2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

13/02/2025, 01:26

250213-btppra1pcz 10

17/01/2025, 20:14

17/01/2025, 20:12

17/01/2025, 17:25

17/01/2025, 17:21

17/01/2025, 14:16

17/01/2025, 14:12

16/01/2025, 12:52

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ef9c1aea68db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48FDACA1-D4DD-11EF-89F5-527E38F5B48B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2e34a2d14956c41959f389c0e98abcd00000000020000000000106600000001000020000000e153613a5b1a58238670e424865704b4caba0b6a1818a52c0a3484b2861b0e83000000000e80000000020000200000005fe77d0068630c7ef8670ecb8e8e45eb281bba4d524b928ff4a300ac995b9fa120000000014bc5e421b985c5b201b46b012d9aa324fc277ddae06c8b5d6b821ecfd378ce40000000d44c07f5ad3d7540b840f0950b4126e50c8a8dc6f6fb76993a034b5c99b0178c5c65705759bb64f9b44fd8ec1d183c6aaea730264bf3914ad41259ffc61f356c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443285102"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2e34a2d14956c41959f389c0e98abcd00000000020000000000106600000001000020000000cfbd172d16241a07680e26c7a2d5d12dffce3af4eb6db86856e1c3bfdd6175d5000000000e80000000020000200000005589f92ae731354ba1000d0f59aed0899e5bd4dfc4c4b7ccbaaf3cecca25d0df900000008182e988dc2af4a82f71b43b6dbc6ef86a9c13eee6d8fc383ec2ba421d2ec3ee25a95ed5314d4157e1fef155518564bbbcf7708d43d0cd32ee0ae5fbe323880f43c16dcd05282539170ae4007f86bf2284f2352ec43d5d7ad1aa22e71630192461ce7506148d3e1ef055daf579754a4aae0f9d7c46f185dd440ed816876f2c26757a154c87738fa707c9dd64a73918f440000000374a8ab9eb2dffbf9b8e32426a15da39c9e66b8385da84c508c016157e6cbbcfb1c9b1e610245f4d3a4f7fd2b163fbb23cbbbe8881aa7e3f4754235c80187818	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
2408	MEMZ-Destructive.exe
3040	MEMZ-Destructive.exe
2880	MEMZ-Destructive.exe
3060	MEMZ-Destructive.exe
2780	MEMZ-Destructive.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	mmc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	2916	mmc.exe
Token: SeIncBasePriorityPrivilege	2916	mmc.exe
Token: 33	2916	mmc.exe
Token: SeIncBasePriorityPrivilege	2916	mmc.exe
Token: 33	2916	mmc.exe
Token: SeIncBasePriorityPrivilege	2916	mmc.exe
Token: 33	2916	mmc.exe
Token: SeIncBasePriorityPrivilege	2916	mmc.exe
Token: 33	2012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2012	AUDIODG.EXE
Token: 33	2012	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2012	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3052	iexplore.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2248	mmc.exe
2916	mmc.exe
2916	mmc.exe
3052	iexplore.exe
3052	iexplore.exe
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2880	2100	MEMZ-Destructive.exe	31
PID 2100 wrote to memory of 2880	2100	MEMZ-Destructive.exe	31
PID 2100 wrote to memory of 2880	2100	MEMZ-Destructive.exe	31
PID 2100 wrote to memory of 2880	2100	MEMZ-Destructive.exe	31
PID 2100 wrote to memory of 3040	2100	MEMZ-Destructive.exe	32
PID 2100 wrote to memory of 3040	2100	MEMZ-Destructive.exe	32
PID 2100 wrote to memory of 3040	2100	MEMZ-Destructive.exe	32
PID 2100 wrote to memory of 3040	2100	MEMZ-Destructive.exe	32
PID 2100 wrote to memory of 3060	2100	MEMZ-Destructive.exe	33
PID 2100 wrote to memory of 3060	2100	MEMZ-Destructive.exe	33
PID 2100 wrote to memory of 3060	2100	MEMZ-Destructive.exe	33
PID 2100 wrote to memory of 3060	2100	MEMZ-Destructive.exe	33
PID 2100 wrote to memory of 2408	2100	MEMZ-Destructive.exe	34
PID 2100 wrote to memory of 2408	2100	MEMZ-Destructive.exe	34
PID 2100 wrote to memory of 2408	2100	MEMZ-Destructive.exe	34
PID 2100 wrote to memory of 2408	2100	MEMZ-Destructive.exe	34
PID 2100 wrote to memory of 2780	2100	MEMZ-Destructive.exe	35
PID 2100 wrote to memory of 2780	2100	MEMZ-Destructive.exe	35
PID 2100 wrote to memory of 2780	2100	MEMZ-Destructive.exe	35
PID 2100 wrote to memory of 2780	2100	MEMZ-Destructive.exe	35
PID 2100 wrote to memory of 592	2100	MEMZ-Destructive.exe	36
PID 2100 wrote to memory of 592	2100	MEMZ-Destructive.exe	36
PID 2100 wrote to memory of 592	2100	MEMZ-Destructive.exe	36
PID 2100 wrote to memory of 592	2100	MEMZ-Destructive.exe	36
PID 592 wrote to memory of 2736	592	MEMZ-Destructive.exe	37
PID 592 wrote to memory of 2736	592	MEMZ-Destructive.exe	37
PID 592 wrote to memory of 2736	592	MEMZ-Destructive.exe	37
PID 592 wrote to memory of 2736	592	MEMZ-Destructive.exe	37
PID 592 wrote to memory of 2248	592	MEMZ-Destructive.exe	38
PID 592 wrote to memory of 2248	592	MEMZ-Destructive.exe	38
PID 592 wrote to memory of 2248	592	MEMZ-Destructive.exe	38
PID 592 wrote to memory of 2248	592	MEMZ-Destructive.exe	38
PID 2248 wrote to memory of 2916	2248	mmc.exe	39
PID 2248 wrote to memory of 2916	2248	mmc.exe	39
PID 2248 wrote to memory of 2916	2248	mmc.exe	39
PID 2248 wrote to memory of 2916	2248	mmc.exe	39
PID 592 wrote to memory of 3052	592	MEMZ-Destructive.exe	40
PID 592 wrote to memory of 3052	592	MEMZ-Destructive.exe	40
PID 592 wrote to memory of 3052	592	MEMZ-Destructive.exe	40
PID 592 wrote to memory of 3052	592	MEMZ-Destructive.exe	40
PID 3052 wrote to memory of 1732	3052	iexplore.exe	41
PID 3052 wrote to memory of 1732	3052	iexplore.exe	41
PID 3052 wrote to memory of 1732	3052	iexplore.exe	41
PID 3052 wrote to memory of 1732	3052	iexplore.exe	41
PID 3052 wrote to memory of 2284	3052	iexplore.exe	43
PID 3052 wrote to memory of 2284	3052	iexplore.exe	43
PID 3052 wrote to memory of 2284	3052	iexplore.exe	43
PID 3052 wrote to memory of 2284	3052	iexplore.exe	43
PID 3052 wrote to memory of 2336	3052	iexplore.exe	44
PID 3052 wrote to memory of 2336	3052	iexplore.exe	44
PID 3052 wrote to memory of 2336	3052	iexplore.exe	44
PID 3052 wrote to memory of 2336	3052	iexplore.exe	44
PID 3052 wrote to memory of 2908	3052	iexplore.exe	45
PID 3052 wrote to memory of 2908	3052	iexplore.exe	45
PID 3052 wrote to memory of 2908	3052	iexplore.exe	45
PID 3052 wrote to memory of 2908	3052	iexplore.exe	45

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2916
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=half+life+3+release+date
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1732
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:472075 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2284
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:799758 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2336
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:865298 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2908

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
273ff677888fa82c7b7de7cd7cd1afb6

SHA1
796192d452b8044349c604adc3576423b2c21004

SHA256
510338dc2cd22605d968c4fe02b4f82e036be4c784f57e312067bffef1842fd3

SHA512
5d7a08ba6cbf2a88c806427c6d0fe4c678aa2bf921a4f752bd029cde945397d86bd08f6074c39a7072dbcabe44f1b8d66cd076861324a4e4623bab72fa718671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
472B

MD5
8fab11ecbc576e3c4135b996092f9cd3

SHA1
32c8f0a5db4729a1458bde22d38ecf730aae460e

SHA256
66e36bf1d628d0d15fe66aa1cd67eac809dc6001a110f6b99bfbe25f60cd6f42

SHA512
0b92a86cee6e4bbc01b742d23da00391a425b255e303de7e0b55dd84571aabf5aeeadb727aed02b5c81a1622f6181eda9ac869ec84ae71367763312d1209c8e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
766dcbceceb99c1bb9b3ee02d18187eb

SHA1
50e38eaacc2a4a533f1aeb0affc076a24ef030af

SHA256
83f771647dd16e667cf88e34a69765c0974fec2c1dcdc9a1ed19bdb95fbc82e7

SHA512
3a6ed996e75f6c535605c6ea0bb18345033f1c38e143931370639f7592dfc67574c005bc8a680630d2b91f821593242fecfc020b0068585077d70e663936d027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
577912a3079d1609c1fed3c25ba288dd

SHA1
3684c2f82ce6e2db9995924c33447b92ed3b0e7f

SHA256
31b2f379c7eb182119c4969b0d825d6bdee00db0f903364ef73a843ba126d82c

SHA512
bf734f4c457ea75244638a8b35b7cfea9a6a0327135ffce3611475a47a5d144ae28bd1697331ed1be7613b77cb69c4a8cb8800fff006c5cf4f6aa483feb958fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5189c19786b953ab5531b35eef518dd7

SHA1
dda19efb3c2ba2e7b0862ff480efa6f0f24730dd

SHA256
ebc183d8186068556669d6bbd24208ea86b7cacfdcbcda1b91b580fd59d6ed7c

SHA512
8d238565a7f85cb405fc4420ff15d1e26665f9353a4d48847877f155298e2ed7ae104a64b1b3c8ecabd04115d508d333eb934e0d794bf2382c365552466e5ba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
1d4133720fc5aca0ca30277134711263

SHA1
68a4010c377f0f7d62077c3303329bb29787d91b

SHA256
1b115f4bedcc708189e32428dadb8fc2c8946010e88414043c8748a4ff099c1d

SHA512
6b688d9d94ef44bf96b9dc0335dba11bfddfd338eeba97247382f16c69fcc2795ba761e1021b83491a628d199330cf89b1f93945c55e6a14177d53ab97e80af4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
398B

MD5
435604b34c3efc20169584a523a2c947

SHA1
160d7eed22cbc73da7ea90ea7fd7a21a9e214626

SHA256
1cc6b7cb0fe45cfdfd70bd05f28bac85ea3d35e18fcfbf0ae4fb78dc9380bca1

SHA512
2d92d09daea2ea9957e44c6f3e68b79f2cb066d2793b3da65ed932b2c27c14eda6059a3cbaa28586f89aaad19a4712ef068077dceee8d0c1eff775ff74acfa15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
d4da77d69886c5fc5a1d356ba9056b1e

SHA1
d261de26d9bae014766809515ba1a1c9ad0c02af

SHA256
6a948854df24f5669bc51c2aa6d30a9c5573ee381c7c392acadd1afe80d5380f

SHA512
9c13393a401dbbd00211eb5b790ff03aa86d02598d2901bbdb956435acce7fb7b18cbd74aab00248212f6056b2f3276f48e665a81231c566ec4940530d820620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e57171f5b597b05de175d637f17f05b

SHA1
cc1052cc96a6eee091b9bfa0a0d4c8310a5f7fde

SHA256
0e05bbc7f1e13e8558df14d8758cb40e542949f0644dab4de6ccc2f1108fbf0f

SHA512
c6381311fb7569eed703621691a81666bcafbdab396324854a16deb4fd88787e5855306195f416f827ee6354e8a1ed06121f8e13d34e8dfbd525af2a4289be67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
640dc95b227e143a140328fb6e5cbedd

SHA1
9e4ea460d934ad2dcd5b460e1e08aa33559ad025

SHA256
632ffad0f04ecd58cc7452998a022919231f7ed29f94cbadf83a6b465d573064

SHA512
8461ddc6fb69e82286cff8b4b6dbc8f55ce46f90bbd680de0adbec1da93b9ef904f1ab7aea2187735cc316fefce9372c4f066413a1d31984b662ce4164d6da84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7ba7e427b241111a00329d80d056777

SHA1
030f382cb4ccc897ccc0b91fe8c1489cc284a2da

SHA256
612e80e728ac6516475441abb55e89ff4918474e9fdc7739cb7697a48f253e54

SHA512
dc1c0883a143af92d898acb1e68aa69dee9e8c984cd63e53ab1a391345cf6a9ced971c99c77c0ae667b213cb28109d9e565bc2b7f1a9e413f81284b981a4da39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f4fb6817c0405e66c1d9250b3648e2b

SHA1
86b215b4ad3dbef6c627eb0f345a94de45640810

SHA256
a557b7e153e563a6bfbf1d5756449926432a82288c7ae021f637bd8f9a2d7a44

SHA512
e98dfd581f260ad87613fa21d20c36aadc0541e525e73590b796dd752af68b513d2a6f8a4b1e0b97d5d5bb3141e6d8ad223ed9c822be2fda6b18fc370d6f1231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
831392839a3d8a61f45bea46636d19d2

SHA1
46db452fafc47cea78a9b49963156cf3383fa97b

SHA256
82d746e79318bcd92215bbbf9e6d39f151cce2ac0a72f336f9098282bb34f1ad

SHA512
3ab1af7e93933b55aab7fa3f1d2c8ea3c8f90b1d268cf91b3777ecd019c7402d5f61628587c75e145dc42d83e796015e2962adc7c06d8b5f749bd7912328fbb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc1a24034b26ff679ee493ee3577f6ec

SHA1
4c2d27ae6667294a9c1ae169cddb78476ae7b95c

SHA256
1a9fa86d1c951cde867d5f9511389502d9cca0f7766a5483cb613066623403fd

SHA512
24f961e884f206a52799ac1e496808927daf9b21c6739620dd1fecae2854ca1c40603d6c339a770d9a9d3e8c324ac3b87520957d562a2d731b736e53f3fcb8a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84fdb6680756c4716fababa41ec4f56e

SHA1
e88d0cf2a3975e6e419b81fc60b9e3f4da1e83c7

SHA256
9deed00f2acd05a310171500e5d446afe3313affb7ab865be30ffeec9e350e00

SHA512
2ac004f0863759d63fef0151b006f8d94f300161c73accd8776d67d2761e95a69222e6d492fdd71f5abe01be255f1f4d234cc66717c748398c85c4508055e9f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f5fc05f64521028562760783334be0c

SHA1
2cbd617756c700f1b7bb9ad1d248f90a4eec5bd4

SHA256
dea1fc135c5ffaf7b0c4d5426c72223f689c46501bbeb431b43fd53a1700ab3a

SHA512
a1e2c8d4dce6ef83b5c6d967c7f95de3ace70b5f032e5b0c7f73e1410e0b6fbb4a16d026b84f2674dfabd30d0afe57a0c660fe18cf4a2fa1df248b9c42e1c283

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1d128a35b43dcd75216e1f3e5125b79

SHA1
681f151d00a5c0f879e7d88bb0b2d37d7392ac97

SHA256
931209cf92c98b304bacdeb4d5e446a9bf7eb7e6b39dba049e21dcde7fcf08fe

SHA512
8693aa0393a29dda0042642b72202604b4d1e36c4604b98cfabc92a8ac338ea1c7dcfbf18da247113c6194821b026d3a23a94f13b0e6b2b9cb3f03918d1d1be9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7a8337abc7f70b1234840f59e1a3552

SHA1
b2adc256e1ecc52cffb0e66734944819a5b5f085

SHA256
99c348643d3c4d8aa7d5502e8263b6cdcf9f3a76b58abd1a9dff0ccb4edc4a60

SHA512
51d65b6b6b7d455560d2765e3643d4f94cfa9ea2718da6964c362338955de7a1802c5cea6c2b02ae0692b20fd994ef370c41034fc0f41d3b7b4b9779d30beb00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e23c3dca54e55b5e3d3cd190a9b4ff9

SHA1
ec284b023fc51bda1170bc7114688bd0ee4d0e77

SHA256
951234b2fa397375184421fec15c772c161800615c6ae586ae5a7f7e4607432d

SHA512
5c2e945abe7c032a7a1b1721c4137aadad6bbff08ade3450ff39f54e0336dbf7d596b51048f75acacdd87f64a1063dab87dd79664531bdbb3199c0ac219377d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fcb68ef3e3a3fc0666feeaaf0dac96b

SHA1
f07b9755564744c0f63296b608de8cb264041008

SHA256
4261158d9e73050c986d9a4f9c8488785fcc3eaabddb7099afe86357e0c8a57b

SHA512
305b84464c9bf725c18c040347221e4f0442cce5c4307e111826cbe2866b72202d05b43231f9ae8e870c2712d28e110cc73994c36eb542aeeb8e60f5b601dc0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d61127c1dae2fefe296aa48f889dfc2

SHA1
4ec0dafd7feb95485f9e33e0f129cb5690974358

SHA256
ad386cf2941f2b39221ef42711f61eab08c4d901620201ce14b199aaa5067443

SHA512
b90b408bf812ce5956f0908cb984297b54a3476f6a1fc2a594468377ac18840cbe546f6ccb7b7468b2f2e5e07413e3c7c55677093dfb260d3ade802556f24021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea99b9b428bcb159f2fb02eff94a6ba9

SHA1
59d3ca9a5b3c34b95652ee9f9232dcf77f97f728

SHA256
c490b69ab46404d56833142ca7782d6e35ec72fa69479d0e12f60617815fedf0

SHA512
85b8a236beec395b441df2f061b2c35be117a0070c75e2b1361f404cb87304edb84d022ff97ab5df4f46d8e777fe716ba70c9fe638ed6869ca4f70549b3f7a4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b9cab0e23e9ab6069689674b27958e1

SHA1
5ef5b97c34a74a40be13e26e0dd6df3e7a1ae410

SHA256
b6e03d8fd86b5f1d7beced680227a6d00bf7e26bd35f43384a2294a48d2d2ee9

SHA512
b44b10f81d11af2f36ac4a270cf4a7ec55e3e455dbedf57f5f343f5b20e97b1b7a4d03f030738eca57a9fb4236056545daabdd4ffc2294ff645d08cdf3f7f071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03c9c50a8796c754ff1984085ef9adae

SHA1
46b2d77364eeee92da8910fe8f0124d2b06813b3

SHA256
db8a13aa460bbc541bf20b9864db99ed05caae5337a8e32204c72efbef288c28

SHA512
8b32b28bcbb3291d6226052ec702881f71eff1dbe921ad0049675237c63860266209b65e83f0f7471642c840ac6f2e26325e18c11f1ce52a0b0bdad521e2e7c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08710a8ca8f7cd73550e79471ac4d5ed

SHA1
8cf114d98f97754a9aaee39399342a9618507ff2

SHA256
4538144c7b24ac3479eacc8e2421be5c5815ead17bd71c93fe58f00e9247ae67

SHA512
18f593b70c80f5f12334586f43e53abb34d5fbdea95cb976020d35fc795c22c9ed280a88b91039a1777275e37422106de448b145bdb959a6baab84e828a35338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a297cbc098a22f0a71e2f684d9d0a47

SHA1
da3992664176246f8b5278e9973da5fad81ef445

SHA256
eecaaa8cfdb5e72294f6bb051fe9ac3868490980ac083bdae14204575dfe3e94

SHA512
2079dfeda62dc40cc3b1525ae8c2ad0fb15e0a576df2b44d63a5aa50a76206e167225e3d986bc112abd51580accac643d878dfd9c08e4a11c96b8cd7f0dd3a9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b543f11457356b74b06668a460f9e8

SHA1
9d767824708bfb719a409f5b2a1e6a3dc99def8a

SHA256
fd9aa75855f17676e3c6d4b1dc79d3749a78c95d4f7fbd81a7382cee436c890e

SHA512
a764f8e6b63210225a5b7942647d8828834bf7e1b6b797210c86a2989b0657ffc29cd4f78bea7d1a85560c6879d472b95f9dd38d28228f774b999867f88491f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72cbb8495b723d41d77b168a3a613aca

SHA1
1c31dd6a083b8b85c66fda70d8e8e5643ab60791

SHA256
9733cc96ac5004ea2e91701e77d899ca459ac7709897c082f60ee331f5f46aa2

SHA512
eaf46664fed14b1012742ebfd8106eac2ec002db7f059ee48335b71ad215a6ac1ac1caf04899ac12aaa7eeff44c16a7d7daca54940ed720dca2cc0bf3ff7fe30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4273f1fe5441a8327042220234b46395

SHA1
f46c182fe47a605b7602e0d5936bdc1e7f451932

SHA256
1d2707a71a399f15ef3213f21a8f73ab08892e7705aedd484029b2239913d2e2

SHA512
b94cd8a6505bce7beffa72471a46e4693654f082d9d28420fa15e27a1aadca49e6c5b0a2f59f61710a013f4e9acc64fe4e2eb22645ebb06e5a26b2ee7886b7ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
255e88ebc5d7e795313387b6089466b5

SHA1
83dc973b5eab21a598c31a6554bd552d6f9b230e

SHA256
95cd1d14545de6732dd745fd4121b1ae7472f6d9d80369044967046710238f19

SHA512
985abbaa9f8a9d9088bb2b90eb06136a9739646bb2475bf3f758c6f29216de04b5ac4d641624daf0616cedf8b99a1703cd590b0864821343f9d8b0ee63912bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2db26742b42481ec239a973f23d4c084

SHA1
a2965771240f3e4d994cc33802e1ab5bded476a3

SHA256
830af24f3f6522fac43025ba1aaf0b226aab6e1c242d1b8b507578f5bf905cc5

SHA512
370c77a3a0cc60d2f7bd0b03d5f45b2f2d70244919affc420c627b706c8fca1365b6b77d6bdd6453e0762b88e8b9f5e93c399463f81dca48b3e7725010868c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\W1BT79XM\www.google[1].xml

Filesize
98B

MD5
925b7d9359aaec5cb14621d071bbd3c1

SHA1
72a5588865d027242e9e243909944970f6bb4842

SHA256
68a47714c07ca8f5c91cc30d8f37d60e0da94d4d40ecf9e9be4820bc2ca90757

SHA512
cbfb9042148fac6b4e9ae5930f7f2bc825443b7ee1a03075edfec8e26e84a30190953f378042df11fa7d5ec83b18cdd87eeae1ed0ea4ef76df8c8b38e974b99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

Filesize
5KB

MD5
aaa06a5048423a121e531d48f3ab5f23

SHA1
f1daa00d79fb1412e0b94c62d390e72683f5b088

SHA256
4a9f61ed23eabf533167e290910dabfe03c8fd5b15371df64f72334f2e7e0cc7

SHA512
f5b700c2d57ad5d972d32d648541545534a40632fce983ed83a0ceae4b8d9eb7abbcc15e7bb165b70c64e03a69b25021dac8bbdd8e5279a13456e0d2829a6d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\webworker[1].js

Filesize
102B

MD5
dcf0dd9e2a4c0015bd80ce993ac84ff1

SHA1
6c4eda6061f7a7b9e05f439540fa26c261996fbe

SHA256
73943cf1ab8eff323e097bee9c52083255ee6e53b9abbeb193aa09fce212fa24

SHA512
f2d0a9e79d038ae1d00e6f4c08c3cf41af3e81ea8955e73052f89c4370027ba795080c867019497842a337f049d0112d8dd6c3f1bf5db8659d5f8428023128e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\styles__ltr[1].css

Filesize
76KB

MD5
a9a4c0df287886862263d8af0a6e096e

SHA1
4aeb13637cff035bb7cc47aaa42d61f306e0e474

SHA256
ad68a177a2d52e736095a6b7431fbfca3f840d66a1ea67090b55c5f90722b067

SHA512
a9605e4b740e3841366ecfb2ee8b44469057009279d8bd6b6455af13bd5863dc130a65c740b465e20e060a3cae4d74ef7b4da860ed144b89131c5406bf12cbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\api[1].js

Filesize
870B

MD5
9a90c06ffab392f11cda0b80188775a8

SHA1
395386715f54948ab58be5ad918b494b1ab86156

SHA256
ef7a5d110fd5a78289d4f71807784696ef0625efca97453caa6f3051e74a4c6b

SHA512
e40292115e00e2e652be3de796da6e860f99901d58adbd543edcc281e80fbee45ba35cb6b436cd5f7bd654eee8ce722a8f5fc41c6a40478f77bd2d6fb44f5780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\xvnkv013T9iQERax3LRLfLP-YGjo9lA-elXqPIIu0pM[1].js

Filesize
25KB

MD5
d735f7826775631410df2363ec8ea7fb

SHA1
72622ae88b15219ad1b00c72b48e13b2dd10e6ec

SHA256
c6f9e4bf4d774fd8901116b1dcb44b7cb3fe6068e8f6503e7a55ea3c822ed293

SHA512
b4fda11a5e56e7d1344a38bcd0d086b366258c751f18de79147e763f848cb4fbc76720b211913be2d25163a77bd505d918780a7dc089e976069d12a68701db2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\recaptcha__en[1].js

Filesize
545KB

MD5
1f233ff2deeaaacc3c11614068d6f46d

SHA1
6ab5f0fb0ada1228ef529e3d48961c36fbc21424

SHA256
dc987654372c681461a1ab9e9835fc0006367829e3f0cdccee51081109d7868f

SHA512
a44c564ba2ff696762dd9a9f05f38dbb839a594989bcae5c402222ae6d9a17a29942c99df9c473f043e928f98bdabb62299bb192613c72d5d5b3efde7dd36c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab83C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar83F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0A3MFT90.txt

Filesize
123B

MD5
b910eef311f3f9e005307141cb276a1f

SHA1
9d5b3e5435aa2c3d452a02bfac011fbdfa08480f

SHA256
63d843d166b1ce004c511bcca778774a90dfbc0f78543530f4237b514f384b88

SHA512
324a05eab5aeeb1f88fa9c75fb631c3e7667bc88fa86823a41abe752d2f36e9e966fcf85e8397ca43355aae436160dcec82cb9bb46bb2e3454ca06f060ffe9bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R2YYI450.txt

Filesize
124B

MD5
a31e0e4aa17a7b86361d51863a341103

SHA1
8f97e5e133105175d4478c60a55531fc969467ca

SHA256
ea5262236d1a0e9749445e8066fc53bbb0005d2fc2bb5d64758441d73a0749f6

SHA512
645581097ef57b3cd510b79ddc2ea235e1677b5935fca483108e283aef04124788bbe65080c6c01e4851a86fd72ffa3ad389a0abdded519ef0035ec2df5d9b53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U1ABPO16.txt

Filesize
124B

MD5
310242387630979256ca986fbef13048

SHA1
a1d98a26658e90cb6751f886e4b29acd00db1154

SHA256
a0d493426cd593fed7eb4b8ed48a10045d531d7012b74603361bcc80c283d251

SHA512
501811731c04065171385b7b18266994033d62bd893852ffa6862db397b774b4fafa51404db44031bd50ffe6e6b10dff14a5f8e95acc347dd9f5d65a9e6d63c2

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit