2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

17-01-2025 20:14

250117-yz7h3s1qfw 10

17-01-2025 20:12

17-01-2025 17:25

17-01-2025 17:21

17-01-2025 14:16

17-01-2025 14:12

16-01-2025 12:52

16-01-2025 12:50

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Destructive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d02b4b910469db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BFA77C91-D4F7-11EF-9333-DEF96DC0BBD1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000008d271c25cb41e44a2f7e86cb08ef3050000000002000000000010660000000100002000000009d6d75c0f48bdf4a83865a9c86f9ac361b942749737df70bd7b2e7506ce797a000000000e80000000020000200000006010e14f33f6547ac4aa742b034a19c5fd7c2c86f6d40aea2ddf55828835e36b9000000063075f25338f0de63cebcd2b0537b748d1783c16f463571cbd81a3d7265e67b325e69fb54fe68be7bc6b7cf8e0463c217979568c558b8c508071ccdfc2098b997fb267089493c4342901246bb19ce3d57d6d26da3c06d2667cae6e3dd14b200bb070efcc51837956390edc91519d7a11d7a316ef8dd59eddec86175bda5f497d27c188ae4af175f587cbc268b21969c740000000ac0dbe19d22b888fcfc47059728d8d3ed09d8eda7911676f95bcd37e694ffb451cc2d30f9c4ae50898eab24d302f535961fa9864010897bf64e8b7566bd15e90	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000008d271c25cb41e44a2f7e86cb08ef30500000000020000000000106600000001000020000000424f436634ce64076ef89a60df6ca5fd8a055d6f55a7d4b53eb03df79e0670c5000000000e8000000002000020000000bddea3e267a2b6da77491c9eb73fbd137e6ad270bd5a9c6fe3319f4ab267e94320000000d6e54d5f6465630cbc335b9fb9c3cc3a259daf85cb9c86fedf2c03896b25412240000000f7edff8c35606916d7cf85024a5c8ff71f8b3783789143f16cee7bdd9d2f5d89d63be31904322c55400a21d6259c249ffd17cf610adcd5a541f50f1dd4c18d4a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443296469"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Runs regedit.exe 1 IoCs

pid	Process
948	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe
2860	MEMZ-Destructive.exe
2276	MEMZ-Destructive.exe
2772	MEMZ-Destructive.exe
1448	MEMZ-Destructive.exe
1680	MEMZ-Destructive.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
948	regedit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2664	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2664	AUDIODG.EXE
Token: 33	2664	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2664	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3036	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3036	iexplore.exe
3036	iexplore.exe
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1448	2036	MEMZ-Destructive.exe	31
PID 2036 wrote to memory of 1448	2036	MEMZ-Destructive.exe	31
PID 2036 wrote to memory of 1448	2036	MEMZ-Destructive.exe	31
PID 2036 wrote to memory of 1448	2036	MEMZ-Destructive.exe	31
PID 2036 wrote to memory of 1680	2036	MEMZ-Destructive.exe	32
PID 2036 wrote to memory of 1680	2036	MEMZ-Destructive.exe	32
PID 2036 wrote to memory of 1680	2036	MEMZ-Destructive.exe	32
PID 2036 wrote to memory of 1680	2036	MEMZ-Destructive.exe	32
PID 2036 wrote to memory of 2860	2036	MEMZ-Destructive.exe	33
PID 2036 wrote to memory of 2860	2036	MEMZ-Destructive.exe	33
PID 2036 wrote to memory of 2860	2036	MEMZ-Destructive.exe	33
PID 2036 wrote to memory of 2860	2036	MEMZ-Destructive.exe	33
PID 2036 wrote to memory of 2276	2036	MEMZ-Destructive.exe	34
PID 2036 wrote to memory of 2276	2036	MEMZ-Destructive.exe	34
PID 2036 wrote to memory of 2276	2036	MEMZ-Destructive.exe	34
PID 2036 wrote to memory of 2276	2036	MEMZ-Destructive.exe	34
PID 2036 wrote to memory of 2772	2036	MEMZ-Destructive.exe	35
PID 2036 wrote to memory of 2772	2036	MEMZ-Destructive.exe	35
PID 2036 wrote to memory of 2772	2036	MEMZ-Destructive.exe	35
PID 2036 wrote to memory of 2772	2036	MEMZ-Destructive.exe	35
PID 2036 wrote to memory of 2192	2036	MEMZ-Destructive.exe	36
PID 2036 wrote to memory of 2192	2036	MEMZ-Destructive.exe	36
PID 2036 wrote to memory of 2192	2036	MEMZ-Destructive.exe	36
PID 2036 wrote to memory of 2192	2036	MEMZ-Destructive.exe	36
PID 2192 wrote to memory of 2932	2192	MEMZ-Destructive.exe	37
PID 2192 wrote to memory of 2932	2192	MEMZ-Destructive.exe	37
PID 2192 wrote to memory of 2932	2192	MEMZ-Destructive.exe	37
PID 2192 wrote to memory of 2932	2192	MEMZ-Destructive.exe	37
PID 2192 wrote to memory of 848	2192	MEMZ-Destructive.exe	38
PID 2192 wrote to memory of 848	2192	MEMZ-Destructive.exe	38
PID 2192 wrote to memory of 848	2192	MEMZ-Destructive.exe	38
PID 2192 wrote to memory of 848	2192	MEMZ-Destructive.exe	38
PID 2192 wrote to memory of 3036	2192	MEMZ-Destructive.exe	40
PID 2192 wrote to memory of 3036	2192	MEMZ-Destructive.exe	40
PID 2192 wrote to memory of 3036	2192	MEMZ-Destructive.exe	40
PID 2192 wrote to memory of 3036	2192	MEMZ-Destructive.exe	40
PID 3036 wrote to memory of 1380	3036	iexplore.exe	41
PID 3036 wrote to memory of 1380	3036	iexplore.exe	41
PID 3036 wrote to memory of 1380	3036	iexplore.exe	41
PID 3036 wrote to memory of 1380	3036	iexplore.exe	41
PID 3036 wrote to memory of 2968	3036	iexplore.exe	43
PID 3036 wrote to memory of 2968	3036	iexplore.exe	43
PID 3036 wrote to memory of 2968	3036	iexplore.exe	43
PID 3036 wrote to memory of 2968	3036	iexplore.exe	43
PID 2192 wrote to memory of 948	2192	MEMZ-Destructive.exe	44
PID 2192 wrote to memory of 948	2192	MEMZ-Destructive.exe	44
PID 2192 wrote to memory of 948	2192	MEMZ-Destructive.exe	44
PID 2192 wrote to memory of 948	2192	MEMZ-Destructive.exe	44
PID 3036 wrote to memory of 2140	3036	iexplore.exe	45
PID 3036 wrote to memory of 2140	3036	iexplore.exe	45
PID 3036 wrote to memory of 2140	3036	iexplore.exe	45
PID 3036 wrote to memory of 2140	3036	iexplore.exe	45

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=dank+memz
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1380
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:406551 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2968
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:537621 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2140
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
    PID:948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
273ff677888fa82c7b7de7cd7cd1afb6

SHA1
796192d452b8044349c604adc3576423b2c21004

SHA256
510338dc2cd22605d968c4fe02b4f82e036be4c784f57e312067bffef1842fd3

SHA512
5d7a08ba6cbf2a88c806427c6d0fe4c678aa2bf921a4f752bd029cde945397d86bd08f6074c39a7072dbcabe44f1b8d66cd076861324a4e4623bab72fa718671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
766dcbceceb99c1bb9b3ee02d18187eb

SHA1
50e38eaacc2a4a533f1aeb0affc076a24ef030af

SHA256
83f771647dd16e667cf88e34a69765c0974fec2c1dcdc9a1ed19bdb95fbc82e7

SHA512
3a6ed996e75f6c535605c6ea0bb18345033f1c38e143931370639f7592dfc67574c005bc8a680630d2b91f821593242fecfc020b0068585077d70e663936d027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
58eb1909fd62850e5000e88dfa1bbbd6

SHA1
b8d57754efdb0439ce97429c744f7410bd075827

SHA256
85911d4e9c9a18b65a5b4887e5340ee981c203042d99db0e9b7e464d43cdb836

SHA512
fa517c5d7c9aae7c86f331b704ff1f536f8229780142c332b8b5029f2d2a873565bee56fe95feb0c65a3c2d2baf6131c9a57ea0535d0be95065e00f3598bdc21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
491fa451c55f8eb343e918896a060c4b

SHA1
68c6ede8c55c6a35440e9341948f631f4e407657

SHA256
750825d5c4966157718a0f2dc5182dd20b14ae17727cfda970f979db70d7b967

SHA512
d48bd3c75634f45a3fee29cabacd33d01120f0f27e4dbe0409ad25adf26e6d9c1806fea67dd3171a065a5b6c554a28e36a59634d228e1dd199c467018103c883

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
98a87352cdcc33e4eeface259f722d71

SHA1
3c403a0a4c309253b683853bd9cfc5d75e809eab

SHA256
2640efc4c8c3326c3bfb749f3b58573c121429674da6d77c2ca2a92b52c09c10

SHA512
0eaa7ce851ceeaec2c055ff7421333cb9c3d3425049ed7d3dd6946b9716c5e0a782622759162580a39a657cd50e3db7a3e17b9d9cc37306e3ae4f16de34d8ebd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
0094e92e71cee62a3dddfe9ba33e82e8

SHA1
2e648bc6b9e7d4201713b877a5cbf630d8b59fc4

SHA256
36f8679580eb1ccb2b8a1cdea5c5afc50ec4ad838d5fe52512a6fd2142b3a5c0

SHA512
94c5d10b768bc4efb9da7c5674b64cda0b16ef14494e4dd0fbd0b295866c5dcf5cbf4d7abe8e2f510b1a0998550ee29f77c2d457a347eee292027313f7702142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ab028f551d84b5adb5ab0fc49283e02

SHA1
479fa124acfb0ef063150b2138a8a57c1d662d24

SHA256
0771facd33b194603e128951d7d405e00647b69bbc2c766ee91447e4e3623e5c

SHA512
ce91183a5849493d1ad908aa6d8972fca7b1bc70646f27427991c880fdabbb6abdf73a0c429685bac720bb583f0c0c7a6c94f84324b46f623ccd8373b3a3cab0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34878cd0a0cd6cc721ab61180536eae2

SHA1
26070da58f39097b8a9dadc3686b79d2d6d04b36

SHA256
76a8afd87357ca84891c399f926545596cd1223930b8c5f93a0c5212f24b0570

SHA512
360e3497c1327cb8eea964645ea5af3076650e876feb8dbaf07a1d8d9fbee0ac11f96627eb9c74aef076b6108fc0e584de5acb9e23965b5651a9f335dca02b2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52006c885a6e0d7cbdc290464493c646

SHA1
cff6ad9c8f6d2d4e0b903e9a3c018c9119ec4b6a

SHA256
dbb0df52777a34255566e5dec8a458054cc3a0683041d48e325d068f09e22ca8

SHA512
b21bc359af9567dad8b97b440555556ad74e903f6c2154e50c6c5fee769e30873c5f668cfefb77102d082c2720e811c15f2d32db22990cce63f4e5162fa53030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccb7bc4bd2ba238fffce71f351d87dbb

SHA1
bb467c44fa3499bb40467fe6bb718ef371961ad6

SHA256
0cb79ef9575b6b2efa880baadea7cfc9f64d2edb7f35c2e77a786bafe411b79d

SHA512
79dc11c31f39892a6cc79d03422cc602128fb244eee27e09000db986de369e7fd567851ee7f1703718afd9bb12a8191508f12eb913874053d34b99726c90b507

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5eecdf07d51ea7b95f7d8a3ee365980

SHA1
074be576516f82d5650f8cc67232026e4fa70df4

SHA256
5e95be73845cb7491235629cc67c11048869ae3821131b76b179ef232a4fb55b

SHA512
6400ea0dc687ccd209acb4f16ff61c8f612edb4e4c34cdf46763d9ffc05274185e3859d4874a19cfee0ca3bfb77a1cdc4d2b59a7326235041eb3ba50b7e7c6c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1185335e6485dfcfea6bff1f46b0b31

SHA1
807f1c529b543f4fc084964b12f5675fe2324ff9

SHA256
d61c97c8bbed08bfab772b6a61fed37eadc6e5c89f132ee51b8fab4cd036032f

SHA512
734b27b4e066c4ddbe9ef3e78b153a6da831e55aede2ed1ce4e24e373193a53964916db1efb8dc2f12f0109c7841a4f8894f569b1e0ed8e221c85e151a8501dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f7301e26dee7afcd9109156c3bc20e9

SHA1
881470afaa5cc9a427ccb6dfb7c8d6e486103334

SHA256
4586dbeb8c8809350c80c286d75aa05effaf8c74b215a4ba68527ee656830d17

SHA512
fe9dc41d381e2afa2f2aa236c46e7be34b65626a065cfd97c5d4aa26f7ba2d7d37e86f0f1a2ba40238dda8aba1162a87dc96883f7adb6cd83655343c068bd829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
928e46e67a0b3fc4326f87914c185256

SHA1
462591f5bc4599854ee9817eba6d496f10790228

SHA256
ee20bc06c013f178cf2cbb86f39e1333ee3799cf4967ebf709ae12fbc1d97b22

SHA512
5da188ed26f8bbe4878e3d45f076a4efbd7b032d662cc83e16f29f3cc2c031df5fc7a3e82b8d4a2afa3f329943c6f4b39861442f53bbb4cbd73249546d9a9692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38ef9a43dba85ecff7572eabe2e8f8ca

SHA1
bb985642703b2e7ef55ffdacf0a214b286f3ae38

SHA256
1f88fe2e8b35369ff3e62038690298bb95a91608c7aabfd83b3aba1a6543c152

SHA512
0ef22789fb5a735cfaf01072bba8ee9d80792cecb8c6fccf65325fcd9e74c43ca19baa6b656a8ef632ba1f00ca6835faf46f61b95eb9ad65996124e55b8d02ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91c213d1da7990ad07527c455303985b

SHA1
dad269a6fdced926c274f190b4f2524d30f12a4b

SHA256
2d1a86301a7fd8da7ec98c933b24463c5444b4fccdea0b53ca60236558c14334

SHA512
c62542964a9dcbeea95843e814628fb2f8aa05475bb7a2f0d8f99131bfff4576c4d2030cf71289258218eb68b87bf96f9bd15d32c71102d725842f93d5475d99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3277f727809c36f1e720bb1301af4e65

SHA1
4d3b183be968e5d2f02d670555c6d3212e36ea5b

SHA256
736e65d5b624f3b1bd558d9c0d011a997a8bab970d378885d11c6805240915dd

SHA512
aa9018bffd8aaa80e66c05c5603d852d1c8e6be50ed909b8558bc4ef0c92f4a0bb59ce67d95c56dcb9f12ad5838492ac6e1537ab94b227a2c061c37ff956dfd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5adb849ca29d6a646a4aeb83729a5880

SHA1
f42856c9f8b32338f355ceffef78d7718c754f8b

SHA256
15dd692327f129265759ca77c3fbe176aad871158a080e2d939b7321e4cbc72a

SHA512
17523fa786ef5092f9efed6909723c72fc3ca5bef036d2b211049ad833e5c3434c75a7ac19413eb0f7ac83c505b5f907a017548904c2723c888993b4124ad327

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15784e12996cd6f68e9b6afaeb8ae0bc

SHA1
0d411b3d772dc1dd7152f961928b63b48636054d

SHA256
2552727946485b218f4f9dbb4bcd9ac0a0cdd51546a13bea3331bfdb244273cf

SHA512
e7d588499154117d1a3c97287a136085a42ba9a5f3e1bb34a5cd1c69eb533117089ac4f015c1d922b52758be5cee05ba6e24373ddbea21d33ff4046c0b57da16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8161aa5e0981c2d75cc65492bed92d50

SHA1
37af52e1db80b8cd8bdde7b5d8d9e9d38d58c964

SHA256
cfa81f63edb4150eb8c1e0608b16e8788f461218a318b5edfa581324a2f3d28a

SHA512
4659db2f2e86dc8d5c8efd3dd6565449c6ff40241d92076ca8fc3b6581ad8a7dd76e8ecfff04cf77830ec4067b301513b12f247f4eaf59f3369b18c104622c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69598a1ee4f24c95b200500692dd0cec

SHA1
f2ae324d7dc79069e27deab01b3119c8c71e1037

SHA256
98cd21e34da829df2f261e3f619cbc4a1fbc86e0129473dcdd20c865df52db07

SHA512
0dae0c9fd9719b3475b09d31ceb39c18761cab7898b05a7e967fc5ad04ce5aca756570919f6707c5343cdbd5fcd74136bcc37f29c52cdb62891bfec0f4f6183d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d32d51c4a1a8731b1c9ca7dac9a9589

SHA1
b2599c943a817e86d63f1ce2ab6801d821a7b904

SHA256
21dae1630fd62affb66c461394ebdbe4802eea72a6a4575444e68d2dd7a75330

SHA512
426a640bfc7ed304f1022f4309bb15076e06b4fa552be4f29a47ee5d04e94fb64e62fba17fa5b1d779e1c8a201e59b9b4ece8ce9bf0a5ec16bd4453ca46378ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5942a6add6d566717fd01e50cd34af87

SHA1
58e0a121cea324fd48b9725b6e40dc16baea23e5

SHA256
7d91596b7f3da2c19ab57254a85961bc9aab29cc21005936541caaf1e8e6ac90

SHA512
589be1cabfba3af8f720df774ed508a8f7082d6da27c73e7a2cb0f1eab699d3ea2f5257172b01ef2cd5c3056e800498fccbad5b7ce07c5c71b44b6a17dea4f16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8039ed0743411c4aa16a3802bbb217d6

SHA1
aed37676f7a29d5a4bf635153d5f2320d12ce34a

SHA256
5c51d05d4f7a8fd48d5706a406a4b39f60bb854ba8cc207ce4fd1a0f7f17fe33

SHA512
2dd4d77c992c93dfe96dc6c5c332f3aaed821c6086e7df58b191b3f650445a3a82783ad3c9a25850cc462bf8164c0a1d9d76fa2b74603112874c19d29caa487b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b1f2832b7c7e7f611ee411d2ddb8c4d

SHA1
47e3eba099c0e6367330c119739112fdd2f995ba

SHA256
7d6fcaa4d4451187691259d30e06c20fadccb4a48ed373d0ff89dc3308476e9b

SHA512
ccacf01d77ca8cd33ed89f616dc6bcd15cad9bbd709976f10c9c6f3a16dc616a1cf6662d10f92f73e7f499ed6b912dbe902908331d816097acb558ca3928777d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4621fefb660a0b75e884bb3128804d8d

SHA1
474dd8eb45a307deedf845f5841413c51534ca66

SHA256
003e91ce6fd8ffa89f76cfc0b5d38904283a021229e5d972251403a38c6159c4

SHA512
785324a9c37059ebac4f6aabba802a7ee30bedb302a41d8c1d8cd93736b86aa4e0d6770754020afd7a3cfd75ae15d96c9935b2c72f38114c356cbecc90efc6fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4c0b3ecfb308decd6e76dbf86e93208

SHA1
2af624be82e8b4e853c7cc80ee8a955a39cc9238

SHA256
7d9f380b8ffeacd0769aec72084fc72ad94b057b2ff216472a34e804b20338e5

SHA512
aaf2ade01ebd2c8baf44e173b94db4c027912d407f015395d9538dad03b981dafe4282599634eb048e3930931364ca5f91e531ab2bcbed68e88419b7a816f0da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b2619a9ed050e8223534a74512d08470

SHA1
42de74781fe30906917dd61cf38c9e1ae094fb9d

SHA256
a94d6209a9798bc01685813c5dd79f242da11254ee697b40b97ad77521588ca7

SHA512
f302bc818ab367c3f7b833b4d7e0ca6efde32692387f9dcaea35c1e481aaf7d77a652e8868d166b8224918d06a0139c83a9e9bfe7140378573947c9721172926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\1XZBW3B6\www.google[1].xml

Filesize
99B

MD5
265e59fcdcb67c269e47959125175f61

SHA1
2675713f36b04e6f11e1de192d5332118c550f96

SHA256
6c2c0222446d8f5aea6a604b5e4c559135bd6f8f7a306c6d86a1e8c7ab1f4846

SHA512
399f718aa13374a3242e44d44f50d017007d2b92aac064b6101c390096024fddf01da4a4bda7f5899423a10352492c43290568a30ef731a0ded5610ec6cd1345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z8d0nzh\imagestore.dat

Filesize
5KB

MD5
642c07c049ceaa6a885dd7f13fbc86c5

SHA1
681a3a8f9c6476a3debfb2238b0f2c6b00d38d8c

SHA256
033b05184dad50dc6ead1403a80bf88c094dd72219077c7420e75b98624643df

SHA512
4b3226c7b40d7d55dc60a8ce5f592cddee381b29abebb79708788fba80e974d27f817377023040d10eaff521dbae1f1986acf978b3e32bf67dfaf2e03157b470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\recaptcha__en[1].js

Filesize
545KB

MD5
1f233ff2deeaaacc3c11614068d6f46d

SHA1
6ab5f0fb0ada1228ef529e3d48961c36fbc21424

SHA256
dc987654372c681461a1ab9e9835fc0006367829e3f0cdccee51081109d7868f

SHA512
a44c564ba2ff696762dd9a9f05f38dbb839a594989bcae5c402222ae6d9a17a29942c99df9c473f043e928f98bdabb62299bb192613c72d5d5b3efde7dd36c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\webworker[1].js

Filesize
102B

MD5
dcf0dd9e2a4c0015bd80ce993ac84ff1

SHA1
6c4eda6061f7a7b9e05f439540fa26c261996fbe

SHA256
73943cf1ab8eff323e097bee9c52083255ee6e53b9abbeb193aa09fce212fa24

SHA512
f2d0a9e79d038ae1d00e6f4c08c3cf41af3e81ea8955e73052f89c4370027ba795080c867019497842a337f049d0112d8dd6c3f1bf5db8659d5f8428023128e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\api[1].js

Filesize
870B

MD5
9a90c06ffab392f11cda0b80188775a8

SHA1
395386715f54948ab58be5ad918b494b1ab86156

SHA256
ef7a5d110fd5a78289d4f71807784696ef0625efca97453caa6f3051e74a4c6b

SHA512
e40292115e00e2e652be3de796da6e860f99901d58adbd543edcc281e80fbee45ba35cb6b436cd5f7bd654eee8ce722a8f5fc41c6a40478f77bd2d6fb44f5780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\xvnkv013T9iQERax3LRLfLP-YGjo9lA-elXqPIIu0pM[1].js

Filesize
25KB

MD5
d735f7826775631410df2363ec8ea7fb

SHA1
72622ae88b15219ad1b00c72b48e13b2dd10e6ec

SHA256
c6f9e4bf4d774fd8901116b1dcb44b7cb3fe6068e8f6503e7a55ea3c822ed293

SHA512
b4fda11a5e56e7d1344a38bcd0d086b366258c751f18de79147e763f848cb4fbc76720b211913be2d25163a77bd505d918780a7dc089e976069d12a68701db2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\styles__ltr[1].css

Filesize
76KB

MD5
a9a4c0df287886862263d8af0a6e096e

SHA1
4aeb13637cff035bb7cc47aaa42d61f306e0e474

SHA256
ad68a177a2d52e736095a6b7431fbfca3f840d66a1ea67090b55c5f90722b067

SHA512
a9605e4b740e3841366ecfb2ee8b44469057009279d8bd6b6455af13bd5863dc130a65c740b465e20e060a3cae4d74ef7b4da860ed144b89131c5406bf12cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEABD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAD0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CW383QMQ.txt

Filesize
125B

MD5
2eb99a389962e922e6716d57b43216bd

SHA1
52b46dad5659b4c588efb58f036624fb20710043

SHA256
978345b5d58dc8ae46918db64a82bfa5046010cbaa963cc018058fcb1318fef7

SHA512
80e5db5bb5de11d462fe82f1e685ceb5a1e2c18e05f8978db97594ce409047b7dd01513f0d5885d35d0003ab043f6677e41ae1f5d72def8a5e4479331ff0772e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W0YSQL1E.txt

Filesize
125B

MD5
ce1ae27f65f6a521e924683b2e0c04f3

SHA1
e58ab364423557310d8537e0c4d35df18694a073

SHA256
b8a3ac22b0ff105e9360695a0ef02ddad4f9c04301dda3c4e6fe6c5f968953bf

SHA512
ec906be69e4a0bd2a5361c7f8b9f30e2cec925776ff6db8c79541d97198450e795010ba391fcd9aa9de99b0edc8a1eeb376f2dbd36942fcbcdddaa7454798959

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit