2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

17-01-2025 20:14

250117-yz7h3s1qfw 10

17-01-2025 20:12

17-01-2025 17:25

17-01-2025 17:21

17-01-2025 14:16

17-01-2025 14:12

16-01-2025 12:52

16-01-2025 12:50

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2960	MEMZ.exe
2100	MEMZ.exe
2248	MEMZ.exe
2220	MEMZ.exe
1540	MEMZ.exe
1416	MEMZ.exe
3004	MEMZ.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CF22F71-D4F8-11EF-B25F-FE6EB537C9A6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f452040569db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a5f800f79681544bd0bc8309f4ba95b0000000002000000000010660000000100002000000019600342531af751e60411e37e00f9b21e2bd8186268dbd5f2aad94bf0ef60ce000000000e80000000020000200000002d7a1b5846a3eec76b95ef1a30aa91b0c6af7e1d8e3c7e8accab1e089b035d0d20000000e9eb5ed06bbdd51de648ddfeae9f8ac28c5204de99dda561f80a72ab5167219940000000824454aef617fcee9a499dd48c1147312ae5ba3fda029d06d62f53e7fc491115f8e52746c066425057d023dd210fa918d184dcfd9104f156473fe3b0c062c2f2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443296652"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a5f800f79681544bd0bc8309f4ba95b00000000020000000000106600000001000020000000b44ba1197732ba0ddaca4a457b26e7dfc9041b8f56536343808e756950e81631000000000e8000000002000020000000a14f65fa63380d0e116c88d05f2431955d69c11faf74dac857c86431221f8e009000000057bb699cb2f46f72fafd777222c500e9ce2cfaee37a2eddedc7777e15bac13054758ff609d7022a5a4d57772760c6a0471cbb3fc603551dfebbf3152703db9300ff326b6d460dba299718e97cb624d7550f427291b247c5980972b886c43b78397b1b524724a97b82c0574dded78e1080d61818678ed814d162118419dbfb3cb8dd6faf9291fbbb6a0f1c565145dcd10400000008d5341514eecab9d25dd602d78da2d5a551b2703e243a8470165b32ea9060e57baa8b7f1c133e9f247baf8557c8569efd72c7b49723c06cf1b220187d7a66e76	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2960	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	MEMZ.exe
2100	MEMZ.exe
2248	MEMZ.exe
2220	MEMZ.exe
1540	MEMZ.exe
1416	MEMZ.exe
2100	MEMZ.exe
2248	MEMZ.exe
1540	MEMZ.exe
2100	MEMZ.exe
2220	MEMZ.exe
1416	MEMZ.exe
2100	MEMZ.exe
2248	MEMZ.exe
1416	MEMZ.exe
1540	MEMZ.exe
2220	MEMZ.exe
2248	MEMZ.exe
1540	MEMZ.exe
2100	MEMZ.exe
1416	MEMZ.exe
2220	MEMZ.exe
1540	MEMZ.exe
2248	MEMZ.exe
1416	MEMZ.exe
2100	MEMZ.exe
2220	MEMZ.exe
2248	MEMZ.exe
1540	MEMZ.exe
2220	MEMZ.exe
1416	MEMZ.exe
2100	MEMZ.exe
2248	MEMZ.exe
1416	MEMZ.exe
2220	MEMZ.exe
1540	MEMZ.exe
2100	MEMZ.exe
2248	MEMZ.exe
1540	MEMZ.exe
1416	MEMZ.exe
2220	MEMZ.exe
2100	MEMZ.exe
1540	MEMZ.exe
2248	MEMZ.exe
1416	MEMZ.exe
2100	MEMZ.exe
2220	MEMZ.exe
2248	MEMZ.exe
1540	MEMZ.exe
1416	MEMZ.exe
2100	MEMZ.exe
2220	MEMZ.exe
1540	MEMZ.exe
2248	MEMZ.exe
2100	MEMZ.exe
1416	MEMZ.exe
2220	MEMZ.exe
1540	MEMZ.exe
2248	MEMZ.exe
2220	MEMZ.exe
2100	MEMZ.exe
1416	MEMZ.exe
2248	MEMZ.exe
2220	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1712	mmc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1712	mmc.exe
Token: SeIncBasePriorityPrivilege	1712	mmc.exe
Token: 33	1712	mmc.exe
Token: SeIncBasePriorityPrivilege	1712	mmc.exe
Token: 33	1712	mmc.exe
Token: SeIncBasePriorityPrivilege	1712	mmc.exe
Token: 33	2652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2652	AUDIODG.EXE
Token: 33	2652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2652	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2796	cscript.exe
992	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
992	iexplore.exe
992	iexplore.exe
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1692	mmc.exe
1712	mmc.exe
1712	mmc.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 2796	352	cmd.exe	31
PID 352 wrote to memory of 2796	352	cmd.exe	31
PID 352 wrote to memory of 2796	352	cmd.exe	31
PID 352 wrote to memory of 2960	352	cmd.exe	32
PID 352 wrote to memory of 2960	352	cmd.exe	32
PID 352 wrote to memory of 2960	352	cmd.exe	32
PID 352 wrote to memory of 2960	352	cmd.exe	32
PID 2960 wrote to memory of 2100	2960	MEMZ.exe	34
PID 2960 wrote to memory of 2100	2960	MEMZ.exe	34
PID 2960 wrote to memory of 2100	2960	MEMZ.exe	34
PID 2960 wrote to memory of 2100	2960	MEMZ.exe	34
PID 2960 wrote to memory of 2248	2960	MEMZ.exe	35
PID 2960 wrote to memory of 2248	2960	MEMZ.exe	35
PID 2960 wrote to memory of 2248	2960	MEMZ.exe	35
PID 2960 wrote to memory of 2248	2960	MEMZ.exe	35
PID 2960 wrote to memory of 2220	2960	MEMZ.exe	36
PID 2960 wrote to memory of 2220	2960	MEMZ.exe	36
PID 2960 wrote to memory of 2220	2960	MEMZ.exe	36
PID 2960 wrote to memory of 2220	2960	MEMZ.exe	36
PID 2960 wrote to memory of 1540	2960	MEMZ.exe	37
PID 2960 wrote to memory of 1540	2960	MEMZ.exe	37
PID 2960 wrote to memory of 1540	2960	MEMZ.exe	37
PID 2960 wrote to memory of 1540	2960	MEMZ.exe	37
PID 2960 wrote to memory of 1416	2960	MEMZ.exe	38
PID 2960 wrote to memory of 1416	2960	MEMZ.exe	38
PID 2960 wrote to memory of 1416	2960	MEMZ.exe	38
PID 2960 wrote to memory of 1416	2960	MEMZ.exe	38
PID 2960 wrote to memory of 3004	2960	MEMZ.exe	39
PID 2960 wrote to memory of 3004	2960	MEMZ.exe	39
PID 2960 wrote to memory of 3004	2960	MEMZ.exe	39
PID 2960 wrote to memory of 3004	2960	MEMZ.exe	39
PID 3004 wrote to memory of 1908	3004	MEMZ.exe	40
PID 3004 wrote to memory of 1908	3004	MEMZ.exe	40
PID 3004 wrote to memory of 1908	3004	MEMZ.exe	40
PID 3004 wrote to memory of 1908	3004	MEMZ.exe	40
PID 3004 wrote to memory of 992	3004	MEMZ.exe	41
PID 3004 wrote to memory of 992	3004	MEMZ.exe	41
PID 3004 wrote to memory of 992	3004	MEMZ.exe	41
PID 3004 wrote to memory of 992	3004	MEMZ.exe	41
PID 992 wrote to memory of 1488	992	iexplore.exe	42
PID 992 wrote to memory of 1488	992	iexplore.exe	42
PID 992 wrote to memory of 1488	992	iexplore.exe	42
PID 992 wrote to memory of 1488	992	iexplore.exe	42
PID 3004 wrote to memory of 1692	3004	MEMZ.exe	44
PID 3004 wrote to memory of 1692	3004	MEMZ.exe	44
PID 3004 wrote to memory of 1692	3004	MEMZ.exe	44
PID 3004 wrote to memory of 1692	3004	MEMZ.exe	44
PID 1692 wrote to memory of 1712	1692	mmc.exe	45
PID 1692 wrote to memory of 1712	1692	mmc.exe	45
PID 1692 wrote to memory of 1712	1692	mmc.exe	45
PID 1692 wrote to memory of 1712	1692	mmc.exe	45
PID 3004 wrote to memory of 2492	3004	MEMZ.exe	46
PID 3004 wrote to memory of 2492	3004	MEMZ.exe	46
PID 3004 wrote to memory of 2492	3004	MEMZ.exe	46
PID 3004 wrote to memory of 2492	3004	MEMZ.exe	46
PID 992 wrote to memory of 1944	992	iexplore.exe	48
PID 992 wrote to memory of 1944	992	iexplore.exe	48
PID 992 wrote to memory of 1944	992	iexplore.exe	48
PID 992 wrote to memory of 1944	992	iexplore.exe	48
PID 992 wrote to memory of 1740	992	iexplore.exe	49
PID 992 wrote to memory of 1740	992	iexplore.exe	49
PID 992 wrote to memory of 1740	992	iexplore.exe	49
PID 992 wrote to memory of 1740	992	iexplore.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2796
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2100
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2248
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2220
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1540
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1416
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1488
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:406546 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1944
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:799766 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1740
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1712
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
273ff677888fa82c7b7de7cd7cd1afb6

SHA1
796192d452b8044349c604adc3576423b2c21004

SHA256
510338dc2cd22605d968c4fe02b4f82e036be4c784f57e312067bffef1842fd3

SHA512
5d7a08ba6cbf2a88c806427c6d0fe4c678aa2bf921a4f752bd029cde945397d86bd08f6074c39a7072dbcabe44f1b8d66cd076861324a4e4623bab72fa718671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
766dcbceceb99c1bb9b3ee02d18187eb

SHA1
50e38eaacc2a4a533f1aeb0affc076a24ef030af

SHA256
83f771647dd16e667cf88e34a69765c0974fec2c1dcdc9a1ed19bdb95fbc82e7

SHA512
3a6ed996e75f6c535605c6ea0bb18345033f1c38e143931370639f7592dfc67574c005bc8a680630d2b91f821593242fecfc020b0068585077d70e663936d027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
1ce5b37d4c7b9c9707d35767e8091e2e

SHA1
c834323c5e8dfcdc70454ce24bcbda81d38a0a36

SHA256
771ed2ba0380b5b6d42dda2fc7029606a9aaf6d45d0edea04d17529b44bc9dd3

SHA512
9bcc689fb7d7dba70ed19e9c634b0ab8694cd5f841778a4e508a803e4b2d658a5fa74bf8dcb5f0e5e14bd44331c0684c94910974fe8afdd2d98e49630c291249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c0a9e83b3d7d5420f01bd82a283f0743

SHA1
8fd9c1266ae5ab24c127242c499cebe082a692a0

SHA256
69e10b0db005f47aedeff5933c84d2425685c707d62ea0248df20fdab9bbd6ba

SHA512
c2c2cb9a7917bbd11e473e41b798bfbfee7462f02b625157a20844d5ed627452595cc490e8a3279629efa0aa62aa7351e803789bf5621f4e8659d771f1f7740b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
9921ea6c81fa8961c906c6e8c267f6d3

SHA1
283407686d5bf214e5a4c4eecaa16224a135c427

SHA256
40c02cacb548563038a4627e5b690d41a5d2f3b73511342e582d96d9af67dc94

SHA512
cfc106feb5db3a299dbc05b2a5c74c941b9c5dd900660f033a54feb56e44ea163c5aca0bad2c56ec9ee3efcdb508b6697f9e41dbf3f8f207710ab81fb7a3fd58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
3d58788418d3f6f368f7fb0e350d2274

SHA1
576bf6578497d7909ad6c59af2f1111638a8937b

SHA256
e59cff8fb726e3e202d837ec578cd90e372928f82d4316d0b2bf3762fa505630

SHA512
e12fd41439a83cab28c99afd5dd0272ac0aa5a42611b2a0e7f622e58ffde5dff4218e50d45f3ac86477512506872f81e718339b267a915bb3ad0a47c7a149714

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6245e752980b8f72080ef822db398432

SHA1
f0b8716249cdb1572fa0cee259fbd2ea47e0db0a

SHA256
1590eb877708dede63593e145f631dd95e12665fc5aeb9b3bd8d27eec1ebb4cb

SHA512
4d3c461671b563955c6417e27f6fe62242e660a209c69a78a0288f52ecb66adaf30279343bfde94cdc686e6ece60107b182ef7a7375342b10b3c7de7b4c24d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c173ed56a8f5b6c64f421d8a3e2ae093

SHA1
b30882ba9bdcab0ccfccfedbca8aa34749cf786d

SHA256
e9d9168710dedf288d36b835ffbc84c8000af9893839f9121445b3eaa1ff2815

SHA512
b09631ea98347ca13487db55c4ff12070797ad25a99eadda85053bf8b983d56abd5618287c0bc20920154ad683fbb70fac690a0e6b4c2a2ae76e40fc007bf948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d8ce9ff37d0f4683b97de63012a423e

SHA1
cba464fa7f107493cbca0ecd8113a3ef4325381f

SHA256
91d35887bb2f317a5771d4f161c3ed4add9c8c44c8aac9a7f9333c5a796d7e9a

SHA512
ac0f11613bda531805d3d80a8660783edc696573ab86564744a1babfe1a8fc40db32b87a14b72829c81f8a9584f34870f77f1ac4d951ab5492b6df807d503df8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
381af6b1f90214c60aa0f75ee25cdd46

SHA1
b3753794593fe22d8a359c1374e50b0b98d382ad

SHA256
c276a2de2e2fab356f0557e2c1642e03feeb149cb13f32f88f78c3ee0690dcb4

SHA512
3618e532772134a83f30d5b33788267fd4cf8695b1aac93f853dcadbbd7b84ec1d7672fb278ae4d3198edca1cca49f6b5a65343c260a9d15573f189a7db35eb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f12962a1425c17dc0d132c2a85868b2

SHA1
58ca7bc6bdd2a9530dcfdb098881699292b47fef

SHA256
bed889328f90bccb60ab4f10b6de3f5ad6e8daedb75dc2e0de1e70c3599e11a1

SHA512
dc937b46812338a7b8dc366fc322019f8b995741c40bd5b9109b768f428756179a3215206ffa2d22082bd689e2f5c5be823f86ee051c716173522aaac6a58c63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72287988df6d3df7bf57b1caa550384d

SHA1
48b71d8152e6f6e625d5ffa07fe5e78e86653510

SHA256
bb61ba026b511b33543f75996af21b8e011eb1e1c4c70dd17190f78d47b56876

SHA512
87976663979349cbbeb9a866d65bbc0ffed840f3e475e2273cebc6fc3bafceea7b75b0a348d073dff0db1b1a21c9fce03a17106a722908169c1cb67fbafa14a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61933f640c1a15cd7457d1183453f32e

SHA1
49dc4b24148ca52b3140f509645992d31942cc94

SHA256
b92abbf6ca489211e63c2d5fcfc08f79127acdeb5a037822c6f40cd217f66eb0

SHA512
04a1cbec0ab83d0c232a187158e95e31bb205fb953ac1445bff15536f27e0d8095bfeed84d4710347e8f8fe45f1ca3e7d3c3849293de82de29589fa43eee2787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b559bc6d878253f1bdb6c03ef866185f

SHA1
0019dc66301f1ee0c4fcb99ea57264a0bf8838b5

SHA256
2a02d93a0838cb1093c381651a6cf2795f2499cd25cb62ff4e843c54acf35aaa

SHA512
2d224f38ae8ed3308d497c4f64cb5c28a5b88c56ce9a95aef4faba0f5a7da7a9d3c98ecf6e56c4165144d79ea4c905cd1e8a8cccb885e40828fbc9063b521f3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18e03e638f1071b5f583af8594d535a2

SHA1
a01922522d8a9843d40fbffc9048aff3d6de2cea

SHA256
6b158c7310362b4b29c69b3839eacc6f86063b15a6c748f8bfc3596b1da9e177

SHA512
5aa3717949ff40067d51d878976bfd32801f6dbee6779cadefdfaf2a73e2ab7fce74daf2be67231ae6d6ac19ba9bdb019c8388638bd1c36999579bb4c6d01312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b334ae2717e797aecb8f8f6fa14ce4fd

SHA1
6da1f2c40f20f0613f6313358894d8bc0c511cbe

SHA256
bd2ae801a11ed39505624c4064fc0b04e685561c7f8f4fcbad2df95b0ca7ca97

SHA512
02735ea874145af7906e5e97260c22fd37f3a5e0c789383e47109163954ebfda4b968ba6e5f88a5d76c8125d1685b6de167237a7deaf5e1363e2d3ac32303f71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daa2b8e5ce0c1a725248c3317e86926d

SHA1
683b5a6ea7b409524004c766f49d94a03c275617

SHA256
d2f906a863d448436b1f892df13b72aa85bd73d4dacdd438c1d29cbb16ef8111

SHA512
8ddb716a8c53891c96c63311130c4d11c8ad22bcebf3350253b90c8ba6a586e4ae35073e80abf5dda2ecfecee99eeb4e890a69f23a8d81a39f257572c9fbce63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79f38bfb62d046648e33a1cf16141eaf

SHA1
48b13a3606b5ddb67b42782eda37251eab4f6f93

SHA256
00afb48d95705ba07182b62ced7b9ee4900545f142c5ecd6af89491b79f08a82

SHA512
5ce00e1d4cf876d05f98826a32c8c995b58697675df80985feaf2d692d6f9d440fb42c18b2cf8addd2dcb0a904dac10ca350b6b74dbee98a0fec70f6a1c85fac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3380f40a9daf520c26a2f4e3d3378c5

SHA1
89315306eedbb68e3402c2efffc3824448c13558

SHA256
59c16dfe3ada94fb1a893649b7bc6e413ed5a2e617113a8203c89d5ce675b0fc

SHA512
255f256363c33c4b99cdd1fe1b5fd60ec952860e6f3440b8abd6a9759da98614d78392ae289b6c1fc580869426c8a494a82d054f4e974b3ca9ae63e294c41c33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1f9ec69b86e584b1cbf8fd2d82aba8c

SHA1
76413f67fceb21809d13cac4202476388033c526

SHA256
07891597c9b16dc25ce6e146b1a6026236cf433dec2ae46709d6b0cb5a2ca91e

SHA512
de4ce6d55769404f4bff26e8bcda4f9c13bf6af486748cb7e56699e1a7fceb096c95995bb99d9328ededd65e3119399e231a4f3cc05b7d9eba41c0ca6b4e303d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c37793c17d1a8272215c2de89557a810

SHA1
428feedf595c07b7fe5bd14aa80f13642763d019

SHA256
aa06573267964036162c25fd53a171a762e7d872d0ac4e9c0bc2fb97d74b882a

SHA512
d3dcb15cf6da102efd8802f8bc13bc434d59c38832abbea7df77e15f44c52afc662b5192bc441ef13c59b06bff36386fe300bcc7b809445ce7c9a22690ac44ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64d8698ceb52b8ba47ced5a43aa23f64

SHA1
b71c0c6160a1f2d7d6a46a3491565eaf539ae8da

SHA256
ff68f4758b6545d7439f38c999103f423e0655c365856b887f8fc924c66eb5df

SHA512
cca4f7ac85d054cb4a9c1fd29d2f27f50f3a1d53aa9eb0817018237f01ea2f5e7c02540e68cc08d6c0d102918c69b603a944c629b9bf165a37338964d53cbc12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7765069fdeec7bd8f96f024a1171bfce

SHA1
d31e1e12c2c7c0c8b6a32fc0395668c1b9d68fc0

SHA256
45a39550862783987048327a9a6c254b7cec93c9d50c5fc95625f72d778bd596

SHA512
726f63f53ca33441840622f9739ed0c834e449b745a25052a6047effab271259854d739febdb33f3c95bafab1d6be567e936fb32ac3697fc812c0658511d88a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d65a0cc9e9cf10052b87f9857e786b9f

SHA1
b2a18a38daa1c113b7b5e1423a4bb5ac039a482f

SHA256
b24d64660428b1d8a15d0d8f7dbd402c256850799fcc0ca64811a99a6e1692b1

SHA512
befb1dcc37f5347d50de556819e18928caa356afd00e8864ebb66c35f9f27a85b79711f15832d47abdac9cc77591a66a270dcabcf3d39213ae8fe847dbf18416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e025ba1643d03d83ce9759b33abfde4c

SHA1
6d52d8d487e40d8fd3f68a263d89f0c75e856e93

SHA256
ea19c8ecd90cdd433b3729de461afbc81ffbebb0453756278178d9acb5d68709

SHA512
00e22e66df4de57ff41a7220a9ffe5f12d0a44cd6a60b756754f11a68a8930be34ca57c1ff5b18242dc6a027129e975db487878398f6715ad96ce14119649403

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b77e2902d32cff918eab823c8f020ca7

SHA1
a11291bf4fa9078a3ad29f8b8a9e72f49e17d5d5

SHA256
61bec3fa808b84b2a98b4507348042bf438d99a51e65f2ea8761259fb009f8f9

SHA512
28cea3ec6a6ae68f8077a6f4566f9cc58de198ce496645397618ac43d629223fd7d0fcc89bd7dfe1e022c7ab5fda63a6723a7a94fdb6d0dea92da7e697d1aaeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0376aa6f670101c794ae0a346d4ac65

SHA1
53ee47b87aaf748aaa835b0c1c5249867e3c9396

SHA256
26d42d8d5dc750f3858b5d5b0c28dce92257254b555beb098248c6e28ddb0b41

SHA512
3bc389b1ba08c12f451ff8b1f4311946ac982b616924fb938d51a7b671786117f0bf0886ff78c945d75925a00032f0e17310aa0c8600b9d4cd76859d4697098b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b9589bc0eb998431636cfebfbfe97bbd

SHA1
f97b27b80f2e1624f0a5e8d2082a8b80c977aca4

SHA256
27822aa639f64da860e8d282065550da3acda3e5538b03ceabc612316be92939

SHA512
15699b6af87611d7429baab4b5de06f5c678ae6fa4a3274bb7247860e7cf00670a69a57265ceae1e7e4fd4e6936ae8d5e36c798d06680201e36de46b38545876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NB20M8EU\www.google[1].xml

Filesize
99B

MD5
ec9a8ff922a8ff6f346091266e864822

SHA1
54d2b8d865677e3493ddce338b1452a468388a87

SHA256
1e90b23d967427ddf7160a8fcc56f929e77fd98d4434da1f098406f0d5fd7cff

SHA512
1fd75d1f2e89a6754029b6e91daa1e79d8ef9c5594b870c9b83f7f05056c6c512438764eece092769f7e022a92238b869298cd7cbc39c1d13f6d45dc4905c00b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

Filesize
5KB

MD5
208a00bbe5f4c47f36abe20c6d6723fd

SHA1
5d872358773ba5c2eb43514b8514388edaeca663

SHA256
3333b3b570454fa4bbfddcac64b1dd6c7455772a3b7367d31b4a5d32a0f98ffc

SHA512
3aed0c4762b42015ba2a257eaef1e21a7467440fe9eded48184b0073cc195baf7a6b6bf1ed022b0d324473a68e88a8a5f555851c24074448b19c72c9e4935c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\webworker[1].js

Filesize
102B

MD5
dcf0dd9e2a4c0015bd80ce993ac84ff1

SHA1
6c4eda6061f7a7b9e05f439540fa26c261996fbe

SHA256
73943cf1ab8eff323e097bee9c52083255ee6e53b9abbeb193aa09fce212fa24

SHA512
f2d0a9e79d038ae1d00e6f4c08c3cf41af3e81ea8955e73052f89c4370027ba795080c867019497842a337f049d0112d8dd6c3f1bf5db8659d5f8428023128e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\styles__ltr[1].css

Filesize
76KB

MD5
a9a4c0df287886862263d8af0a6e096e

SHA1
4aeb13637cff035bb7cc47aaa42d61f306e0e474

SHA256
ad68a177a2d52e736095a6b7431fbfca3f840d66a1ea67090b55c5f90722b067

SHA512
a9605e4b740e3841366ecfb2ee8b44469057009279d8bd6b6455af13bd5863dc130a65c740b465e20e060a3cae4d74ef7b4da860ed144b89131c5406bf12cbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\api[1].js

Filesize
870B

MD5
9a90c06ffab392f11cda0b80188775a8

SHA1
395386715f54948ab58be5ad918b494b1ab86156

SHA256
ef7a5d110fd5a78289d4f71807784696ef0625efca97453caa6f3051e74a4c6b

SHA512
e40292115e00e2e652be3de796da6e860f99901d58adbd543edcc281e80fbee45ba35cb6b436cd5f7bd654eee8ce722a8f5fc41c6a40478f77bd2d6fb44f5780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\xvnkv013T9iQERax3LRLfLP-YGjo9lA-elXqPIIu0pM[1].js

Filesize
25KB

MD5
d735f7826775631410df2363ec8ea7fb

SHA1
72622ae88b15219ad1b00c72b48e13b2dd10e6ec

SHA256
c6f9e4bf4d774fd8901116b1dcb44b7cb3fe6068e8f6503e7a55ea3c822ed293

SHA512
b4fda11a5e56e7d1344a38bcd0d086b366258c751f18de79147e763f848cb4fbc76720b211913be2d25163a77bd505d918780a7dc089e976069d12a68701db2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\recaptcha__en[1].js

Filesize
545KB

MD5
1f233ff2deeaaacc3c11614068d6f46d

SHA1
6ab5f0fb0ada1228ef529e3d48961c36fbc21424

SHA256
dc987654372c681461a1ab9e9835fc0006367829e3f0cdccee51081109d7868f

SHA512
a44c564ba2ff696762dd9a9f05f38dbb839a594989bcae5c402222ae6d9a17a29942c99df9c473f043e928f98bdabb62299bb192613c72d5d5b3efde7dd36c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab89FA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MALWAR~1\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
1KB

MD5
fadc915ee9da82445439eead685af76d

SHA1
05ba94fe7353702d08082f71d551f4de3f81093e

SHA256
ebf1d05c8996abee44608f853d170e912e05db1aed3447edbd65b5a3d4099773

SHA512
63eb75722c28dfd4397b9596e4bdbf17566f59e31d3387d142949222012d1cc5c9d0ba0d4c34ef96d1c6a4e3c44a94f2d680276356b65e9f0d493c6941df07cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar89FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7LABL58D.txt

Filesize
123B

MD5
0840aa791e68fdb1f49c68f489c743af

SHA1
15f89302d44d32934d5f604f49c96fb9b92715bb

SHA256
b5cbc525382a56fcb8aaf5cb63b5aa88937144dfb559d9cb5ef4d75464bea762

SHA512
9b077b1e5b20b957e914d5ac06a63e61a377aad1e7d941b72714fa3495815f07a88fa185d3674e02912667d0f001bfabda4ee6689220c40eec76ee10c87df7aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OUR1LF0K.txt

Filesize
124B

MD5
522b77e76f727b8754ba3e213899ca0c

SHA1
98a5511cdde98d27a521d93d2db52a218fb6d560

SHA256
19a634241c6dd210d94312cea2a4e784fa929d5f69dc8a1bd21899c8b42268a4

SHA512
53164562a536d01b14798da08e2f42ccf440158751997573c446b499ec0f817c41704db3dda99ce17dbe7ad7d28b575aa7378ddd84b7959ff2811e2887b830ae

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2796-167-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download