Overview

overview

7

Static

static

1

MEMZ 3.0/MEMZ.bat

windows10-1703-x64

7

MEMZ 3.0/MEMZ.exe

windows10-1703-x64

7

Analysis

  • max time kernel
    289s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 17:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEMZ 3.0/MEMZ.bat

  • Size

    12KB

  • MD5

    13a43c26bb98449fd82d2a552877013a

  • SHA1

    71eb7dc393ac1f204488e11f5c1eef56f1e746af

  • SHA256

    5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513

  • SHA512

    602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a

  • SSDEEP

    384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\system32\cscript.exe
      cscript x.js
      2⤵
      • Suspicious use of FindShellTrayWindow
      PID:4804
    • C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4696
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4704
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4356
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4364
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3332
      • C:\Users\Admin\AppData\Roaming\MEMZ.exe
        "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3344
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\System32\notepad.exe" \note.txt
          4⤵
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:3204
        • C:\Windows\SysWOW64\regedit.exe
          "C:\Windows\System32\regedit.exe"
          4⤵
          • Runs regedit.exe
          PID:296
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          4⤵
            PID:1608
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\System32\explorer.exe"
            4⤵
              PID:668
            • C:\Windows\SysWOW64\notepad.exe
              "C:\Windows\System32\notepad.exe"
              4⤵
                PID:2832
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
          1⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4160
        • C:\Windows\system32\browser_broker.exe
          C:\Windows\system32\browser_broker.exe -Embedding
          1⤵
          • Modifies Internet Explorer settings
          PID:1660
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3492
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:3012
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4432
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies registry class
          PID:68
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          PID:4536
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x34c
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3688
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies registry class
          PID:4272
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies registry class
          PID:3200
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          PID:2012
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          PID:3488
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
            PID:3920

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Bootkit

          1
          T1067

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
            Filesize

            4KB

            MD5

            f7dcb24540769805e5bb30d193944dce

            SHA1

            e26c583c562293356794937d9e2e6155d15449ee

            SHA256

            6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

            SHA512

            cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\edgecompatviewlist[1].xml
            Filesize

            74KB

            MD5

            d4fc49dc14f63895d997fa4940f24378

            SHA1

            3efb1437a7c5e46034147cbbc8db017c69d02c31

            SHA256

            853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

            SHA512

            cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\MDWA2OEW\favicon[1].ico
            Filesize

            5KB

            MD5

            f3418a443e7d841097c714d69ec4bcb8

            SHA1

            49263695f6b0cdd72f45cf1b775e660fdc36c606

            SHA256

            6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

            SHA512

            82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\PE03ZQZ3\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri
            Filesize

            207KB

            MD5

            e2b88765ee31470114e866d939a8f2c6

            SHA1

            e0a53b8511186ff308a0507b6304fb16cabd4e1f

            SHA256

            523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

            SHA512

            462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CMIYW4OW\search[1].htm
            Filesize

            76KB

            MD5

            77248ad0a8d83e04da4023b9a9435abf

            SHA1

            19b2e942638ad8fedb7543f9b25f4a487c041185

            SHA256

            20c6068b72ec5dc0012624d75aec2ba78a4b22746bd221d09f0daff845087557

            SHA512

            c460ab48c36b3e1346164b4368e6fa276e36acd084e31d058b0b12fed97b205121c672fd107d19465979d24aa9ab5a1ba19731b9441516b80dec77668c03ef3e

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CMIYW4OW\search[2].htm
            Filesize

            89KB

            MD5

            b8949b3038c2889af1b0e333d35534e8

            SHA1

            30442a41c339466231b23ff28490a920967a487d

            SHA256

            68b94562088f850e037bc7607033e885933bea42e53264a0f7c06087844f7cf6

            SHA512

            73e35c501e108c1afc7d31b996885371101fc584333fe0055a8b253ef9f1b21691521af83cce9c98d7da5f676ed5c46466de9714cb68c0d48604d8065de9772d

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
            Filesize

            1KB

            MD5

            a371c997de65fa1d0c1c6e2d862593f7

            SHA1

            2cf4f67996db546829222259c361d0f3f91d8718

            SHA256

            f3e826add98dc2b453bad19a6492b09b9faef9de7651197314ad673583db5458

            SHA512

            b986495e52fa6d9472fcdf7fea433e24a4acc0ff29734455d722e233737de199c2ee32788facb98de681ca4fba985783d736acfb028e0d5b53399687022a6811

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
            Filesize

            724B

            MD5

            f569e1d183b84e8078dc456192127536

            SHA1

            30c537463eed902925300dd07a87d820a713753f

            SHA256

            287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

            SHA512

            49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_3B19E079B02C6E9472149DB847F37EF9
            Filesize

            472B

            MD5

            01dec6104ef463d96442a8770eed9efd

            SHA1

            aa2b574c90a9cf761437a445601672b4d5f44305

            SHA256

            074646cf44812ff410b1e71224bc69214999105760b3bd2f138bf30a2cc5459a

            SHA512

            5b0863303be78dd7604537e003d4237441465995112d2be61f770f6539d6aef47e8f422079e46239c02e0d200d7994fc1081cfc9064dcbfd8b96423c45ef741e

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_5C0FECF3E49EA4DC8292F821F42A2CB1
            Filesize

            472B

            MD5

            fdbc8e153c1bda0b5876b789404a18c4

            SHA1

            fe9e0df803b2f4028f47bf111e6d571730c87f84

            SHA256

            effdec2f1f1dddee58840580382425d98ba3bb1eebc6e0acc8df0fb006cc063f

            SHA512

            14d179f9bd4b7788b9cd123f309c4d096200d0534268ea5b21ebe5925a3317b21516d3f166782cc8be945b0385fd2e85e5cf41b7d5fecd627ec7fddc04888247

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
            Filesize

            410B

            MD5

            19f10f12408a1d8e76c247768f0ad561

            SHA1

            82aac6d638c55804aa8848b5bd169bfe9b7d0d6d

            SHA256

            cd57eed2983d0df348753e483f0fa57768995f70c0fc6464ae0a0d31ef72773e

            SHA512

            73ef27cb5c6e6471fad10c345c4848d283830c8fddcc517e99576dfc6c8135ee4ce1de81d938dda6e19ee9758a25f4917f1a69dc638bc335a6978f2862c1fada

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
            Filesize

            392B

            MD5

            c5f9ed89674675a5357e0afbe657d0fc

            SHA1

            a6f85d24bfc4e58fbc0bbff965de868b2f012dce

            SHA256

            bcef2b1c2efd2f8261395508e0f9bd827bd4c941a22119e687ff87f0bf409238

            SHA512

            cb4559bd2f912d62dadbad1985a731f83f833b9d90b916b21cba4164db37d8a086cb6ce64910b7f9e69e8c13457b8ad16c23285fe838a4c62a51d2a86084ad18

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_3B19E079B02C6E9472149DB847F37EF9
            Filesize

            410B

            MD5

            622531cf46565194a6f47697088fc577

            SHA1

            4ce53bcd6c7303635e2df4c87438d64b31b0263b

            SHA256

            92c5026a3e3513e885c4baa109c928a237322cbbc622362099f4291e2179afde

            SHA512

            23f0f29b459056bb4665bb31870eac088765b1ffd5562332c30d831363ded24d223a9d2637bc8bf10d6a000c0e3badc675b89d41e9b1986aa1c1177680a8d5ff

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_5C0FECF3E49EA4DC8292F821F42A2CB1
            Filesize

            402B

            MD5

            f61add763f6f3d19c31c68972376c191

            SHA1

            e83cdd4b385c68f9fa858d941fc5d2262768bcaf

            SHA256

            bf6ec090189c6b1299f48d0790ce03d1849a6862307ba7f5b12af2686304589b

            SHA512

            fcc139e4a88127fa09d5f37199f63048b0e7523595de1f3b34cb933b4c5115186b8071a935f59e701f20aae031cae7f3d91dc9802c69e2e87eda35b3964c5554

            Download Submit
          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
            Filesize

            207KB

            MD5

            e2b88765ee31470114e866d939a8f2c6

            SHA1

            e0a53b8511186ff308a0507b6304fb16cabd4e1f

            SHA256

            523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

            SHA512

            462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
            Filesize

            4KB

            MD5

            b6873c6cbfc8482c7f0e2dcb77fb7f12

            SHA1

            844b14037e1f90973a04593785dc88dfca517673

            SHA256

            0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

            SHA512

            f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
            Filesize

            10KB

            MD5

            fc59b7d2eb1edbb9c8cb9eb08115a98e

            SHA1

            90a6479ce14f8548df54c434c0a524e25efd9d17

            SHA256

            a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

            SHA512

            3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js
            Filesize

            448B

            MD5

            8eec8704d2a7bc80b95b7460c06f4854

            SHA1

            1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

            SHA256

            aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

            SHA512

            e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
            Filesize

            7KB

            MD5

            cf0c19ef6909e5c1f10c8460ba9299d8

            SHA1

            875b575c124acfc1a4a21c1e05acb9690e50b880

            SHA256

            abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

            SHA512

            d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
            Filesize

            7KB

            MD5

            cf0c19ef6909e5c1f10c8460ba9299d8

            SHA1

            875b575c124acfc1a4a21c1e05acb9690e50b880

            SHA256

            abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

            SHA512

            d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MEMZ.exe
            Filesize

            12KB

            MD5

            a7bcf7ea8e9f3f36ebfb85b823e39d91

            SHA1

            761168201520c199dba68add3a607922d8d4a86e

            SHA256

            3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

            SHA512

            89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

            Download Submit
          • C:\note.txt
            Filesize

            218B

            MD5

            afa6955439b8d516721231029fb9ca1b

            SHA1

            087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

            SHA256

            8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

            SHA512

            5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

            Download Submit
          • memory/68-444-0x000001ED72AC0000-0x000001ED72AE0000-memory.dmp
            Filesize

            128KB

            Download
          • memory/68-483-0x000001ED73030000-0x000001ED73032000-memory.dmp
            Filesize

            8KB

            Download
          • memory/68-457-0x000001ED73E20000-0x000001ED73E22000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-370-0x000001DF29100000-0x000001DF29102000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-385-0x000001DF29C80000-0x000001DF29C82000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-383-0x000001DF29C60000-0x000001DF29C62000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-381-0x000001DF29C40000-0x000001DF29C42000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-376-0x000001DF29340000-0x000001DF29342000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-374-0x000001DF291E0000-0x000001DF291E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-372-0x000001DF29120000-0x000001DF29122000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-366-0x000001DF28FC0000-0x000001DF28FC2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-411-0x000001DF28C10000-0x000001DF28C12000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-413-0x000001DF28C30000-0x000001DF28C32000-memory.dmp
            Filesize

            8KB

            Download
          • memory/3012-368-0x000001DF28FE0000-0x000001DF28FE2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4160-401-0x000001559FF00000-0x000001559FF01000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4160-341-0x000001559E450000-0x000001559E452000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4160-400-0x000001559FCF0000-0x000001559FCF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4160-340-0x000001559E410000-0x000001559E412000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4160-338-0x0000015599BE0000-0x0000015599BE2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4160-336-0x0000015599BB0000-0x0000015599BB1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4160-317-0x000001559A100000-0x000001559A110000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4160-299-0x0000015599820000-0x0000015599830000-memory.dmp
            Filesize

            64KB

            Download