
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:275465 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1100
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:799758 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1804
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:799779 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x168
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
273ff677888fa82c7b7de7cd7cd1afb6

SHA1
796192d452b8044349c604adc3576423b2c21004

SHA256
510338dc2cd22605d968c4fe02b4f82e036be4c784f57e312067bffef1842fd3

SHA512
5d7a08ba6cbf2a88c806427c6d0fe4c678aa2bf921a4f752bd029cde945397d86bd08f6074c39a7072dbcabe44f1b8d66cd076861324a4e4623bab72fa718671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
766dcbceceb99c1bb9b3ee02d18187eb

SHA1
50e38eaacc2a4a533f1aeb0affc076a24ef030af

SHA256
83f771647dd16e667cf88e34a69765c0974fec2c1dcdc9a1ed19bdb95fbc82e7

SHA512
3a6ed996e75f6c535605c6ea0bb18345033f1c38e143931370639f7592dfc67574c005bc8a680630d2b91f821593242fecfc020b0068585077d70e663936d027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
8adff43663456b7e533621fad22c45ab

SHA1
ea3343ed7dfaa62e8ec86f8139906d98de6a66e2

SHA256
c3e18e6d305a76e6c888995d4b9c5ac56f430f2e11eb630932f40b2b06c99ee4

SHA512
716b6f95425b232fe169393ddfdee1b92fab4b34c02b25112be8847a83726422487f46cd372de72b1c7c701ef02e65fcc9dd13f565264bae8bb64d7f94df28fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5fc9d1b99d81615e1e4e947915144982

SHA1
eda50b5330e61fc24d5e2187689ba0d93d1f302f

SHA256
0f9439c35d4742f49a797252fb7a5fea3d20e6f6425f7c2c4bd1059daa3614a8

SHA512
dc694929e60b9ea04a7a02f79e0fd08f09bccf342e112e2c1bc0bf11fe7dc76ef0a9643a3af5c9f7d4c8134309e2f08182e7467d91662c2a5ba145ec143c77dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
66a0ddbd7f2c2bced9a72d074ce37ccb

SHA1
f5fc977db802ea3c4620f40cd2d308df52843855

SHA256
32d8f4ef50edc9f4d0369002c75effb91b1af9f273728cc564fff8b26afe220a

SHA512
181be774901482fc3d28d279a6916fc262b109bb7b63ee9ca1aa2334619fbc6a2f461feef1e3d79e0a6820c9f2d082837df3cd2c0833b336370d037ab1246f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
478fb87c38ba4b331d869de50766a2b2

SHA1
8a976d1405ae16d7b65c0c4412f2c82e188796ad

SHA256
3fa19a54c92eebf7340ccdf227886fad27719d0862ae7afac407550b38a8e3bd

SHA512
02638eb259afa9711e52c2a4fcb886ab426641b425687580b17136b7747d72f4a2eb3ba4345517fb2cdfe0d9c85a61303ad16ee878ac5195fdf9a7083e1f8c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14b3234916f2279ae8142870c5693532

SHA1
37f1f6f2d312fba9fb34131bca3a884a37114e50

SHA256
f412e635d8818e23687face7ddb5d12abd084028836ba975f5bd60a9eb707ba5

SHA512
b4b730920400fe1be4a4683a1c3688428b7298283304c15372b35bcffd749c847782d6d8348f38303ddae332671b7382cb0ad464bf1b44f397e1a877d290c938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32dcfd83ba72871e9f3cd4f76c3bac1c

SHA1
092671d68d4b5b19f4df4aa17d9683f2c264f2bb

SHA256
9e87304abdcc66c7712fe13b83ce5a163ae88eda78e9b0849ddae57ecff90e57

SHA512
4c7de10c0c7379ca5ecfd8e17dcf852dc076ae12229df7f1e8b1c3d0e186e632f7236bea289bda3ef47b85710ab0af313400f3d4cf7bcd233a9ab804f89f8e83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02323312c34611b703ccab580aa7f745

SHA1
12399d9b362fdd9675f5e6b383742e93d9909332

SHA256
a30b16094825a0e569374a8815c7487119d35f8f226bc48a6e97a034efd97a90

SHA512
eca88dc5d742fa7a5ec89fd61c330b0f1fa978df244f3668bbed2e44afa04c4c66649fc58aab71fe4e80a36d7c2c8e6191c8df61d68d10b12cccb67afdcedbc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
547a5d520d599e6da26ba6aa21f64a32

SHA1
4e8716f3cfc25cefa553b61d65d56cf287dc573b

SHA256
23bc58dee15700e6db4d50d9413c322c6d6809d10e572fc56bd1981cb65ee6da

SHA512
88614165101fd62b89d59b62dba320195025a053db8c9d9268890151b45c2aca76ccf8b1a690bb193e98ec924a165a448c1cbf100590eafb55d7dc61a1559f1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
302acb20d8a0344f6aabff28a826ff47

SHA1
ede14e98b8a52f310ec2affefadd54fe586e6349

SHA256
f95c816960b8a61b939513e4cbd841385d8daec3cf645134a92ba50fa33fa29a

SHA512
89d25ac6d439be21fc730b3a2bdea3ae1e198a4ef27e464794f351356b771a457ddcab48baee80efd232857b3155a79ef2959fe1667d5009058bd856b6c96d60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa361b87d2c77d8a417f075ad593527d

SHA1
6e5929871860aa4c6597a5e84f25aa6c493d3cc0

SHA256
86d449c5d236573709b9417144bc10f405417c6e53ad3d3e8f337ced6eb90abb

SHA512
96e934619008bba35f247027ee66a2f10f9a4ca088b1de0775c736ff52010717331a0142673965f528bd3a4bd0a40d4b579866bb7c4c8f68a423136ad7400d5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4212e613804eb23c643e8e18a6260656

SHA1
9eff722d2146605701378d1387b61b12b7a4e9bc

SHA256
f35c384a820faf83dab0722f959aa5215dd6ac10d5da71f606e7af60c84a7e10

SHA512
134f31633d38dbd9ccb821d3438d2de9812cb58e2abedfb469ba92c3c9b7c4fa2adf16e6a04779ba50a8e229996364442d6413d5e9782332d1c87fa07311e884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2afdc28d28b92b6808a213ffdaf579b2

SHA1
6989e35e4d60a79e1a4968474af2a640633c1699

SHA256
c75f3204ef7deaef5f8ac192dde25fa4fe0bc7067ae1b5d2b4fb8a6a76eb5bf9

SHA512
57d31f99ae3b38098dacd260adc5d573429a19eda789f0e7e4d4224c78c670f6d0b5abdd315b6a43928961146b518df053f174f3d51afb618e46e3fa3cb6c53d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd0d6268e877669be98ffe2c2142ee2b

SHA1
79740ddefa71179aa8e8bb14d19f7093a59512ef

SHA256
ff7ac3c6dd0e141378da07ab809a4dad5af0f5f23884fe37a234a72fa1bb6aac

SHA512
aa7e8aa65fe03b831a757e0644659f599b13ba97814cf3b380aec5163745747722e89ef44a60eb6d36f2796dbe6c26bca1534c60173619a401ff015b2979426c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeb7c479eb7f627c4bd888e71315b9fc

SHA1
e0ae544e12dbad8c7129c310e2b0240755f637d4

SHA256
af25dcf757d4c65d4ae3564e3bda3c30d123cd867cc496e528128587fc6ff371

SHA512
ba4f3ad1a25a15be3ac1b9d9e938649b78fc9ede81b05a08fb1012c2c498c43f8633bd09ff2c7ca9f992582e3fe02075489b960d34bce0a31a74258e66553072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08b9d7b67fd0c731220cc9d325c55f5b

SHA1
4be099559e2c31e694720d773ae4c671a0a02439

SHA256
55082bcc8e0815cd870d9a375df44b53896ea7a67e8265b9cac12e3a3c13e230

SHA512
692b3e062f3d0c71d07e69a851084e00cb0e1f7636fb5d78b7fe2cf1f3d0d5b9fcdbf8bdb1189f158cdaf402753dcfd626ddf36bace5f8f7bfa542a3287ec9a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
679efa5e4bcd35dac5fd059db100dd29

SHA1
a54d8d93207fdc61ace73af56b7fc5d45cf5688c

SHA256
9d3387cbf5e99bb30c3cb13deef795fe7f1a9837c753a78df9b50e03f8910533

SHA512
88a38a9140c99ed64415a7dde3869f59aeb8bbbedc6acf932b21c964e1ef6399c64568f8bdb1d8bfc359d282ffa84edc5e66e3b7ba0ac43819dca6f675938398

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
377eac6ab6adc36ce02a0f3a67e09248

SHA1
e33b3ee791c0a4e4e7e61795d07598c93a40fdbc

SHA256
b4b79eb1613385322e7b9a9cc32f5385389a6b502e132bdfd0a30b1d787eb9fa

SHA512
4d1c6b8b4f05691966c726cb8ad449e1af58646cc0519b5c567723f47675f8289caefa86951c09171434415cc1c3be16f34890de058b54a0d2d0dba53340b9bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f68519a21e84471542839695b7a00a4

SHA1
64cb6bc20019780c3353710e0753ed9a44e1a094

SHA256
67ef3b33ea58be38eb0ca83daef4fabcfc8074bc04a2c4ed5263fe3ee615bf1f

SHA512
ab14bae270d161e5e7604000f7ef4144ab94509c44f97c84ed8b4f57b70e0d204943f05827e206771e7f1288a0f639ba32fb5a4b28b92c952757f333e9117694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d4b7e590563b06950afb65f57d281fc

SHA1
7e389fcb59750581dd7edec89f5936c08ec58f62

SHA256
65bd92634eca0a5a3a86a73799c0ccead5a8a94e32185d3ee917bbae5c278981

SHA512
b187e7e5b539c481d935dffb6dae8d1e83fd84420d2b893901036f92b6d056b048cfe1f099d8cb025253ba94de3efb2128d5ac5af10a9af1104966a35af3b7c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ebd0aca6d84ec4e04d4192db552408b

SHA1
f2bd3388d12b434b78b52bac0ba0c775053ae51a

SHA256
bf989177039aca3d8549aea9d1cadaec738b923858fe9308a8ca8e21436d8840

SHA512
1343284e450471627ff751395309005be721d54ed2a89e478a5a7e086ec68f2c250fdf79660cb382df327ad247cbd65ecf9a8c1c92e0045141b8963773b03fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0554db0c1a8f12822e1d3e50c733df60

SHA1
0ffc00954200b6ca71fe9617324ca46f347f5707

SHA256
51c12e40519a7dea74c3395d79b99d486f598cd316d72fc4921936999ddeb34c

SHA512
3fa241fa3055348d921fca36c84173cc0bf275ad59b22db4421b2b37243090944c93e93d5581e6c06e90015850ee36946e6003342a0f591cfe40284f9a99d705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
145feb6f0b66fcbd449df3afb59dfb10

SHA1
9c2805cf36dc4fecd42fbf6f037f390f91ecc78c

SHA256
2287aec3393dec72fbf3709cbc78cb12e34f9fd0bc2643e5a1864ae602024afd

SHA512
953d68e8c04fd346951d944a61dca96a284e9588d6c67c04822619ebcb0edf957906810205005da76ae8148c9b62304b40d01a029abf000de5f16ba7c0d69ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14f63251128fdc3159ab98233933cf82

SHA1
4121137352d96b179482322a5340297e4131dea6

SHA256
05f4b71c9d96ed4a48874ac6991955a376d0cdda551b4cc53abc352c27388ed9

SHA512
f54b261d50ce613f01d3e4ff4136fe41c84a5223463516b5b17cdf5a777e9f0d5192b4662f5f585dedb4f9468d7210d93617b08bf2511a05d685cf1dd92ff517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be1f1e6d5f482f6ba6a80027ec146ee7

SHA1
95d3b539e6080b0adc22187c69120fa6df76efdf

SHA256
5f9886f7eb9f7a131d48bb05f98d0dd551d2c5498b23a937fcc4ce56d5f3979c

SHA512
075a19a647dca2e4de5fefcc068ed93b1e95761048a8fd8d041ec8ceb3cfa87bdc4975332fd007c979e8bee86a7de0032eaf87ede62ca015624b3e13768b4d2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82ac0247ba31e0af8225bfaf501e165d

SHA1
54f67e93b3ff2a7dc2718451ed965a2c822093fa

SHA256
4329ab23ee1925aa110364606baf4e25d71f66a6f66a7b3d284637d909f2a759

SHA512
aa0f497c215d2d8611e5e02defac70d55063d16562056ce98d42d31f3fb7cf42b4d7778b7b8443bdcddf9110b10c52807d62be54d8043e6ce571c90b8b63d808

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c0294a4b1afd0489820ff89a77302c4

SHA1
e1711477caf45677a9aca469988d39c567e564da

SHA256
8550322bf771890edddd4777e4269392531fd3101b441df76a74117bcf090ebc

SHA512
bbb74d66e0c73e8ddfb14743ea6b2161e32f6dfb382f389cbdd37f4e56f87c5b6f72d521708c0f4f575763a1568b16284c84a6395e8568996370506771eaad0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
74f8371252720853d9247ab0343804bc

SHA1
7c69c373820ac12c78e3b8b595d9f8abf8d599df

SHA256
01b595565a46e0833104d6fc7aebeca5b07ec9671a156d776ee8347e03680f81

SHA512
952c2457f2f91c76df8a7e3d6d8b866a26da44f09a94a8f4bc75702cdb68b95591b970a7afd971c7353da719ef0b9acd76f8f35351a036e1e847672c8c11ae43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7V0GSZZS\www.google[1].xml

Filesize
98B

MD5
35c6d605262bf064ed5b3a75cb255532

SHA1
fcec848a1cd7d6c86e2a51302fcd0031990de7c9

SHA256
96c12ebccbfde780e83f347bb74767508e1c841952712e920ee0d96984d9b190

SHA512
c0c15008b07624ddc46fd09748797b15150fe8d81c80434eb7db110a8964325f3777658cc8b46ac0bd8a0e6a2b62054b11ac665d01f21987eefbeca6248ead9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\78076te\imagestore.dat

Filesize
5KB

MD5
58b7346e5d1d50021e0d66f2fbd6eb36

SHA1
7a92f2dcfee48b9627d3ac1da634ecb68746e9a8

SHA256
12d9f281958e2d7242d98be9d5fc370c1eabf131cedd0e96fd17359c04d69ff2

SHA512
3f47ecbc21c1eb1f17c0d6c15f0d77248949e2ec5d89cbd057be354ad7342dcfcc9cdb5863d3d096cdfcc4f4acbc8760081e26c5d211a4cfc5d833091b30ea41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\webworker[1].js

Filesize
102B

MD5
dcf0dd9e2a4c0015bd80ce993ac84ff1

SHA1
6c4eda6061f7a7b9e05f439540fa26c261996fbe

SHA256
73943cf1ab8eff323e097bee9c52083255ee6e53b9abbeb193aa09fce212fa24

SHA512
f2d0a9e79d038ae1d00e6f4c08c3cf41af3e81ea8955e73052f89c4370027ba795080c867019497842a337f049d0112d8dd6c3f1bf5db8659d5f8428023128e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\api[1].js

Filesize
870B

MD5
9a90c06ffab392f11cda0b80188775a8

SHA1
395386715f54948ab58be5ad918b494b1ab86156

SHA256
ef7a5d110fd5a78289d4f71807784696ef0625efca97453caa6f3051e74a4c6b

SHA512
e40292115e00e2e652be3de796da6e860f99901d58adbd543edcc281e80fbee45ba35cb6b436cd5f7bd654eee8ce722a8f5fc41c6a40478f77bd2d6fb44f5780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\xvnkv013T9iQERax3LRLfLP-YGjo9lA-elXqPIIu0pM[1].js

Filesize
25KB

MD5
d735f7826775631410df2363ec8ea7fb

SHA1
72622ae88b15219ad1b00c72b48e13b2dd10e6ec

SHA256
c6f9e4bf4d774fd8901116b1dcb44b7cb3fe6068e8f6503e7a55ea3c822ed293

SHA512
b4fda11a5e56e7d1344a38bcd0d086b366258c751f18de79147e763f848cb4fbc76720b211913be2d25163a77bd505d918780a7dc089e976069d12a68701db2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\recaptcha__en[1].js

Filesize
545KB

MD5
1f233ff2deeaaacc3c11614068d6f46d

SHA1
6ab5f0fb0ada1228ef529e3d48961c36fbc21424

SHA256
dc987654372c681461a1ab9e9835fc0006367829e3f0cdccee51081109d7868f

SHA512
a44c564ba2ff696762dd9a9f05f38dbb839a594989bcae5c402222ae6d9a17a29942c99df9c473f043e928f98bdabb62299bb192613c72d5d5b3efde7dd36c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\styles__ltr[1].css

Filesize
76KB

MD5
a9a4c0df287886862263d8af0a6e096e

SHA1
4aeb13637cff035bb7cc47aaa42d61f306e0e474

SHA256
ad68a177a2d52e736095a6b7431fbfca3f840d66a1ea67090b55c5f90722b067

SHA512
a9605e4b740e3841366ecfb2ee8b44469057009279d8bd6b6455af13bd5863dc130a65c740b465e20e060a3cae4d74ef7b4da860ed144b89131c5406bf12cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA027.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MALWAR~1\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
3KB

MD5
021256bc7f934330b072c123e9b6f9b8

SHA1
48bfb1d1e7329dd385e6988bea6a7eb048f30a46

SHA256
9b9e41466aa4a7437f1e04e12f70a19a4c8e29ea76b90b927a77dbdbc0381ac2

SHA512
97e29361bae419b4e6d2977ac70e7fb7bf8748e71e84d4296aed4ceb9cb4fbba37e673e522df76b1be52844ed656f78172632f380e70d33aba6c2d9cbe19d9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
68086481b352be726adfe4aca6311460

SHA1
4f96c608c2a3acf23eda92bf80a39234e2fae22b

SHA256
cc73e2990e99d47471ec12092ca56183604c3c0d0bf49b1d13260ef22a58dcd7

SHA512
ec07b421c3bea856970c6258a7167f6ac369d14aa666f526e5755ecddb474260cfdd43b9897db3449c4e4226e27b386fd293edf9e741dd0ebd7e2e3916d4e702

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA039.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1BEN3DG7.txt

Filesize
123B

MD5
cd234a8e8795cdf9895e35f9dfba8842

SHA1
71646567b9b3b5799f366f2330c8c8ad4d9cce51

SHA256
d7118eb8dce5c565f3254539cde14795c7bb7ea1ffd1c937c3281378f39642f1

SHA512
18faa2171239b5b8720b00fa8c9e1047fa74102fab6e644458c2312e38d04ea9443d6b41d503a69b5a00aba59666bf49f0a8f827187c9d41c3b8d8cf5e117d12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KSBUIKZX.txt

Filesize
124B

MD5
8f1556e6d8f12b322e5d73d4d706264f

SHA1
e7f3215cc2776ee1eaa8f8daaa3209308398b63e

SHA256
460891da38b1ffbcf0d69fb84c701ad1b3cabff64e995b7d0a0659240e1559b8

SHA512
7c69fd7bc4d4b10b32f502a242d5789062a6aff2dd39ee9d8b39e7272fa2be6fb814f66015f58ecb9b27b41c6d21b4d134696e0755d2153db336fb8c0ff716c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VGAJKSRF.txt

Filesize
123B

MD5
b0d612b3481622cf8432fa3f8156bad8

SHA1
20a0ec82f4beb1966e55d71c2f4b4e4ff440d4ec

SHA256
e3a9562c426ec522ebf4ae0f49e40f8187154aa3a9ae3bbf95f5e8da29344253

SHA512
bd8bfa72782849aa0218af21eb46d0687f0bb70a84f5eba48921a21ae297bf7262c5f2a8b8ec7702b3a0169e0309ac7158dbf7065e50bbd807e1acec52513f75

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/3040-167-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download