5a47c296c6c7678d6e1caf53350581a5b9973241a5f95efe32ece8309ae6a7ba

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

1472 MEMZ.exe
1760 MEMZ.exe
1184 MEMZ.exe
1408 MEMZ.exe
1220 MEMZ.exe
1512 MEMZ.exe
1488 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

MEMZ.exe

pid process

1472 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1472	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1408	MEMZ.exe
1220	MEMZ.exe
1512	MEMZ.exe
1488	MEMZ.exe

pid	process
1472	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CF8092F3-D026-11ED-927D-F2C06CA9A191}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF8092F1-D026-11ED-927D-F2C06CA9A191} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

1908 regedit.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

1472 MEMZ.exe

pid	process
1908	regedit.exe

pid	process
1472	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1760	MEMZ.exe
1184	MEMZ.exe
1512	MEMZ.exe
1220	MEMZ.exe
1408	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1512	MEMZ.exe
1220	MEMZ.exe
1408	MEMZ.exe
1760	MEMZ.exe
1408	MEMZ.exe
1184	MEMZ.exe
1512	MEMZ.exe
1220	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1512	MEMZ.exe
1408	MEMZ.exe
1220	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1220	MEMZ.exe
1408	MEMZ.exe
1512	MEMZ.exe
1760	MEMZ.exe
1512	MEMZ.exe
1184	MEMZ.exe
1220	MEMZ.exe
1408	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1408	MEMZ.exe
1220	MEMZ.exe
1512	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1512	MEMZ.exe
1408	MEMZ.exe
1220	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1220	MEMZ.exe
1512	MEMZ.exe
1408	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1512	MEMZ.exe
1220	MEMZ.exe
1408	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1408	MEMZ.exe
1220	MEMZ.exe
1512	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1512	MEMZ.exe
1408	MEMZ.exe
1220	MEMZ.exe
1760	MEMZ.exe
1184	MEMZ.exe
1220	MEMZ.exe
1408	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1052 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AUDIODG.EXEtaskmgr.exe

description	pid	process
Token: 33	1096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1096	AUDIODG.EXE
Token: 33	1096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1096	AUDIODG.EXE
Token: SeDebugPrivilege	1052	taskmgr.exe

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

cscript.exeiexplore.exetaskmgr.exe

pid	process
1108	cscript.exe
1508	iexplore.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

taskmgr.exe

pid	process
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe
1052	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1508 iexplore.exe
1508 iexplore.exe
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE
1508 iexplore.exe
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE

pid	process
1508	iexplore.exe
1508	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1508	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 816 wrote to memory of 1108	816	cmd.exe	cscript.exe
PID 816 wrote to memory of 1108	816	cmd.exe	cscript.exe
PID 816 wrote to memory of 1108	816	cmd.exe	cscript.exe
PID 816 wrote to memory of 1472	816	cmd.exe	MEMZ.exe
PID 816 wrote to memory of 1472	816	cmd.exe	MEMZ.exe
PID 816 wrote to memory of 1472	816	cmd.exe	MEMZ.exe
PID 816 wrote to memory of 1472	816	cmd.exe	MEMZ.exe
PID 1472 wrote to memory of 1760	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1760	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1760	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1760	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1408	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1408	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1408	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1408	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1184	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1184	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1184	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1184	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1220	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1220	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1220	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1220	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1512	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1512	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1512	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1512	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1488	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1488	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1488	1472	MEMZ.exe	MEMZ.exe
PID 1472 wrote to memory of 1488	1472	MEMZ.exe	MEMZ.exe
PID 1488 wrote to memory of 548	1488	MEMZ.exe	notepad.exe
PID 1488 wrote to memory of 548	1488	MEMZ.exe	notepad.exe
PID 1488 wrote to memory of 548	1488	MEMZ.exe	notepad.exe
PID 1488 wrote to memory of 548	1488	MEMZ.exe	notepad.exe
PID 1488 wrote to memory of 1908	1488	MEMZ.exe	regedit.exe
PID 1488 wrote to memory of 1908	1488	MEMZ.exe	regedit.exe
PID 1488 wrote to memory of 1908	1488	MEMZ.exe	regedit.exe
PID 1488 wrote to memory of 1908	1488	MEMZ.exe	regedit.exe
PID 1508 wrote to memory of 1608	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1608	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1608	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1608	1508	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:1108

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:548

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
4⤵
- Runs regedit.exe
PID:1908

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1712

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2032

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f65ef227fd462cebfd8f414be8894cab

SHA1
956fb24247dd2d0eb3620705ddd995fdef95fed6

SHA256
8e350a0038e8b8c6a3ab7bd5a95e10c5052e04c92439ada76bbbaa20a8225126

SHA512
559d5a49468494c8e9ae2ef78cd2b754583b09c66b18c11ba288d772cc2d677c2a547c3dadfb8b2f8072490e7b5f7e501b7252685af1828470fcc4e8f4a3bc8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b2a37254d3123b277e4903324b0a7ba2

SHA1
ad64b253806312eb0dfc678f18151c94f27b862b

SHA256
cff47a544857f8492a345c14b0fdbb2b51a3d3f5156a576c069c7992afb57b06

SHA512
a894f6dff9bc7fd209b661c11bdeb30c208766dca824d8a45df113e68408eca812e220650d98ed4f54fb0f9b75feffe6e83deaea27852be6b84a92da5ba89297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
05a0dce58c682f1146a8fbf9402f0630

SHA1
e964f456e4af4c108c2deeae3dcce5efeff3d511

SHA256
8347353c7f50801654d331616db1eadd545a9f130bd61c9f0daabe3036f29076

SHA512
c7337832d92735203bd736083c333fec03fe273ccc76aed5713a1fb74cbe5750251e2528a7b6c84792c66d3f1570388465075c573e4d290ac090a03f8321a913

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
27cf7e2498154fac59debceaeb1255db

SHA1
d27880221313d1ea5216fbb4d2c1f5ddec0bf425

SHA256
1ab8b2775b3fb48ac70a8b3190c6bee4716adf3a2027d2dff9dec9f7b00d712c

SHA512
97e1df02449542e84f12e394c273dddb382ab78b083f76615100ac9dd926517c834f5d58ab464f6dc24a9bcc40a1fa62b42ab857710951fe0246105457f9d706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c7ee0e62647b6eaad9a69bdd068116b1

SHA1
012d174a9ec522c2894ef0b68e06bba0d830a77e

SHA256
775b60e5aa55b9629db0353f03919f5647ea1096fdbc51c1c832ea2c51b7e0de

SHA512
52815a8a5fe81ec2055e8a144836eaf8c9ce9ab171373a50f0f1574623892176febdb759e76b7092490e8f1e5d0cdd37b42366f81a9d8b037d47e1cb60b06fb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7d162a2ce4687813020cc485b927223b

SHA1
271405edfe2d1f8a07b2e7599042938e8ef96210

SHA256
5152b46ce200d9017cc1a4a2df443c5d9da120bdf26ac8310ac59595d571d3cf

SHA512
fc470ef8d0c487b661b0f3ffbe3dde81d3f59dac5c860c58e5cc559dac176eaaf8fa3da883c341f05fb71042f5d53052ffc7c9b47887edb47c95b5081e67b3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD50D.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD58D.tmp
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
Filesize
2KB

MD5
ddd82a15678c9e3f78d09e9ebacc3909

SHA1
fd5473fac1812d4e1343ad0fdec2d585b58ebc46

SHA256
c8c9a38c47ff86b09c978272173cf3647b4a9e9ba41c22b4a515ed19a0a6de8a

SHA512
3e6bd7a94c1c38e6009a441b6406526f285d77c57341b2871cf0629dbba59e11cc992f45574fbd555cede972fec9e5b5863c6189b98a7ad04d1fa4f7f07811a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js
Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip
Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD65D.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
memory/1052-712-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1052-713-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download