Analysis

max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2023 22:45

Static task: static1
Behavioral task: behavioral1
Sample: MEMZ 3.0/MEMZ.bat
Resource: win7-20230220-en

General

Target: MEMZ 3.0/MEMZ.bat
Size: 12KB
MD5: 13a43c26bb98449fd82d2a552877013a
SHA1: 71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256: 5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512: 602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP: 384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Malware Config
Signatures

Executes dropped EXE 7 IoCs
Processes:
pid    process
1472   MEMZ.exe
1760   MEMZ.exe
1184   MEMZ.exe
1408   MEMZ.exe
1220   MEMZ.exe
1512   MEMZ.exe
1488   MEMZ.exe

Loads dropped DLL 1 IoCs
Processes:
pid    process
1472   MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description                     ioc                  process
File opened for modification    \??\PhysicalDrive0   MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs regedit.exe 1 IoCs
Processes:
pid    process
1908   regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid    process
1472   MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    process
1760   MEMZ.exe
1184   MEMZ.exe
1512   MEMZ.exe
1220   MEMZ.exe
1408   MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
1052   taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description                          pid    process
Token: 33                            1096   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege    1096   AUDIODG.EXE
Token: 33                            1096   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege    1096   AUDIODG.EXE
Token: SeDebugPrivilege              1052   taskmgr.exe

Suspicious use of FindShellTrayWindow 22 IoCs
Processes:
pid    process
1108   cscript.exe
1508   iexplore.exe
1052   taskmgr.exe

Suspicious use of SendNotifyMessage 20 IoCs
Processes:
pid    process
1052   taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid    process
1508   iexplore.exe
1608   IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs
Processes:
description                         pid    process        target process
PID 816 wrote to memory of 1108     816    cmd.exe        cscript.exe
PID 816 wrote to memory of 1472     816    cmd.exe        MEMZ.exe
PID 1472 wrote to memory of 1760    1472   MEMZ.exe       MEMZ.exe
PID 1472 wrote to memory of 1408    1472   MEMZ.exe       MEMZ.exe
PID 1472 wrote to memory of 1184    1472   MEMZ.exe       MEMZ.exe
PID 1472 wrote to memory of 1220    1472   MEMZ.exe       MEMZ.exe
PID 1472 wrote to memory of 1512    1472   MEMZ.exe       MEMZ.exe
PID 1472 wrote to memory of 1488    1472   MEMZ.exe       MEMZ.exe
PID 1488 wrote to memory of 548     1488   MEMZ.exe       notepad.exe
PID 1488 wrote to memory of 1908    1488   MEMZ.exe       regedit.exe
PID 1508 wrote to memory of 1608    1508   iexplore.exe   IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cscript.exe
    Command line: cscript x.js
    - Suspicious use of FindShellTrayWindow

  C:\Users\Admin\AppData\Roaming\MEMZ.exe
    Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\notepad.exe
        Command line: "C:\Windows\System32\notepad.exe" \note.txt

      C:\Windows\SysWOW64\regedit.exe
        Command line: "C:\Windows\System32\regedit.exe"
        - Runs regedit.exe

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x488
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads