2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

13-02-2025 01:26

250213-btppra1pcz 10

17-01-2025 20:14

17-01-2025 20:12

17-01-2025 17:25

17-01-2025 17:21

17-01-2025 14:16

17-01-2025 14:12

16-01-2025 12:52

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
344	MEMZ.exe
1620	MEMZ.exe
2188	MEMZ.exe
1212	MEMZ.exe
2524	MEMZ.exe
1244	MEMZ.exe
2464	MEMZ.exe

Loads dropped DLL 1 IoCs

pid	Process
344	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443306756"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000446e8adde2a11f4286dc84810b7cc7b600000000020000000000106600000001000020000000cb2ea077e50fe35adc1a3bfa8e49b636f5c6cb6bc7958d43629ee0f942c1180c000000000e8000000002000020000000464039956b0a2550448d61296a192b97de8f4aa6bb5ff82b9136d09f7b30f79f2000000000289b54a6b42aff81170863a5bb1d7d021b017ebdb4bd79267f02200a407191400000002e6519dd3b097bae2b111128909b3ee521a1fbdd9b18cf8c99a331e423185ca661722209742dbcb5386e65edf800c241c69de330e5b5c6698bba7568fa08c604	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0767e851c69db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B3543241-D50F-11EF-94A5-465533733A50} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000446e8adde2a11f4286dc84810b7cc7b600000000020000000000106600000001000020000000f74b8a09af15b4c0436ea70d661d6f0edb4f53a53895ac3cc752fec3721fec6d000000000e80000000020000200000004fb08fd352cfa3d3b9f7902c396d8b0deb738f3fba72e1fddb25e9c4d655d78b90000000008b892944c4d29cea6619fce5dfb368b0266f198dfe4a02022aab56330d3c5e91e0d3b6c4f97fc10e237344558bad467019e616fc06772e1ab2e02607ebdaf5a6e55cb8bf929a378a3fc846ae88afee6d8ed19df8b81655498b0a3ffe592f6314e6da645c8e809ee55b6cf466e999aa8ee3ca33ae73465729726a69c7b66c9f0c110123a60e0d402688eed857433dae4000000012b80c8f2aa1e12b052e2e4cfd7cebf8249dcdcac9ecd3a8d8006c1b1cd8485177b22a6e555f611c0a5408a4aebd7f9920d34ff81e398e2a542bf0d689027759	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
344	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	MEMZ.exe
2188	MEMZ.exe
2524	MEMZ.exe
1212	MEMZ.exe
1620	MEMZ.exe
2524	MEMZ.exe
1620	MEMZ.exe
2188	MEMZ.exe
1244	MEMZ.exe
1212	MEMZ.exe
1212	MEMZ.exe
2524	MEMZ.exe
1620	MEMZ.exe
2188	MEMZ.exe
1244	MEMZ.exe
2524	MEMZ.exe
2188	MEMZ.exe
1244	MEMZ.exe
1212	MEMZ.exe
1620	MEMZ.exe
2524	MEMZ.exe
2188	MEMZ.exe
1244	MEMZ.exe
1212	MEMZ.exe
1620	MEMZ.exe
2188	MEMZ.exe
1212	MEMZ.exe
2524	MEMZ.exe
1620	MEMZ.exe
1244	MEMZ.exe
1244	MEMZ.exe
2524	MEMZ.exe
1212	MEMZ.exe
2188	MEMZ.exe
1620	MEMZ.exe
2524	MEMZ.exe
2188	MEMZ.exe
1244	MEMZ.exe
1212	MEMZ.exe
1620	MEMZ.exe
2524	MEMZ.exe
2188	MEMZ.exe
1244	MEMZ.exe
1620	MEMZ.exe
1212	MEMZ.exe
2188	MEMZ.exe
1620	MEMZ.exe
2524	MEMZ.exe
1212	MEMZ.exe
1244	MEMZ.exe
2188	MEMZ.exe
2524	MEMZ.exe
1244	MEMZ.exe
1620	MEMZ.exe
1212	MEMZ.exe
1620	MEMZ.exe
2524	MEMZ.exe
1244	MEMZ.exe
2188	MEMZ.exe
1212	MEMZ.exe
2188	MEMZ.exe
2524	MEMZ.exe
1620	MEMZ.exe
1244	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2388	AUDIODG.EXE
Token: 33	2388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2388	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2808	cscript.exe
340	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
340	iexplore.exe
340	iexplore.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2808	2840	cmd.exe	31
PID 2840 wrote to memory of 2808	2840	cmd.exe	31
PID 2840 wrote to memory of 2808	2840	cmd.exe	31
PID 2840 wrote to memory of 344	2840	cmd.exe	32
PID 2840 wrote to memory of 344	2840	cmd.exe	32
PID 2840 wrote to memory of 344	2840	cmd.exe	32
PID 2840 wrote to memory of 344	2840	cmd.exe	32
PID 344 wrote to memory of 1620	344	MEMZ.exe	33
PID 344 wrote to memory of 1620	344	MEMZ.exe	33
PID 344 wrote to memory of 1620	344	MEMZ.exe	33
PID 344 wrote to memory of 1620	344	MEMZ.exe	33
PID 344 wrote to memory of 2188	344	MEMZ.exe	34
PID 344 wrote to memory of 2188	344	MEMZ.exe	34
PID 344 wrote to memory of 2188	344	MEMZ.exe	34
PID 344 wrote to memory of 2188	344	MEMZ.exe	34
PID 344 wrote to memory of 1212	344	MEMZ.exe	35
PID 344 wrote to memory of 1212	344	MEMZ.exe	35
PID 344 wrote to memory of 1212	344	MEMZ.exe	35
PID 344 wrote to memory of 1212	344	MEMZ.exe	35
PID 344 wrote to memory of 2524	344	MEMZ.exe	36
PID 344 wrote to memory of 2524	344	MEMZ.exe	36
PID 344 wrote to memory of 2524	344	MEMZ.exe	36
PID 344 wrote to memory of 2524	344	MEMZ.exe	36
PID 344 wrote to memory of 1244	344	MEMZ.exe	37
PID 344 wrote to memory of 1244	344	MEMZ.exe	37
PID 344 wrote to memory of 1244	344	MEMZ.exe	37
PID 344 wrote to memory of 1244	344	MEMZ.exe	37
PID 344 wrote to memory of 2464	344	MEMZ.exe	38
PID 344 wrote to memory of 2464	344	MEMZ.exe	38
PID 344 wrote to memory of 2464	344	MEMZ.exe	38
PID 344 wrote to memory of 2464	344	MEMZ.exe	38
PID 2464 wrote to memory of 1616	2464	MEMZ.exe	39
PID 2464 wrote to memory of 1616	2464	MEMZ.exe	39
PID 2464 wrote to memory of 1616	2464	MEMZ.exe	39
PID 2464 wrote to memory of 1616	2464	MEMZ.exe	39
PID 2464 wrote to memory of 1652	2464	MEMZ.exe	40
PID 2464 wrote to memory of 1652	2464	MEMZ.exe	40
PID 2464 wrote to memory of 1652	2464	MEMZ.exe	40
PID 2464 wrote to memory of 1652	2464	MEMZ.exe	40
PID 2464 wrote to memory of 340	2464	MEMZ.exe	43
PID 2464 wrote to memory of 340	2464	MEMZ.exe	43
PID 2464 wrote to memory of 340	2464	MEMZ.exe	43
PID 2464 wrote to memory of 340	2464	MEMZ.exe	43
PID 340 wrote to memory of 2532	340	iexplore.exe	44
PID 340 wrote to memory of 2532	340	iexplore.exe	44
PID 340 wrote to memory of 2532	340	iexplore.exe	44
PID 340 wrote to memory of 2532	340	iexplore.exe	44
PID 340 wrote to memory of 924	340	iexplore.exe	46
PID 340 wrote to memory of 924	340	iexplore.exe	46
PID 340 wrote to memory of 924	340	iexplore.exe	46
PID 340 wrote to memory of 924	340	iexplore.exe	46
PID 340 wrote to memory of 2316	340	iexplore.exe	47
PID 340 wrote to memory of 2316	340	iexplore.exe	47
PID 340 wrote to memory of 2316	340	iexplore.exe	47
PID 340 wrote to memory of 2316	340	iexplore.exe	47
PID 2464 wrote to memory of 1884	2464	MEMZ.exe	48
PID 2464 wrote to memory of 1884	2464	MEMZ.exe	48
PID 2464 wrote to memory of 1884	2464	MEMZ.exe	48
PID 2464 wrote to memory of 1884	2464	MEMZ.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2808
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1620
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2188
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1212
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2524
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:1616
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+create+your+own+ransomware
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2532
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:472073 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:924
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:668692 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2316
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
dc5d561c7f4e7cc8f6c8424fb39f02a5

SHA1
5943ef27c0321c815ffd974bbe6d1f566b20c59a

SHA256
9df4a9ca0612aa448e673f536e6937cedea7c6d5bcac77bcb41f953aaccc8e77

SHA512
5e216f7cf280472c2d6158218978594807d923f7db68a1ba9ddc4db7f42891080c4bdec2b937d2c056ceca1a727a35e5bae879bdf55eaf03b79fd68c26421038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
349a5442591cdd239c9e9e22190bf0cf

SHA1
406a2dfb6d727b8f4a5031503659b4f15a5b56e8

SHA256
70ad939122bd78a771db315f174b810ce41f989194bf67b23617a02676196ba1

SHA512
cd7a365df445bf884f3479ef47877c776204863ec9221c711995954bc02471dc8f515ab4461cba07c459044ee6f1bc095e3d934aebeedb0c26fe9667a88c3018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
705dc4c83f0b868cc15f27af565d748f

SHA1
bfaacf5846285ddfb731aac48b8ca9019abd7901

SHA256
05f6e8803bddc3439a22826214b89ffc2fca68b1091fa76d586c26246825bc0b

SHA512
7df17bb53a39a076b532e7d215e07fe0ab55a77c1bb1a576657862b7e84ae13df41b3a208e3f9ccae399b123628e6e0a040962aea330ef8de619de6cfdc9ec90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
07446384ecafa112a24c44c13000b67b

SHA1
86fb7347989d2a9df7393582d27a7c051f4ab66b

SHA256
3d8359ff533a793b6ca63c3712170b47e8c155d5847da54de6787b0d292dd0e0

SHA512
36d139358322c3a3105b41e1fb3c01f3ed50d43ac07327755b532ff041605e152a6a4c12bdcc1971bfc33b45fe554bd3d3e18c3f24b89b3b233a4704a4753e2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a197b8c9f7598e64312a6cf67bc0ae09

SHA1
5c7e151526ee1f8e33737e6459360f33cd66f2e4

SHA256
2d4693bde3ffa7076fe97f7ad691cbbe4d7dfd588c3ec1246d59df82f7d544ed

SHA512
93cf42682f104706b1b920d9e001e01675c40e6f305ee8818b51c08dd250b9e93e51ff3d8d85316658e03e4e9bb0f46eb255d99b95c877e857c6fd079f058e40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
e341c9f4933c3d28449124fd57ae0d61

SHA1
5ce63446674c2e6e6675557d359e13832109fa1f

SHA256
2b9a4c7b6c00f4a999e8a3651672fba879b9cf562a38509f3c53578ee83234fb

SHA512
627fefb1f546842b06efa16c4462a750f0fe4c72cb52b7cf50c94a5962c7f4e9c83710dbca7d1efede6a1ea04c2178cd4107317861a014dfdb79b583f92f0b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6d231b2b941ec0bd2c8c1becd131598

SHA1
5551f9290fe98b5f0ea75ddfd26284f1eab73249

SHA256
9fb8ab10080de38043f249f4d3fcf114d1b47ec6db38d04dbda49db919f28875

SHA512
59b1d18c3c2420ec531e1fda42dc09d8614418ecd33caef41c9552c5a7faee09f1296f2721dfaae6163cf66f07b981ef68deb6862b456e28aebcecc6b73779af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65526bb0588e3110b1ad050e7e008b33

SHA1
ec0d1703534e11fe97cdc5ade16a61794c0025a5

SHA256
6a360b6836652b085286143cf765e62e731f371d1a85b5683ca291ae47a794de

SHA512
ef8df5f6f5c64781a8baa13302ff6d7a98139c6f99bb0ac7f1b3157ad6e39fa566eb52775b0347c3fa89505149960420eff3ec0698f4b8bd64297ac092451b1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c144441271e5c00d286e27a74ba91d2

SHA1
8b5c196e529e5566ba6de2fee6ea28567d44a892

SHA256
1aca6efeee294cffb83c9d5ca0731360da4003b6b899022b2e3e415cf4234d3e

SHA512
8c65b395b55c617e35d8fc5439873ca196f56910f5c282d981e864cc2397b911eaf92c5eaf69d516127ab7c4f685b251da118a35546cdc32d23f595277d64afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3d7c5f083b83c5d685a7e824d1491b8

SHA1
0dc758fa472cc897f8c9d8dcf3ef6b1e6940d606

SHA256
540d7b7d0f7682e64f056aca78f56a1b49f1f3b8734677def8baf86725d898ee

SHA512
619b7cae0c39e3a445906e058e5282e65c8a14aae1c4820e47a379ee0be98459d04e15960d65f9dd245db3bc9efa49d6e64a8a44a6351237e4156be0119347e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34b92eb8577f53c2326d8bb2ca8a4e29

SHA1
7b5aaa88954da184fd1e8a3fde4894917ae45502

SHA256
3487ef80a0099a6e94d38badc310bae33e18e740bf8fd7c0ad48b894c46e5f11

SHA512
9c40944807035a6b76528df54d45e07525c3be1b82af27016b14a0c80a1e3fc3f4dbd8daef3e864912957b4a50059964bf670f611d6132873ddb1a07dd14910f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e633a7ab270d6ed0b951fb2b487458d

SHA1
2cb568fa0c08969ed75b9aa786aa0381e392c07c

SHA256
dc67ea95b3e17378c1f15da53c600e94bbf99dc8194f62fe4c95bb5bb076331a

SHA512
f1f642107a9086e65c988897986cf4ed6c2bb3738c9c130c1ffe3eea25840f7f87cdaea6769f5135970c73346e6e5e7f2e8e7cf08b1cd84de0abe1466c870295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6f99c2c1b7c05c4b59f0d016de4f3ed

SHA1
275c484a2847fc8afb115d4108d292b8036c70da

SHA256
9a35bf2b54ebb5da082e5e32cfbfde52082524c0dab2a58b1274e451b90922bd

SHA512
3d669beabbad53c157b780d4931df3a3fd03ce48a2f1eb16129f084309c00968a8e57e76779c0fe4895219fa2cd8953a4752f5b5c3900f97389c6831e305e795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
516090ed31394e2da5a29aeda6af68c4

SHA1
cc7297650be669dd6378087e469326fcbef67361

SHA256
ef411ba0b3e520ccd843a97d3599242e87d90301d199cb999089b87d9cff6a1b

SHA512
0733be9c4060ee167b32d644755164da5143a97cebb64c009af9e890524aa46f4cc353f9f161c9f364931a8ab628312242d4f58579af7e84d7ea46fa318feda4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4715b5c7407b9f45d3d5bfdad0927e6f

SHA1
32f9c37a0ad40ecc496a7f0b1d0cba6f963e5caa

SHA256
6267c0bece497450ce4aa0286b93b20f9fd076d72a286e94904fc39e32a3385e

SHA512
dd50bd75c3df24803b49ad3eb95eb74889c9fa18164a4ad9298ae7414fe18f1923daa886c22c11409694cdefb0b8e581c0b00659dbc1208988335ea892658906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e06a5d81707c4703337c1edbc69315d0

SHA1
1efb31b51d538ccf467447626eca37c69d6b745e

SHA256
1060ed59b3facf557a2edd46810ebd311347c73100797d756afb0886a8589eff

SHA512
b7e55826852840834d9f074ac3b1fa13fc4348641e40902ded99bd34b9caed9a883d617038ab5a489d5f8635b1c150765c7095fd2f7c9d609c06bff130e22c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59f421e7bd25de73321069f778d68077

SHA1
802fe5aef8a676136f762feb1b678a92caf4ac3b

SHA256
052783b4ff04660b7accd88dbe0306017b875dc7d7d010806bde0fa5139bb826

SHA512
c7cc20853a851f4ce330da8b24b5501854a95fd74288e3dbcc018d3cf762aca34dc9f28b270758200b4b1c02a7af76926e17ea0d6f490a582bb32595ff6068ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5d4d7f65a5eda65341afe3efb870821

SHA1
793ade040737a24e1272d8c716753b697f3da16c

SHA256
893857a41986511c6e271b2938d6da8bd12d0da9f109fc5c858d94b3266fdc10

SHA512
bbca22b20a4d542cdaa70c6f81bf16af34e614c14b9667c9aa65a179a6bfd6f8e50ac9d6a7cb1c21ebb23c06c9acb00470f32c7ec39198566428b1803b1942bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b1d3cdf6c479b6d63612dff1dab5adc

SHA1
68463bd8a58a81248eeca5807459d8a0b16229a1

SHA256
83435efef3fdbf4b55b10bdb49dfbde54bdc96561f44de7691fe62d9f7f171d3

SHA512
9de97a7b478f9722e5d47340a0817bd270d463e1dd9f0788fa6872b0e31b3ebde858d15a1a28c0dec6537bd71c67a332c33a4383d0880961965b691cce297d34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0756778be79468e52d983f675b664a3

SHA1
dbc91a045530c5b219aef5e56d01e219c7bccb05

SHA256
8f649e147f660f467b1617f610ab91876cfdc1e59a2003ad7193e8834e1d67a1

SHA512
825d479b3dbcd731de5e3992688b85bde32b66ec16d3ecfd68c4bab8676e18babb133f5359d46bcca417469622a340f70f02e3ff9de8a1dc9f768e3605ff7e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab945ebad4dffef77dcffc5468a7ceca

SHA1
9ee4a2050087e9627bb753b777d7770ce4773edd

SHA256
709bf0eb54241a1bef30d6996e0fb646fae35c198fe79fe0c0f99e0179307046

SHA512
46cd98d1df607a6aaf8f9359a7f0f2f9b827121a7cbe1e499819dd772d3eaf5475b9638372e22b655c3e5414e4ce52dcde85b39dffad57ccf677d2fa9be7ffbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b21e2cba632b687ac57c784a00357260

SHA1
73142dcd222e29ddd04a260e1da8e689852c6260

SHA256
f186457946bfba7db91e8143b229bf9e29f485c3680788de23690e1543002901

SHA512
97a485f5e70a2609acf04d574b5144fe423df8779cb8892e30db5b213296f2c317dc85f3ff03b7244441f63f87e2889f2f7d0393a13692e33b42237a1107a710

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
068c826e61167d87a43d5428ee7b61a0

SHA1
98ae1c4e36750da63e5842d77a181f60edf33b25

SHA256
444bdc1cc25d8877bdf18de820d764cbbd68711ff125d54405069d9ab65b148a

SHA512
ed8e301ba943e07b51e1b88bfedfabf7c14a7074797e67e0f7dd1d2d19bb62f614fc466411f1e163c9239c79b57ca4ac677095df825d7ce78427f49e59956ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fc3382b2e8f03682f1c66f5975781a4

SHA1
771f3fcf6ae6d305a6f9351ae42f0fa14ba26693

SHA256
dec8725db7d457354c16126ae4cbaa461920b59e3edbf78c6697bb4d7a000a15

SHA512
400d4b939f4948bcd764afa84757cb7822f753e346cc36018a294a7274a3e96ae6c610d289569f242f2c5c1d85a224d28f76d0fc9954be0ec6dbdf7d23ede693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b837cf3886b09792a283e478d9a6251a

SHA1
96b6bf2cdf0a8f480a71734646652976763ba205

SHA256
e463d682bb81b52e9003d0164452474549cffa645b82cd9df9180baec30f9d44

SHA512
df1db5c6eab66600aa7ac8c5865256f2807970c7cc10d39ad4b741af91e28af34f480a96ca407e9433ccf7e0b10da527e06f3a10d900a073c63ae8c3f9074d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\R2FN7SRI\www.google[1].xml

Filesize
99B

MD5
dd69559aa7d3e6535d916685b4e86b6a

SHA1
5817ff2f87e4fc51d8023bc9cb62b205ea8c7bb0

SHA256
f1e5e6ac59e9a8377c4c4799dcd88c1b357cdcabdb39c5fedf5ae0313883a542

SHA512
4f991130ed0966062571bba6a9f01a83c964972f6f0c19b840af482305a2b19b5f971b40495ae093b6864c08298472cffc5cbddfbe0680df8e2d138bcf1971bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

Filesize
5KB

MD5
c614d41cd5e01b85ecedeceb04915126

SHA1
fb6f4de6830637a5ea14a24de1324f564ae8c65f

SHA256
4454bc33be47a8cd55a77bc9cfbc4c4e77acb8ab1af8a3b8624d9a15f979ae90

SHA512
b859ecbd7bcbd59137b58cc322eae4d000bdc67558100fc79e26115f6c4f40c4e8cd64840542675b4b5becaf76c7ea617bf5a66c61562eefd1b36149e2187426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\api[1].js

Filesize
870B

MD5
9a90c06ffab392f11cda0b80188775a8

SHA1
395386715f54948ab58be5ad918b494b1ab86156

SHA256
ef7a5d110fd5a78289d4f71807784696ef0625efca97453caa6f3051e74a4c6b

SHA512
e40292115e00e2e652be3de796da6e860f99901d58adbd543edcc281e80fbee45ba35cb6b436cd5f7bd654eee8ce722a8f5fc41c6a40478f77bd2d6fb44f5780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\xvnkv013T9iQERax3LRLfLP-YGjo9lA-elXqPIIu0pM[1].js

Filesize
25KB

MD5
d735f7826775631410df2363ec8ea7fb

SHA1
72622ae88b15219ad1b00c72b48e13b2dd10e6ec

SHA256
c6f9e4bf4d774fd8901116b1dcb44b7cb3fe6068e8f6503e7a55ea3c822ed293

SHA512
b4fda11a5e56e7d1344a38bcd0d086b366258c751f18de79147e763f848cb4fbc76720b211913be2d25163a77bd505d918780a7dc089e976069d12a68701db2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\styles__ltr[1].css

Filesize
76KB

MD5
a9a4c0df287886862263d8af0a6e096e

SHA1
4aeb13637cff035bb7cc47aaa42d61f306e0e474

SHA256
ad68a177a2d52e736095a6b7431fbfca3f840d66a1ea67090b55c5f90722b067

SHA512
a9605e4b740e3841366ecfb2ee8b44469057009279d8bd6b6455af13bd5863dc130a65c740b465e20e060a3cae4d74ef7b4da860ed144b89131c5406bf12cbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\recaptcha__en[1].js

Filesize
545KB

MD5
1f233ff2deeaaacc3c11614068d6f46d

SHA1
6ab5f0fb0ada1228ef529e3d48961c36fbc21424

SHA256
dc987654372c681461a1ab9e9835fc0006367829e3f0cdccee51081109d7868f

SHA512
a44c564ba2ff696762dd9a9f05f38dbb839a594989bcae5c402222ae6d9a17a29942c99df9c473f043e928f98bdabb62299bb192613c72d5d5b3efde7dd36c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\webworker[1].js

Filesize
102B

MD5
dcf0dd9e2a4c0015bd80ce993ac84ff1

SHA1
6c4eda6061f7a7b9e05f439540fa26c261996fbe

SHA256
73943cf1ab8eff323e097bee9c52083255ee6e53b9abbeb193aa09fce212fa24

SHA512
f2d0a9e79d038ae1d00e6f4c08c3cf41af3e81ea8955e73052f89c4370027ba795080c867019497842a337f049d0112d8dd6c3f1bf5db8659d5f8428023128e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39C8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MALWAR~1\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
1KB

MD5
43890585f6c2fec2ba657f6fdf7ab452

SHA1
21fd60c3a806b98f34da9b07624547c9e25da2e6

SHA256
5d7a84a052bc96934bff8062446dc7628fc5705e3881ac96a67ed114a37370ce

SHA512
239cd36c3ddcbfc64bdd7909e52ead31fbd70baeeda39a70c42417c3fb46884d85d62ff63edc90ae66fd92bc1a2a3f75acc82d20afde3edf571d3bf4df359799

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\22JADECT.txt

Filesize
124B

MD5
eede3f8ea89fbbec7ee1291356cc054a

SHA1
6c3e13228068917302f61ef9fa8a272a85c6f208

SHA256
1337ecd19509e098ca4d8d7aeb0bc4e6acd0f1aef4e0141fe23faf2b145483ec

SHA512
cff5ed488171973ea6f3c122af810ad67a34bc2c39050e1f76470f1050e0cbe05ff82d64da1344487406984c09f8d10bed2a1a42e11ef8d4941e3e508d98f189

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2808-167-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download