2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

17-01-2025 20:14

250117-yz7h3s1qfw 10

17-01-2025 20:12

17-01-2025 17:25

17-01-2025 17:21

17-01-2025 14:16

17-01-2025 14:12

16-01-2025 12:52

16-01-2025 12:50

Analysis

max time kernel
101s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/getr3kt.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2196	MEMZ.exe
2332	MEMZ.exe
572	MEMZ.exe
2288	MEMZ.exe
2684	MEMZ.exe
1944	MEMZ.exe
2244	MEMZ.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f7b63cf248f46b459d454efb137c703e00000000020000000000106600000001000020000000f2fae43d4d3806860067656baef5403d206f0895192b289a9ada14638568cb22000000000e80000000020000200000004a543d9338664b9ccebea20ef86232f028e288d44e818d8b88571c229317dc419000000026a21a689cfd421a1e159e4fb898f8dcb83fd1a3c2662b8b8c8087438dccc381e5f0e9059641f08e3920b4b93193969e81476836994b250c55131f5d5e69be1e1565ccd246c441b71781d73c0ec97f615a98ec656bc445436bca23fb89e64b18b29f54bb9c57d995a7fe362b2ca418d845a405c815e83524f6141d923475b0c6cea146f5d8e47cbb871e5181cec742b8400000002daa84cf18e6da5f3b34b247e15a840896257f3290d72a7d0e3ae305cdb23ff1b53288ad18f50ccb925adda349e3d3edd9bf4c43701a8d94a7f8572d82b0be6b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f7b63cf248f46b459d454efb137c703e00000000020000000000106600000001000020000000babc75ce122b343383f89005ae65c1063f1421bca936541f9a535f1e7c753b0d000000000e800000000200002000000064f72ceaa57957e5b140f5483c8d700add042f59233ab0d97b1c26367e42d2a220000000c19ac54b97e894ecfacf298951fdde922ca77004a4876b6b37f407db1638b72640000000e2e0f0c51cf8e751d8480cb2fa3cf28fb8602456509d6eab0fe68b003759e018c56da2da5a5722851c9eeeaeb079787e258c09e0f4584539705bc43457405429	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC78C1C1-D4DD-11EF-87C7-F2088C279AF6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0121bd1ea68db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2196	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	MEMZ.exe
572	MEMZ.exe
2332	MEMZ.exe
572	MEMZ.exe
2288	MEMZ.exe
2288	MEMZ.exe
2332	MEMZ.exe
572	MEMZ.exe
2332	MEMZ.exe
2288	MEMZ.exe
1944	MEMZ.exe
572	MEMZ.exe
2684	MEMZ.exe
2332	MEMZ.exe
2288	MEMZ.exe
1944	MEMZ.exe
572	MEMZ.exe
2684	MEMZ.exe
1944	MEMZ.exe
2684	MEMZ.exe
2288	MEMZ.exe
2332	MEMZ.exe
572	MEMZ.exe
1944	MEMZ.exe
2288	MEMZ.exe
2332	MEMZ.exe
572	MEMZ.exe
2684	MEMZ.exe
2332	MEMZ.exe
2288	MEMZ.exe
1944	MEMZ.exe
2684	MEMZ.exe
572	MEMZ.exe
2332	MEMZ.exe
2288	MEMZ.exe
1944	MEMZ.exe
2684	MEMZ.exe
572	MEMZ.exe
2684	MEMZ.exe
1944	MEMZ.exe
2288	MEMZ.exe
2332	MEMZ.exe
572	MEMZ.exe
1944	MEMZ.exe
2288	MEMZ.exe
2332	MEMZ.exe
2684	MEMZ.exe
572	MEMZ.exe
2332	MEMZ.exe
2288	MEMZ.exe
1944	MEMZ.exe
2684	MEMZ.exe
572	MEMZ.exe
2332	MEMZ.exe
2684	MEMZ.exe
572	MEMZ.exe
2288	MEMZ.exe
1944	MEMZ.exe
2288	MEMZ.exe
572	MEMZ.exe
2332	MEMZ.exe
2684	MEMZ.exe
1944	MEMZ.exe
1944	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	taskmgr.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1952	cscript.exe
1332	iexplore.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1332	iexplore.exe
1332	iexplore.exe
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1952	2424	cmd.exe	30
PID 2424 wrote to memory of 1952	2424	cmd.exe	30
PID 2424 wrote to memory of 1952	2424	cmd.exe	30
PID 2424 wrote to memory of 2196	2424	cmd.exe	31
PID 2424 wrote to memory of 2196	2424	cmd.exe	31
PID 2424 wrote to memory of 2196	2424	cmd.exe	31
PID 2424 wrote to memory of 2196	2424	cmd.exe	31
PID 2196 wrote to memory of 2332	2196	MEMZ.exe	32
PID 2196 wrote to memory of 2332	2196	MEMZ.exe	32
PID 2196 wrote to memory of 2332	2196	MEMZ.exe	32
PID 2196 wrote to memory of 2332	2196	MEMZ.exe	32
PID 2196 wrote to memory of 572	2196	MEMZ.exe	33
PID 2196 wrote to memory of 572	2196	MEMZ.exe	33
PID 2196 wrote to memory of 572	2196	MEMZ.exe	33
PID 2196 wrote to memory of 572	2196	MEMZ.exe	33
PID 2196 wrote to memory of 2288	2196	MEMZ.exe	34
PID 2196 wrote to memory of 2288	2196	MEMZ.exe	34
PID 2196 wrote to memory of 2288	2196	MEMZ.exe	34
PID 2196 wrote to memory of 2288	2196	MEMZ.exe	34
PID 2196 wrote to memory of 2684	2196	MEMZ.exe	35
PID 2196 wrote to memory of 2684	2196	MEMZ.exe	35
PID 2196 wrote to memory of 2684	2196	MEMZ.exe	35
PID 2196 wrote to memory of 2684	2196	MEMZ.exe	35
PID 2196 wrote to memory of 1944	2196	MEMZ.exe	36
PID 2196 wrote to memory of 1944	2196	MEMZ.exe	36
PID 2196 wrote to memory of 1944	2196	MEMZ.exe	36
PID 2196 wrote to memory of 1944	2196	MEMZ.exe	36
PID 2196 wrote to memory of 2244	2196	MEMZ.exe	37
PID 2196 wrote to memory of 2244	2196	MEMZ.exe	37
PID 2196 wrote to memory of 2244	2196	MEMZ.exe	37
PID 2196 wrote to memory of 2244	2196	MEMZ.exe	37
PID 2244 wrote to memory of 944	2244	MEMZ.exe	38
PID 2244 wrote to memory of 944	2244	MEMZ.exe	38
PID 2244 wrote to memory of 944	2244	MEMZ.exe	38
PID 2244 wrote to memory of 944	2244	MEMZ.exe	38
PID 2244 wrote to memory of 1332	2244	MEMZ.exe	39
PID 2244 wrote to memory of 1332	2244	MEMZ.exe	39
PID 2244 wrote to memory of 1332	2244	MEMZ.exe	39
PID 2244 wrote to memory of 1332	2244	MEMZ.exe	39
PID 1332 wrote to memory of 1364	1332	iexplore.exe	40
PID 1332 wrote to memory of 1364	1332	iexplore.exe	40
PID 1332 wrote to memory of 1364	1332	iexplore.exe	40
PID 1332 wrote to memory of 1364	1332	iexplore.exe	40
PID 1332 wrote to memory of 2784	1332	iexplore.exe	42
PID 1332 wrote to memory of 2784	1332	iexplore.exe	42
PID 1332 wrote to memory of 2784	1332	iexplore.exe	42
PID 1332 wrote to memory of 2784	1332	iexplore.exe	42
PID 1332 wrote to memory of 1864	1332	iexplore.exe	43
PID 1332 wrote to memory of 1864	1332	iexplore.exe	43
PID 1332 wrote to memory of 1864	1332	iexplore.exe	43
PID 1332 wrote to memory of 1864	1332	iexplore.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\getr3kt.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1952
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2332
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:572
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2288
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2684
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1944
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:944
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://softonic.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1332 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1364
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1332 CREDAT:209944 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2784
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1332 CREDAT:209963 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
2833391c1eb291c01541d1d659871421

SHA1
ca085fc671eccbbc0dbb885c274a80cdd9764efe

SHA256
d250f21861e89ad96c93e8805ea694c6686661786edae94c39f2ca7a2308bb33

SHA512
bb78b3e6db31480d32f22c05758e7693d3e46a6b00bce61856bbade0586d2ac39130bc7d284c65c5e0f3f2bdae73c6216605803ebad880d07887943da80ad509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02f8b93d0f0f9e041548422af097cd8a

SHA1
bcd83a4ee2f8d527a55c4bfc5d7509edd8743e53

SHA256
06d93ae5364d085f502f79a0e346ce204399fc8fefe81371060ca589dc64ab3d

SHA512
c6a022b533bf6153513c5e89bde8837612237a46e8466bdf4d5ce904e5821f50564db15640574e71c4b2f343b9feb88e5b30e756eb7087e8655c7a648ee9584a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2f2393b806cac109ea13e714ae02838

SHA1
b996df03ff260cb787091c3268de2ff435ec05cc

SHA256
742e19b4f591ea5e5d42b131f33d2a258c6fca8290c6dc7f24e10bbf3e5e40da

SHA512
cc21ed876fb8f46b9f16e533050eaa965fbd4b7b4c558559741e456cfb0b2c8a6c2d0db23f0704ea1640bb9ff97eea712b12bb2203af4d68ceab1117666f9a39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a073bcf9d5121dc0edfbe7cb6b97f504

SHA1
2c24ec7b63489efe4a0dd37bb83061db4c9a214c

SHA256
26ee73bd854cf4467e2c2f90a9adc6f9e075ebf4dc3c76682e5e586ac039d3d6

SHA512
191163c444c6f206aa07176830b55a1c5e07425295c065bad69bf8e1625c661d253ab62ef450185f046acbc79f3b698759b285191ac3f5ae8a7a7b5f4b9a6dc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1206b9e5b665bab20570a49a4ed96559

SHA1
62769acef73706e7b74df9e0dfa7d85638d841b4

SHA256
34d03678d9438efcee6c4c47b88c7b5fa224760ebbc36a54596c8055ad02aa0d

SHA512
67ec684c3a84fdd0ecc44c4196d7a1175e7ddc225b30f27d34aec966876a7bc0d8d5dc5b7877b847cb0724b9e4bef11bd769cba2d7b1f2618d68482b819c7231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0fbca0e50e540bf599a08afa7c41bdf

SHA1
61b29ac1398511a145e7dedae63062f7fc0dd02d

SHA256
0e7f5c588127604b10240205e77b164a1cdc9eed4fe7cc0f7c2be9087488890a

SHA512
ae23bb857f17235067e08edb6353750a41c660a52991372599b4393f1572dedcaece9746437a077e7c67ddc940150be3332bf7316e096ac15c7702acda5ce6e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be28479e11d4b3d747b7684818cbe54d

SHA1
999e224eac1358772d8cc741bea65243e996c776

SHA256
df6fd2e998d8abb2a864730b159960f571e94cadc24a8dd531803984c01fed9f

SHA512
f621908c720166bf7c6caed97cd3d1c34cbb0c8e3c2f33324380c12fb4e6a6bf834f7e647ff38264531b74da310a4749f3fad9a0f4387a82e12b506485247540

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9c4d13ba3263148b80261d9a46f1c9d

SHA1
d4ab8c87eac5fa627c106cc300625e26c5dabe08

SHA256
8134ae2c0d3f315141fdc0555864480c2d07f821c2ce28968f5be90f436db9ad

SHA512
55ac0c446802be856fef90b78da6b2393c1a39130ab0382f918f1c28887f3aa2ab7a3558677b1fbfea9c435ed35714140ef0e18b90efce426e618a45c0d04252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d93035312d67356a49663eb97f3b0922

SHA1
e58f7c3394148cb4c493b2b56ae60d6f16c32fde

SHA256
982b42e26e459c372acfd20f4fb5cded1bf67c18024e2c87a60e3931112864ce

SHA512
71a1cf0e81b8e468f6170660a526a19a86dfffc59723cc3a3664e34ef159c99dd590f9526396a5456119ac6c97829d9c0afcecad79832f8116793aa39e806c6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b40590fad4ec53aa8ec22924a5f3074e

SHA1
72cbe0bedf3b086e019a4bc0e4d1e2168f425aca

SHA256
58423cf95c35d4caa4464d2c4345ba4f42efb7d800675fd372f4752a313c566e

SHA512
8c0b61489c80214ed7e7c82226b17f65d492ef713a324aafd82e1010b1d6c7bc9f1f0a01cd2f16f2385e739193badd15d5dc8618c1803f9018dd392d7a8110c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
debf23f8521b85129cf83efaecb2a10f

SHA1
f035ea0621ba64d0dbd0fda6a9c1efacfd811946

SHA256
743255f85074b7b72b69552b885f3d1430aeb5b7009473283a69b9835bb8a6a9

SHA512
9317395e9b17b132e7d78ca3c299a6975a01787105d92bdea792d2dc9b2721e96034828403e8e5ec29a92db9a29a43d904e06df5828c0afe9ac8425618416cb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c03fbcd377e9b180d0609f9b39d9fcb

SHA1
73ec8d7fbe078b2dd62e153cbcef81562e9cdbdf

SHA256
91255cb80ce1f295ed63b1eccf849ac2553b73403908f38597c450cc9594974a

SHA512
67c4b5dff28341227d7e05d193674fc95d6a45efd48fe99271b3f84d2add84427b23f4fb765caee5ceb6c0dfa2f4215200f84aeeaee654706b81f782d2cff069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3eb3de3f22c3be0d519e7a0180e0632e

SHA1
cd80a5c869e43ffd344215896d2d98b8c39c93c4

SHA256
18c204ef51e3111ecdb4b88ae3b04f4c62c6dca098d3dcd491ede4c80e18b829

SHA512
866f8ad345efc52d4217c9990f0ded0a6e9ff1ea674e6702a0ac5c7bfdb15db98b9fe49f77cf13bc4bc52a15930e84dae20e6224a1cf06e81016c725dbb7cf6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43f7cb19500841fa3ed21c16e53c342a

SHA1
035c94690f804c8f25b81594dcf7d90f3e4a9cf7

SHA256
87fe45763ce84bb8d0223d6076f7819940c351609e3a6f7a6fad464fe3cee3ad

SHA512
07869ef66fa4bcdcc03a848f5fa4b8def2166a046f5bc30614dd188c14771b1f37f64ea1b78823c6f501a35077357244630bb6fbe8f96733a88c426234d95e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
099b1ccc4c0267c2a639a2193706862b

SHA1
796e0b11221b0780442709f7f12eb60bf5713282

SHA256
1a40fa354908c5a0f2fdb5eb578e46450e5f4ea5aa1e74e3792788e2eac84319

SHA512
a063a5954527670b27f9a526bcc99811eba5f2d502c9665a405cae666f5b92515e3e78f1e9a5a461db5edd0cfa4072b68e8963a28c3f79b84338236f407708d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42cabbf81d1a9e2f73210d98c99e427d

SHA1
ef4ef271b8dc6ff06967e92e792ed0f4b8a74165

SHA256
d677c7b5cb47f1ba2c34e1c0d8a4b82c9b15b6437a5007dad95889955958ee6f

SHA512
d14f801370001fd605ab32c3f3195835201c9583929372b6c6db01143688959af4fcfd8933d8009ec2df33da8e9c11bd4fb4963e8eaa8c0aed8535658231a15f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c317b08500574828fc16363ed9d554a6

SHA1
a717cd8818de173312e96548bf7ae950df088c2b

SHA256
5a324dd6738785edd1f0dc5f64f1ae11cb11fbab6009991557b214db98a744cf

SHA512
6e76e55297e6d39f6feba688e4d33ddc7d38ddb8293f16801e3a9d1b02a2e60aa14d068dfa8f3e76e8fa3d1262c04ce2b4af51b3ee5789931323d4b0654c3138

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1199e26da53825223e47e6709f94673

SHA1
ad876b6f1040957abc647876d8159d9abb7b39fd

SHA256
a191e1465fa9f8075f5ec2d893d35c425a501f93bb2301f7ed37723cd921599f

SHA512
feceb7c42aee252c91a9ec8fe37531d5907b9b38859c52f66e96d2d7473746e535d3d7656c97e7141fb4d826fc80a5f08b33979d597da0304799d754a001bf04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f05c180628a156c2354b7274615e35e4

SHA1
b9c9a72f848ed9fcfb7c254265f02c316d357abf

SHA256
8d4fd0194a714e7fd65724db1dad9ea2fa33e7a69a861cfd0b2e4070dabe2622

SHA512
725d9ac0854e0334a4c403dbeccb9717aca3873f401b9a6b53f98638518f48fd540842cf1ab8ea8dfd80a0f8e018f61aa09b70397ac4f455372f31dcbc476817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdfac8ad97190f7d8bef61264941c4dd

SHA1
9ec427556df2f488bd70a2aa3aa54fc507daf454

SHA256
3a606504c13683d7d970e5c7cdd89360e747d4f89adfe9049d7811e638020a4b

SHA512
036652863692d9534f80acead82590f955693c4753840ea775cd32ba4160ef62cbbebe6290c97f64ad819393a6485db4a827f265557606dbd5e3b4043d5b21de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ee19ad0c401eca98f0957681fd24d2e

SHA1
9acff4bf76f980a98a639a05159c1253b72743b5

SHA256
e510d34cf45721f16bebe2707385566beaee9dede2a95f1666dd5e786827f1f5

SHA512
ad320c2bc163e9f2c2afa3323b3da7f60f8f502545a6233ccbe2494a3c21e143d1ae21798fee82f76ca2dcabfb4d402ff913ea46c52c9898ef78a0f6f460ead3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f8028879537ed755bf7ca3fbd209d8c

SHA1
1e61e54f479af2daf29188c6a5f08bd2561d3231

SHA256
5512e54a566b0a7ecce5e0da53394027195783b26f1ea34546db3ee7753c93d0

SHA512
9fe8c0c5d3b0d56a9e41e13e4fc3020fb1ae0e9872d758af27147f4ac821fce4427e66e98f9b94f3eb8f51fdf615ef3bc544cbaa4414d20f93ea45d6350cc5a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f90c999b7c652557dcc2111729f5a29

SHA1
4e0f25cddf644a4848ba9b9847a42ebcd191d9c9

SHA256
ec81192441710b46cbb87b41fb89c12b40ec63e5d9087ca9b2b8168d860a7f89

SHA512
e35f9946edc65212cec7e72c281f9090dd3da6ab7f35fcc0da4b1fb907a8fe3dea3716c1d56eb3856a80646807842c835394c2a3eb09d227ab5a1c60995b1959

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16abca920912290c45b3787166e83718

SHA1
19e8851164eb82649518fba68f41dee1c48601eb

SHA256
1a04ab42ff09483341d249bdb8a920eff4fb5b9ff5d4b31e828ab542b7197b7e

SHA512
271d93b16c6c7fae212616edd61ec949e6e6d77fdd9b2d24f9ea1366eb35cf083ab2ee2fcfe2d600f50eedf16d44722a006a417306822873384f2d6d804bdb4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7549a9435a0bd0dcd333146ce889adfc

SHA1
fe5c276e8af625a140d81dc8db6d883481856c44

SHA256
cd8fc1b35042a5590cb1e2b10473475b0001d371cce3989c9d2065975e07bb93

SHA512
360ca56235d0fb2a8ff271b4f1eec92b60e4be367a88cd64e88bddbc0e6ed39563040634809d907287fbdcd86c86c6aeb2e346335667722208b36fd6e8c419e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd2c1598c8df223f5e4bbf8bea32f8d6

SHA1
d9a2111d1a43253a058b59aa294f84bcdcd03364

SHA256
976586f8b94cef3a4733fb94037349e66145b8c5cac77cd842e97e48cce1a983

SHA512
010acadadf906e07f00804b1e93644b0de41221fa30c8d9d35cd643066ed40d904a768fdc2d9a920e597ea33fcc129d5e033057fa79307564950923b1b9106c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cce02b6809a515c056189db51fbbd19b

SHA1
ea8523454071f05ae770a8d4cf038dcb7a8539dc

SHA256
2bd08c5d96a47b8e91d98102be81ac79149ac77e3000e702e9abcd6faab93906

SHA512
fbb0afe19432e7e21e9b8bef1ad9457e2f0aa6f4e3a7f19e4d512f2d1194c234c359227f428e9341230efebf21e67a3aa06ac1c1e7f886552dbb557fff8ab94d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0ec45c5e59032800e66a591ecc05571

SHA1
d43ff724006b9b65b1ae158856ce71cb4faad96f

SHA256
64d7c091e9f8e0b509069214c4cd614b18988cde8de5a95c3e0dff7177a73671

SHA512
e88274b716e652d2de30f11aa722936a407d68fcb778dccbb77be9362a5977cc35f2f2b901ee48c1e0737d6687268afbd822b1ff469fbbde921f128a1f35f80b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76aecb3185ee98d1fac25b71e29673c3

SHA1
08dcc3309e196a6385571fc70c7485634945a8f0

SHA256
e754693bf176ab6c04a88bdfd49b381fd3f8a47c1cd9ac656c149088deeb0e41

SHA512
206b8d0b6ee8840df8672d16f9868fd6325b8994d9fad0622fdc9c0a9b477ed0d78b2f5d7cdc38199718c45ed3f69160b697eaacbd518706659d2b9270e80bd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
697d9aedae13f5d54a797ac6f49c9713

SHA1
43248f34bc30693c60fa6606615e9b23c5172931

SHA256
047ecda12277729ae1406ce1fdcb3de4c26b44dfa2b8866e58b5199f0b514f72

SHA512
e83db513fc5367dabbe8a68fa7aaf4d1ca76f2bd4a3ac42e7ce4a12085969fe4c722b15fe17e779afa5467ff0ba08fc15baee74b66761a93b6d8d971f16ddccc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0026b3cdb11acb43ae462fb67413750

SHA1
9946d3a831113014e70cbe5cdbfaea5759f128ce

SHA256
c7358300e4989b5993f7a1a2fe09e47f26db273848bd9ef8447445ba3b7879ca

SHA512
d878897e5700515d79bd0c4d52205000f75f53d6e048437a78ee42c890b4c64676f90ccd3cc42612e96a40f4cf10dff326442dbfc3a14058eb0bc5492fa0a583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bed699a32854eb6868ec7a0035837f6a

SHA1
cb90776e18b3b94255769ebe58c884ddd6134207

SHA256
9649d64e23bc8dc6089709eb4e6fd6bf05bbe848e9b12837d7af87fa7a79760b

SHA512
ab1792d0d63fe063625075bc0461b7c8ecaefa21f1f5f45c7cb02a8e69df2ccb504b1f0dead02bb319b299ef0094a71496ab1bbf76dc79dd253f2739f1401954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c04b31a25b1f3e9276cec301f334de9

SHA1
74ea8e8eff7cf14d2c8599b13a6ed72214c08b62

SHA256
01c80bd266b90d1026b8c9317c8c7ce3b9919180a03edc1eaa20d0af98110763

SHA512
40ae32e5c27e0b732fdb1e86a9859516d83b13a9dbdef58dee10661485f6cd41af8427abb5e0794e46f593fb207ffc9b1b7b455dbdbd48603e7921e927f37db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4959f30fde38915e12ffd2fde5553b0

SHA1
9983cdce682c2cd02cd96fff996fcd0b7313a070

SHA256
55591654a3d721f2bf10be221325132bc74dbcb526b9196c307a8d3f7ff5068f

SHA512
e1943bc4933a938144f81b30f2bb3df410d1b88b1663381e7c0fd2953584faee84e5d53eefa02c84f7bab035f255cdcac5adbe39128253046a9c571544e06e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faaba25f5f810a5532c122eeed409524

SHA1
5515fd27b119fdb87f9bae4121d089160a271c6f

SHA256
d84a738071991b1b15468dad833ea1d9f36d6691d6e1926a534c649fa6216800

SHA512
96d08216c067b25fcc19b513dc3f41fd4340b129a0eb284de3a7c7e4afc7042a45bf5fc6a7027550de1b94a97b4e04ba5b210c87d11e7fbc1988cb36e01c45d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
febf9489679ab41d7bccea83c8ba5858

SHA1
2f847349f476ac7a2fd7c34a30d7389427e34d22

SHA256
26dffcca4efed7bd9259d6a300590f71f16dcce77def4c951184b9fab46d692c

SHA512
72b7bfd10ed5f54cbca7b2e01647f8223b99bc9c75bd68312c26795f2f40ea5ba953aca53604a377bf4c19d5a8d8d879b21c4cc43f0b5e4f686c7d75a77f9a0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0ab54523178aa669967aa1a39a49b669

SHA1
c9eb83e8f6ee3f917289bfa853ab68e2b4b73a01

SHA256
afc20beab612c6e57388f01b1fb1b60fe308f6d4a75772915cff711948aaf803

SHA512
50483d59e60c6198a4875c7fc74a98d14ab4971fe698317f2d72042f5af478a8b67508e11812b23875726b989e38a6bd7f19b09d2927d262ccc6ee25b130d341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
10KB

MD5
700cd3f1aabbbbe6432c4d3f6c5fe3d9

SHA1
bd2f63ad1f5a0920b17239e6be4f267a07517128

SHA256
4e769dc0924c495a4dfad08e65c5930dbad53f62964f70b6b445450d57c664f0

SHA512
d19181dc0ec01237507a7d8ecfbf6e9e7c704e022548f6d2007677ad970d7a6d6aeedb0f75f3e72e59ebc9c78fad67befe8f4b165ea5dd1877907fecbd764bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
5KB

MD5
4fe475293cce9acd4923cc414716015d

SHA1
657f503f1bf4e2443eb051aff56ae95c3d4a0831

SHA256
e97aaa659ddc94f66dac63c59c6e84fca6b79eef3a3ca03c6c1dc1caad63c727

SHA512
e24e6d409d069af2790936e0530e116eb25445bde6751d3df53bcb61f9a9e6fb67d525188dba4ae9c5b5e51595cbe8579fb701940bb4ba12eb630d7e4e3ffecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\favicon[1].ico

Filesize
4KB

MD5
b939aee911231447cbd2e3ff044b3cce

SHA1
0f79060358bea92b93ded65860ffbc9ecae3dc14

SHA256
f35fe126f90cecbb6addd79308e296e8409dbebf6bc589c31749e67713e9bb3c

SHA512
8053232364d54966f4b8acdf9af61a1366bae09789d6a76b8e723d7c3f96287460248eda12083795766809569527f4821f7e87ca4a644ae900c3df33002c9977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\styles__ltr[1].css

Filesize
76KB

MD5
a9a4c0df287886862263d8af0a6e096e

SHA1
4aeb13637cff035bb7cc47aaa42d61f306e0e474

SHA256
ad68a177a2d52e736095a6b7431fbfca3f840d66a1ea67090b55c5f90722b067

SHA512
a9605e4b740e3841366ecfb2ee8b44469057009279d8bd6b6455af13bd5863dc130a65c740b465e20e060a3cae4d74ef7b4da860ed144b89131c5406bf12cbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\recaptcha__en[1].js

Filesize
545KB

MD5
1f233ff2deeaaacc3c11614068d6f46d

SHA1
6ab5f0fb0ada1228ef529e3d48961c36fbc21424

SHA256
dc987654372c681461a1ab9e9835fc0006367829e3f0cdccee51081109d7868f

SHA512
a44c564ba2ff696762dd9a9f05f38dbb839a594989bcae5c402222ae6d9a17a29942c99df9c473f043e928f98bdabb62299bb192613c72d5d5b3efde7dd36c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE69.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MALWAR~1\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF18.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0C9PQF1Y.txt

Filesize
402B

MD5
797ff6a423b6cf1264d67f537d3d1440

SHA1
793eb78b34b33e2c3b617310998a39922fe24024

SHA256
45a2e1c664c67d556213836084d6434b84423b0d18a7d8ca8b68c81f292ffab7

SHA512
74fea369e3e4c511e6ce6fa37a467c1d553162f607d77521e5f1b2b2c44a64c8bb11a4d5e10502bc3a4e2c1c17868cd7e56b119a18b30a88d6be37c2b3ca8363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1F24MUG0.txt

Filesize
458B

MD5
30d06537929559cf32e884d8ca627be9

SHA1
798a03c5488f11fb5e3174d50a92d7c2ab841bbb

SHA256
0e2e1ff2b88819d578e688b11113bf06850eacab76ecceb6a115ebe63a5935cd

SHA512
e8e4fcc3a260ce4cb90812a58a468bee5a54603f0bfc66019253146d09726b86dc886612d05c9d081a9c36afc782b57400063e36e000a153e362185718a0c220

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1952-167-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/2484-3157-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2484-729-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2484-728-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download