1aec273004c1804ca7491860677c80fa6405ce0ec8843d1ffffbf5ff1f2f6c93

Analysis

max time kernel
152s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gemini.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

1856 MEMZ.exe
1252 MEMZ.exe
776 MEMZ.exe
1164 MEMZ.exe
468 MEMZ.exe
1224 MEMZ.exe
1860 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

MEMZ.exe

pid process

1856 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1856	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1860	MEMZ.exe

pid	process
1856	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28A4CA61-DBA2-11EC-8E39-DE95627D9645} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000090f30f07abd42f4156dac7c23acbccab26715bce69a744e881069833ae1ad7e1000000000e8000000002000020000000580a1188f8f0753795282e97488f5d6ff6d4e582a72f903679dbe0eec61896ee20000000e960b32bd31d4a16916c334ce37c32db6116d6417e27ff7ff2c71d37ab80cd6940000000d1f5d56de3ad55d9c28f9026f3b40aad81334f3bfc51dd68a0d2bc71242060f35b0b49636344a13cbeaef921ba0a56f7590deca67598dbd7968878f13ac20d24	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09d8711af6fd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000030bda35401a1c1ac52e683bdb12bddf0d5ecf5b0541bb85d3434730051fc99f8000000000e8000000002000020000000c88ad883a1019c6c307ba7aa0d4cbe39ee489dc1094188258067aaac6d123d7d9000000015eee75464f45263c14e351c674f973c221be484a1b77e1deec30b5aa5101a33ea9cf2a1df0ad4a29dfc4d3e67faa55d40dbd4ef4ded83f8f615f6e2991a938a3576aa4d60d4bdaf0d7bd244fa1088ce24444c47e148ce06e4f3c4d5dcf3646d003cfc38384bfa4c6e3e59fb2103b96ba9e1d3f0f8dfd2149e7a98aeec727a4aff7175ddb67cf195bd77735ed4a086c040000000e06d3ebf9a6d7d17447a49169b8b9b5b9024e3a60ef7f1a3677094e8f3d7de493285285f44b854404d600316f3d495e0890a1ee498bfff8c66dcc7e9dfc23838	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360189984"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

1856 MEMZ.exe

pid	process
1856	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
1224	MEMZ.exe
468	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
1224	MEMZ.exe
468	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe
1224	MEMZ.exe
1252	MEMZ.exe
776	MEMZ.exe
1164	MEMZ.exe
468	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	972	AUDIODG.EXE
Token: 33	972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	972	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

cscript.exeiexplore.exe

pid process

1944 cscript.exe
1296 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1296 iexplore.exe
1296 iexplore.exe
1276 IEXPLORE.EXE
1276 IEXPLORE.EXE
1276 IEXPLORE.EXE
1276 IEXPLORE.EXE

pid	process
1944	cscript.exe
1296	iexplore.exe

pid	process
1296	iexplore.exe
1296	iexplore.exe
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1708 wrote to memory of 1944	1708	cmd.exe	cscript.exe
PID 1708 wrote to memory of 1944	1708	cmd.exe	cscript.exe
PID 1708 wrote to memory of 1944	1708	cmd.exe	cscript.exe
PID 1708 wrote to memory of 1856	1708	cmd.exe	MEMZ.exe
PID 1708 wrote to memory of 1856	1708	cmd.exe	MEMZ.exe
PID 1708 wrote to memory of 1856	1708	cmd.exe	MEMZ.exe
PID 1708 wrote to memory of 1856	1708	cmd.exe	MEMZ.exe
PID 1856 wrote to memory of 1252	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1252	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1252	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1252	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 776	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 776	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 776	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 776	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1164	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1164	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1164	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1164	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 468	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 468	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 468	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 468	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1224	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1224	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1224	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1224	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1860	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1860	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1860	1856	MEMZ.exe	MEMZ.exe
PID 1856 wrote to memory of 1860	1856	MEMZ.exe	MEMZ.exe
PID 1860 wrote to memory of 1604	1860	MEMZ.exe	notepad.exe
PID 1860 wrote to memory of 1604	1860	MEMZ.exe	notepad.exe
PID 1860 wrote to memory of 1604	1860	MEMZ.exe	notepad.exe
PID 1860 wrote to memory of 1604	1860	MEMZ.exe	notepad.exe
PID 1860 wrote to memory of 1296	1860	MEMZ.exe	iexplore.exe
PID 1860 wrote to memory of 1296	1860	MEMZ.exe	iexplore.exe
PID 1860 wrote to memory of 1296	1860	MEMZ.exe	iexplore.exe
PID 1860 wrote to memory of 1296	1860	MEMZ.exe	iexplore.exe
PID 1296 wrote to memory of 1276	1296	iexplore.exe	IEXPLORE.EXE
PID 1296 wrote to memory of 1276	1296	iexplore.exe	IEXPLORE.EXE
PID 1296 wrote to memory of 1276	1296	iexplore.exe	IEXPLORE.EXE
PID 1296 wrote to memory of 1276	1296	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Gemini.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:1944

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:776

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=stanky+danky+maymays
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
922afbcf312304718896819074ddcbd0

SHA1
104713293562de30c264153e8219790b6bec6176

SHA256
1d97ee580ab7cc93a5c91ce31af7b80adc6a96c51c3cdf05cf11d59ed203a274

SHA512
caf5e4325ae0292fa765ee8988e109048dedf329852817054075b5b282dfb12fe8134a3867887ce14312fe2a13cccc6c9e6a3f63a65aeb880a0bf9ae248359f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat
Filesize
9KB

MD5
4f1b83ebb3a80790d1ec18e59d8f22bd

SHA1
d5e53ffd7b70c315596f606767a209ad3ba8d206

SHA256
045526d73525d6bc448d651c13f439670dd1e44182e52367a8437021e503c4f6

SHA512
ab3fd453f5746c8e0aae1e81d273c7a4878501bbaabb9f561299cfac5633a977c3cc3404b8d39f3d3c58adcf3ca7883bf4db183e36303a23f21b61eaf37f5195

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.js
Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.zip
Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YPCFS7MA.txt
Filesize
603B

MD5
b3d634c273ca64b09eb535aac32563ec

SHA1
467c396e066af3ec31703149854bb7fb0b9a8ea7

SHA256
fae8f58f26e2c7532ac66f9612a15f7b50acd0f18d52f80e855cacb3688fe4f1

SHA512
c76442ba755fa346995be849dd5455b4a52c07f1ca31ff144d12235bccfa0506f4c18a5e107c73ecfc594d68eb50b5c2575622ed253b8144e1b23b88f7aa09d0

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
memory/468-72-0x0000000000000000-mapping.dmp

Download
memory/776-66-0x0000000000000000-mapping.dmp

Download
memory/1164-69-0x0000000000000000-mapping.dmp

Download
memory/1224-75-0x0000000000000000-mapping.dmp

Download
memory/1252-63-0x0000000000000000-mapping.dmp

Download
memory/1604-82-0x0000000000000000-mapping.dmp

Download
memory/1856-62-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/1856-60-0x0000000000000000-mapping.dmp

Download
memory/1860-79-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x0000000000000000-mapping.dmp

Download
memory/1944-57-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download