a9cd3d966d453afd424d9ac54df414b80073bb51d249f4089185976fb316e254

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-04-2023 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

840 MEMZ.exe
700 MEMZ.exe
1732 MEMZ.exe
1096 MEMZ.exe
1108 MEMZ.exe
524 MEMZ.exe
1480 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

MEMZ.exe

pid process

840 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
840	MEMZ.exe
700	MEMZ.exe
1732	MEMZ.exe
1096	MEMZ.exe
1108	MEMZ.exe
524	MEMZ.exe
1480	MEMZ.exe

pid	process
840	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387601537"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0af5f87fd68d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9A2C611-D4F0-11ED-9D84-FAEC88B9DA95} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca0000000002000000000010660000000100002000000033ce7a748c5bad3d59f847d85bb20ad168d8ce300d878301c000a215611461da000000000e8000000002000020000000bd0be522c4cdd737673bb2f43ebd3becee1d67ecdb0b1a67af50699a3ac4e79720000000dc43ad677d180974642b83dd2a9a20824ffe9fa2318bee6e3c60784ab9f46518400000003250f4b54d65fa76eb31e75e0fe2db622e749219f430dbfaf0aebc3b8f61b65c84d77bd649ec7a7eef338a7913e3200e5565cbdf8dadfbbb7d56c4632e2c3de9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000bcbbb625ae7c676b514156df1bfd3061b095a310689e4ce5b825fb0cb430008e000000000e8000000002000020000000cdb6f4d5db53b88f97c636a9eb2ecac4a2b697f955d009f4ac4a75e7d74928b09000000007b1da03a5e3cf8bfb1f2a5bf414320c9181f1b8f9015b97c4ff669ab81791498f490ee0460d84a656d3444f1000900241bb8281b8d7b96ce3258293f92086c17ce90a3bad7727b47d95fef77f40fadce1861ec5deec2cb4c6558040f5d1914fa4c7d4164566a4a5ed509c455670992221509724cbcf1d8507d2f4a86800edd55fd70ad2023cc0917c4564852e2c0ba6400000001088b7870d70d3de4eba12addffad9fb99a692764b4ec1fa290adfc8ab0af2ae423640d55175f119385b0b5baae0d534569181c219c74b16be34949d3fe2df47	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

840 MEMZ.exe

pid	process
840	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
700	MEMZ.exe
1096	MEMZ.exe
524	MEMZ.exe
1732	MEMZ.exe
1108	MEMZ.exe
700	MEMZ.exe
1108	MEMZ.exe
1096	MEMZ.exe
1732	MEMZ.exe
524	MEMZ.exe
700	MEMZ.exe
1096	MEMZ.exe
524	MEMZ.exe
1108	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
524	MEMZ.exe
1108	MEMZ.exe
1096	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
1096	MEMZ.exe
524	MEMZ.exe
1108	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
524	MEMZ.exe
1096	MEMZ.exe
1108	MEMZ.exe
1732	MEMZ.exe
1096	MEMZ.exe
700	MEMZ.exe
524	MEMZ.exe
1108	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
524	MEMZ.exe
1096	MEMZ.exe
1108	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
1096	MEMZ.exe
524	MEMZ.exe
1108	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
524	MEMZ.exe
1108	MEMZ.exe
1096	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
1096	MEMZ.exe
1108	MEMZ.exe
524	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
1108	MEMZ.exe
524	MEMZ.exe
1096	MEMZ.exe
1732	MEMZ.exe
700	MEMZ.exe
524	MEMZ.exe
1108	MEMZ.exe
1096	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	692	AUDIODG.EXE
Token: 33	692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	692	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

cscript.exeiexplore.exe

pid process

748 cscript.exe
1792 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1792 iexplore.exe
1792 iexplore.exe
360 IEXPLORE.EXE
360 IEXPLORE.EXE
360 IEXPLORE.EXE
360 IEXPLORE.EXE

pid	process
748	cscript.exe
1792	iexplore.exe

pid	process
1792	iexplore.exe
1792	iexplore.exe
360	IEXPLORE.EXE
360	IEXPLORE.EXE
360	IEXPLORE.EXE
360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1740 wrote to memory of 748	1740	cmd.exe	cscript.exe
PID 1740 wrote to memory of 748	1740	cmd.exe	cscript.exe
PID 1740 wrote to memory of 748	1740	cmd.exe	cscript.exe
PID 1740 wrote to memory of 840	1740	cmd.exe	MEMZ.exe
PID 1740 wrote to memory of 840	1740	cmd.exe	MEMZ.exe
PID 1740 wrote to memory of 840	1740	cmd.exe	MEMZ.exe
PID 1740 wrote to memory of 840	1740	cmd.exe	MEMZ.exe
PID 840 wrote to memory of 700	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 700	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 700	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 700	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1732	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1732	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1732	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1732	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1096	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1096	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1096	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1096	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1108	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1108	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1108	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1108	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 524	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 524	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 524	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 524	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1480	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1480	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1480	840	MEMZ.exe	MEMZ.exe
PID 840 wrote to memory of 1480	840	MEMZ.exe	MEMZ.exe
PID 1480 wrote to memory of 900	1480	MEMZ.exe	notepad.exe
PID 1480 wrote to memory of 900	1480	MEMZ.exe	notepad.exe
PID 1480 wrote to memory of 900	1480	MEMZ.exe	notepad.exe
PID 1480 wrote to memory of 900	1480	MEMZ.exe	notepad.exe
PID 1480 wrote to memory of 1792	1480	MEMZ.exe	iexplore.exe
PID 1480 wrote to memory of 1792	1480	MEMZ.exe	iexplore.exe
PID 1480 wrote to memory of 1792	1480	MEMZ.exe	iexplore.exe
PID 1480 wrote to memory of 1792	1480	MEMZ.exe	iexplore.exe
PID 1792 wrote to memory of 360	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 360	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 360	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 360	1792	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:748

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1096

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:524

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=best+way+to+kill+yourself
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a1a230df554b304da89ffa231bbb656b

SHA1
7ad7beaf6cb8a1051d2c36537e8b4fc31619432f

SHA256
7df708f3506c94b365c2fc761699f75ece8da2df1b94b7b11497a25b7e998b4b

SHA512
d1524cb606c76e5dabc48178c9d66783eb21da6577ee5e19a3344144657d11458e9810dbc5b3efb8a3341f9edb90fccdf57a0db8f0c3f02d6060e05b3bbe5bc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
27a14b6b9937288472cb12003db4ef8b

SHA1
76326bca61a364797d3b4199c0ceba954031dffa

SHA256
47b1056f5c34bcade50dda4a9f27ef5b2f29911d643b2f41727cba42a11872f0

SHA512
505c72d6d3f83c40ed2e2883ed1acd7f4f42b38f672ec53f5bb862354010efa1605b2a473093abfca26e3ca477f1363d909d0cc52b3b781b114ae2352dbd4b0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
27300eeaab7fa09c812002a1f31d3bc7

SHA1
595b23a152fb5688e088d75e516cd8c7535ba1f0

SHA256
1aae99631535f0fce6ea8f0c54b43dbd887aa0133cfdd1125087e7d8b1593f40

SHA512
8fd71d3be67d728757ffef9a49a7d1ab3fa19cd0a45768e3f4e3a12d6a0ec5c72f729077fedc7066c3e61ebed609c7033b0f6efbcdec98ca406f320db767c71d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
856cce591177bc6a514799d48d35f288

SHA1
0f905f535591e4fc3950d1270d5f72c0bd22ad9b

SHA256
bebac0ea8e492235acb56dfa9220ccd6a4cbf37a9cd9be1037621626ca61a761

SHA512
1751235d6f3c6fdd451441391a2c39ea396dcd0ab8cd562ace7232a57cf28045a4bd55fa5935a813fe6817fba1d304f45c6bc437c8a5bd0a8d88ea61ad471a7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2e464de09ad2c0207fe8fd5e31fda238

SHA1
a49cc46b5c8947ce7245fb0bb4cf688065c440b1

SHA256
5d30141230fec8de75d0b0a1368c5006b62816c0e6137a54892ef3054c9ad182

SHA512
5897c3baf225bf37aaf43424b6ecbeecfc8cd727944ee9707c02e45f725297c56101b83299869a524d987e9aae504447015d593ab2b558f6909d09e2be264168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4a77a819e0981c29fc0ab65814d4c389

SHA1
1f58685e6f664855c6795f9f7b9641d7550f8754

SHA256
5a319f61595b8a262d46ee76a05116f0e3aa34670b8979b6770053ad123e4cce

SHA512
8f6235a2c87608d52616a76047dc8c6ae4defdd67ab137aa8bd4affbd0d5bb7d652e4a77ee107d9690ee0c34328f1122ea0de5001167504f3f0002b283edf93a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\07asiie\imagestore.dat
Filesize
9KB

MD5
a85c576c84890704e3ff62ab48b4c344

SHA1
08a7906669792f57e174eb112cf93b762a79c30a

SHA256
1fabb2dec2d1dd8288301b64aed13c3dcb2f649d3eb97f516d5a18efd12cc1c0

SHA512
8bf7eae308484e3df045e515e599d70044c1211c06f9177169396a33ab663158372a2dedb94b049670231cc95b77af49b57b9fc2877d579b6058aa6ba60800c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\favicon[2].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TF0W5LQL\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDAA9.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x
Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js
Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip
Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip
Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDAAA.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC27.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KZE833WU.txt
Filesize
606B

MD5
0c714dda2a6c42393271ad80fc92c364

SHA1
8d67afa5e87af05cee5ecf0b541f7a5e8f5840be

SHA256
084ff56807c1dc4f0f9a24fb4bb3d7d39beef02f4f92f8be6d19d924430b94d0

SHA512
7e988f71414f89196e69c50388f21ed2eb24f5bb379a50a120a5d2127e0714093c72f8ab35d49a75ac89838e8bcbe580aba40680b93c4c62813cf93239bd300b

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\Users\Admin\AppData\Roaming\MEMZ.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit