a9cd3d966d453afd424d9ac54df414b80073bb51d249f4089185976fb316e254

Resubmissions

07-04-2023 07:32

230407-jdb3qaad5w 7

07-04-2023 07:29

230407-jbkbbaad5t 7

07-04-2023 07:26

230407-h9vz2age59 7

Analysis

max time kernel
508s
max time network
410s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-04-2023 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

1952 MEMZ.exe
860 MEMZ.exe
1892 MEMZ.exe
1048 MEMZ.exe
816 MEMZ.exe
880 MEMZ.exe
968 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

MEMZ.exe

pid process

1952 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1952	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
968	MEMZ.exe

pid	process
1952	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000bbbeef644b3ed2521224c2bb138ac56100fb21d8fee363f531c4d19c6855dca4000000000e8000000002000020000000a75c4287021fe7a2567377f35675b37df04fd545ac38ba89d66709691a7c3911900000001a73c6ce79f254f72ef3a89737859a3a8f32c299ddef10a5135b4144686cd315fcde1980837afeb191f14f93f5d9b105b8f74bf93c07d6a909aa98cd43c8fe835b9d55d6a0805beb38ce8c1798cd71d1a0d8db1fe93f7989d0dcd21145a93b813d204bfcc5554b54ad3dd7796a1dc503c2cee40239c62e29ca56cfd52089d051311df867cbc40e99181f2bb20c73c7cb40000000fe249cbacfd7a1056d85d6f7a8412135ea495dc144166ba5edb16122b0d8711ead295d5d1ce54cb971e021a478bb13d9c001564a368babd8d17c0d662ebe322f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\pcoptimizerpro.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\pcoptimizerpro.com\ = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000e231b9a15dba830627bcb5ee93b8ac00991193829ba80700c57167c386df9c69000000000e8000000002000020000000b63a3d5c6db31ad9a4f9d028d607c4a4d9423d5102f17f26cf0802d1c3131a82200000000e5aaff8097c447fadb3543feac9ac46eb44e7ce5b3fae4f6738bf9d154dd99940000000951f16c0443a308b87e4cc35765f5a4abbf1389e99462f5cb0b2ac0f2c185429dc3e38eae9b04c256c1107f190d6414743940641b0033ead1c8cd92955b08f6b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\pcoptimizerpro.com\Total = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\pcoptimizerpro.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387624980"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3EB835B1-D527-11ED-B8E8-C6F40EA7D53E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\pcoptimizerpro.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30add71d3469d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\pcoptimizerpro.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

1952 MEMZ.exe

pid	process
1952	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
860	MEMZ.exe
1892	MEMZ.exe
816	MEMZ.exe
1048	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
816	MEMZ.exe
1048	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
816	MEMZ.exe
1048	MEMZ.exe
880	MEMZ.exe
1892	MEMZ.exe
860	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
816	MEMZ.exe
1048	MEMZ.exe
880	MEMZ.exe
860	MEMZ.exe
1892	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe
880	MEMZ.exe
1892	MEMZ.exe
860	MEMZ.exe
1048	MEMZ.exe
816	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1536	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1536	AUDIODG.EXE
Token: 33	1536	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1536	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

cscript.exeiexplore.exe

pid process

288 cscript.exe
1256 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXEMEMZ.exe

pid process

1256 iexplore.exe
1256 iexplore.exe
1428 IEXPLORE.EXE
1428 IEXPLORE.EXE
1428 IEXPLORE.EXE
1428 IEXPLORE.EXE
968 MEMZ.exe

pid	process
288	cscript.exe
1256	iexplore.exe

pid	process
1256	iexplore.exe
1256	iexplore.exe
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
968	MEMZ.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1976 wrote to memory of 288	1976	cmd.exe	cscript.exe
PID 1976 wrote to memory of 288	1976	cmd.exe	cscript.exe
PID 1976 wrote to memory of 288	1976	cmd.exe	cscript.exe
PID 1976 wrote to memory of 1952	1976	cmd.exe	MEMZ.exe
PID 1976 wrote to memory of 1952	1976	cmd.exe	MEMZ.exe
PID 1976 wrote to memory of 1952	1976	cmd.exe	MEMZ.exe
PID 1976 wrote to memory of 1952	1976	cmd.exe	MEMZ.exe
PID 1952 wrote to memory of 860	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 860	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 860	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 860	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 1892	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 1892	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 1892	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 1892	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 1048	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 1048	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 1048	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 1048	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 816	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 816	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 816	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 816	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 880	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 880	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 880	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 880	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 968	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 968	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 968	1952	MEMZ.exe	MEMZ.exe
PID 1952 wrote to memory of 968	1952	MEMZ.exe	MEMZ.exe
PID 968 wrote to memory of 824	968	MEMZ.exe	notepad.exe
PID 968 wrote to memory of 824	968	MEMZ.exe	notepad.exe
PID 968 wrote to memory of 824	968	MEMZ.exe	notepad.exe
PID 968 wrote to memory of 824	968	MEMZ.exe	notepad.exe
PID 968 wrote to memory of 1256	968	MEMZ.exe	iexplore.exe
PID 968 wrote to memory of 1256	968	MEMZ.exe	iexplore.exe
PID 968 wrote to memory of 1256	968	MEMZ.exe	iexplore.exe
PID 968 wrote to memory of 1256	968	MEMZ.exe	iexplore.exe
PID 1256 wrote to memory of 1428	1256	iexplore.exe	IEXPLORE.EXE
PID 1256 wrote to memory of 1428	1256	iexplore.exe	IEXPLORE.EXE
PID 1256 wrote to memory of 1428	1256	iexplore.exe	IEXPLORE.EXE
PID 1256 wrote to memory of 1428	1256	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:288

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:880

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pcoptimizerpro.com/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b3d9a64a88cb46eb534fcfb60be65d9

SHA1
f16fd1b882e5b0b46b759baf6ccb163be31a3847

SHA256
e099964e98e7bdb445d9b91bafa86b09410fd31cfd9824b17ab30bde9ec4a719

SHA512
52e7fde5115724b3c7273b0e03d72672a845b74a4486d74a032d2f32ee65c47cfa08f57077f41475f13823b8fb11fc6ba24611bdd32f314d65b6977b100833f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67c99d46d895a2efaa75c30f1fa12675

SHA1
43de849277ff185c346f23fea370560b63c0de83

SHA256
7c3591d2988bb79025f7bae1875640c7dc5fa861d3a65d62623b804ecd442347

SHA512
d0c44b2755d3182182de24fc8edae838fb919ab4730de7e34d64fe21b634f36cb9b83c6c775474593cb47a489da0c6307e112590fae131e1ef2c83940cb4f4fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a6c5a13eeaa3b0ac11e0d0e2f21277f

SHA1
2fc83c4eb53b46ea94b69f011a108c9141122848

SHA256
e250f7eeea3a926342ebb7049ddeaf4f15af90e4a058bec83e3015ddd52e4821

SHA512
17a3061073912c32656463c41294a1b3f7fdd5d89f66bb2ec716dcbe955adfbb22cedca80818bab187aec693e5e489e1ea6b40507ae38ac3e2ae7e632c2a9412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe69598cca2b0aaf90a4b620c6946c96

SHA1
81b41a9d66da033f4fd63175afd9b546b90cc087

SHA256
117ae15514409d7c49ba31de70ce45d5d209dd618efb65c9acb50f21c21f0143

SHA512
a54e74e35e856d278e6f1f55ea57b0a6b2cd14eb88d439e19e36bf31b2d45cd52540d1419b78c8dc3b9d7e28723006966025a0943b3454cc82064fbacca07d9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
216348358749639be19d917664b4c101

SHA1
3e301c16e2d992da899ec66ee9b329f8b566aed7

SHA256
115ffaeabca4e2536bf998a7c99566b975cf820932e8f8a9b9a8229a5777a4c8

SHA512
6ef99a051788012b10d470a1603a65445960cbbd10ea9d6c917706f4af0b2cbb399e78375c5f3843dee25995360af18017a8721865f2576ac7774c87016ccbd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d664b8ad479a59a8d7581eb6a658cdb4

SHA1
5d2ea3c05550e6e09602406c1a91a63dcf54b554

SHA256
ecb763ae2e8c9215ee83093146847a62f299d4382625ed0ec4bde6e9204078ee

SHA512
2841dd998b4eb049aa25076ec0e05ef9ae0191829bcfb164ed89ca715dc4c54c3597662c89d43607fb3c0bfaf4b5a41fa92b2c849180729e6a3d68ef1605d5e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6558c7199aceb4d70907b474c1e3012a

SHA1
395160db2b4ee17f8862de70c936de50aeb63007

SHA256
f82376b0a6796f185c7f566fa0bb70477b0602ae92e89e44d466a32185e15c81

SHA512
42e9a0ac11d018e0ceb7f18585774595dcc6ca8f3c3d9c6481b78238ff4d44cf1549631404a008a5406a6a495f1d304da8a326a0efdec0e929a7c1120c65dff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd74a9ff9498e1d8766afa6fd3254bf0

SHA1
91434fdfb9b853ed24957e1fc021305c23772d28

SHA256
46ea1f3dcde58bcfbb55bd1512cc24b254a063c3e4faa9e37c9c93951c687a2e

SHA512
f7b49765897f9e04760a9e2093da79053100b0bb99f1ff63a155a9c8cb8a5be5c21c91ed1e3967547d33bb654a8bac61ec8feb9d31004a07ea66351b24e36fa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d68986a045b50f53bab435ae50f7acd

SHA1
94bbdacd09a076cf87b171401fb2c0cc4abdb116

SHA256
1d30a23f370ec5387e408c5fe0682eb6113eb15453c06aaba574f9bdb0542ef5

SHA512
923126605a341961b5c0b37bef4eadebfe11e07a3dd3f0cc6fc0b06df7f62e6b1dbdf9d6643bf8f3d9e13376838ecc60f31b594a25e31fe4a36e43ffeaade0b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f1afa558b63872c6c13ea13f4025702

SHA1
f87bef02f9fac84e0b429b5d8860abc6c7dc7b51

SHA256
ff754ceeca0c5b5ac860f95267e1cd3b8077c2fed04265b5b85784cd68140722

SHA512
7eded29edf458d06ec083b60f05342ad1c53e4daac19a2b80c206304b833fc6917566cdd8293bb7c9c2341da2907f4e3b995b26319b8b6b4e679f1039f26cef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7221436512d5a40c49ebf6c59a3f62c7

SHA1
fd7f3c1c55e8fa01854a256dd517e95a5e1d1acf

SHA256
a2a88ee9c88d9615d983f596ba77453c696fbc52a759188380f514edb4462698

SHA512
f29dd2b1573ebe88d8915499a191261a0f5240fd395c3f4216f979749a716ad7b76110cf2f61a4d6b1a5dc8cf1443c5a6d8903ab251a4a939cdf4704530b767c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75237d67560f377de97473186a53bb50

SHA1
54d2bff1ede53ec3398dff3e6c2a0ad03ceec7c7

SHA256
57ac45ff1b2725ab9919d1762741f9b58fecd28eaaa27b005d9d0dbf0a63ddfa

SHA512
c4843fcd3c22f2e5f360f77487125032f9ca4a8dd395185434e9baf82cf41d9ca6c543e681ee65a8a3f1d9300c0efb5d66bf99dbe99092921ebedf24c7f2f2ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6046ec358781e877070aff8ebcf878c

SHA1
dbb96f5c3a465cbd13b96a866dfccf7d43ff49fc

SHA256
168d08eb1be0465a929398c44f0045a1e7d56f86d58231371af38ec81998beb4

SHA512
02377bfb5045c21867e1a81f3d991f4bd8df6781877d7ad483e47f3ab5464a194538f21f4d44b2f95194e2259f95a4093e65f8bafa3e6fd815a827b6cae7f672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3577c2ab9cedbab7d634a16dc1fc761b

SHA1
e30340c27f63154a9202127ea376ce6ef6ed4a17

SHA256
a3cc55720d7fa5b345d0a7dafb839384a01db16a3b4f20bc472b6c7d8b91529f

SHA512
2de9f3a20bb94f7eb3548b19ccc7c116065029bd774f5b0f5b01217061f531c76c2e7d3b2f531344fedda5e9283b15a2df36e1827e25df2866af869d6f5a4233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
573b675153864de342f8407842ff371e

SHA1
db319a87d6af441cffa7de0bf6e4ddb7ef6c4eb7

SHA256
0a567b8f8480fe052ef975ab06dbb7ef89a636d13b34f3c2759ecde50ec91a98

SHA512
93e87e6a927580cbe764f7b80374adfe9fdc22465f1c9ca312c085ff66479a7986a8710d0261d6a411e2dfccd9762779d22f56a85a7d2e818380721758071b7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75da43c42a044e60712330cdd6bde6d9

SHA1
04dcfd3eef586a6f0be30a94a9087887b2111fef

SHA256
18620e97f2c4dfe4174401533ba74f18dfa3b031823ac292cb090379589ad522

SHA512
bd22a3fc84948c7a30f616fab6403d77b60b832f628182df784831cb792fb7bfe60fedadfce3ca96648eeb710022bac109aa77a9e23eb20fbe71abeb83269c5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3260a87a545c0d10d30776e7d49e3cf8

SHA1
6964514d704ee303742ea15ae375798699c5bae4

SHA256
33cea78b9acfdae2342763a82a85a03c54a3034f1f6283d5da682e58f4254f5c

SHA512
b54b3621788c4fa6555fd3d9b644890cc6319f2d4700d4b3d2f3bcf774290d9235c7e1da6504a6e27f4c5bc7984942e8b6f1e59b7d63b5e206473aa923d754a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef403c7ce521906271210fa29d0a2714

SHA1
9952cf39c85ed5b00b814a542dcfec89b73f59dd

SHA256
f13e678629108d69d48268b962447b7e7b774c7d6200548f2f65aa18af47b501

SHA512
37d5d003012c40b40a48a5f13f94eec0d867e79f9ebe1b6dbc142cc5f7f53b69bbd1d0eb828883d12a7af924ada36e8ac875dc3c776678aedb49e0b8b1ee42e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ee580735e6d57a2aec126295d443af9

SHA1
77dc5ee7d9e77a0dbc5718bd62f3b3d108778d55

SHA256
53b3622d051a6bed71369c78feeca420debbec0391f06e8c7026a5b001947d18

SHA512
fe80594bcf6cd17d248e1dc7225344318ffc6b50c613eb1060a67571f862d947b2cd2f532821dc3e7da9345769d1a57426f749f6c92ba1a2dc3ba8c15689937e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb0aebc0f7d129e484b861f8c728fa02

SHA1
06e50b6a9a7189e1873a498e30e3e9b8aff7709e

SHA256
ffc47f1ee969a6a21cd1b44207cbfb8f4e942bff2d1d8579089ddce36cbb6cfa

SHA512
e06d8d603472cace69a6be1dac36b6864d31c0c5a9ac6bba069232285e24911778f9adef9a069addd3a481abb031a6fae87a5043de9a08e1da7809bd545fb8ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3701a510054736eec1fb513efdc3b81

SHA1
d7005fd6e6aad4c5b8a0c7d3347fab6b68b683d3

SHA256
d0db63170e890c3c5e6de9b240f0600caf693ff56eaaf47c99a080f410b4d7c0

SHA512
640898e07af79cc676bb856ef59b9494cf112a6a0d7ea5bf2025151cf7396af7c8a2c4dc72df486922f625ee0f5da1bbe28ae1bed0cc422b60fab426b0caff3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
925994ba201c7f8dbcaf661944b140c3

SHA1
02704adbe8bf3bcc92411d621ca43aa6c955a567

SHA256
de0f7456371b0c97ad77e202f3f9b3e1cd45f537df888f47d2c65e1c7b9bb003

SHA512
7673dd158a8b37bbfd81bac46ff5895dab99f328f5896ac78fd3fe1de42774256440a98e844a5b871d4c396c645586642cdb1b4002ac8d8a8396861c2b7776f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efb30a1b0cbbd317a2ee0a1bb13826f0

SHA1
c13a7e56d4fdc3fa2a485838e7be082fd5ecf280

SHA256
50ab8c3b03a63dd66dd6ae3f95131f4ba264272854876b28c58f9d3f27207874

SHA512
0b4e8481b5ce2c2c180d5770ea7abf74249558bf7f5bdc92aedd093f782601edcee728b5c688ef25ac4a75abc404c43413dc651f9b096b044e51cfe3bd739152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1983d24bbd4d27e22bbba509a2a43fbd

SHA1
3f30d27f815aad8c95431a8ba3750b0417519f6e

SHA256
939bc73a8039c3f930cdcc9f090080ba923f25a5cb77af11a661be1de5f36a8e

SHA512
fe1ac1768d0d1b653bc1d2a17b435152f31701da374b550b0f73b9b5936f5fc4c4dcb1f7e577ab04ce9d556fe8ccbf83fb81a740c830d720974db54867afd1cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0532c4475969e653bc1e4b3cd9ae7611

SHA1
58b10e5c63749433a06f6df1ddaccac8f5db3f45

SHA256
d8176dd939f4f90f1dce0ab4ba1da973b95afc078ebd2df50288f044c8b35ae4

SHA512
3697f3f8d6c3b6b1b11bd80f8cc57f7a5eaa7aca62bb714f16d8b96e9c40b4380435ebfcc8d92f835a2ad7c37da5b8b7b72d451dbfe547b233072478a4cafc8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59d1d7cfcc636904cf1e03dff255ff6c

SHA1
e406f07f35b9f213d61bf725453aab536cb741e2

SHA256
541d4d325775889c359cf2d858a4117d91426c7ee76bdd2750c3e2fd8fcaba32

SHA512
535ba0a6d0b2deccd9d8bed4d406f79f7f3d01abc5cf72d8b4649aab838feb3eec3b88e28e0637c143c75ee7ddec1ffb1aef9ed7934a34193daaeaf9c524dbb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\KJXXCBYB\pcoptimizerpro[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z62wpf5\imagestore.dat

Filesize
8KB

MD5
b5871200babdaf3905a43b4c9cafec19

SHA1
5bbf4a829b5a6208f9e2e5219877c72b15ed3cf1

SHA256
f7026e2dce17d940e31b81f8f1af34b38901e7d185808aec42da73d5070d5dd7

SHA512
45454ed9f295eda0b40b8780514b2ac4fcc0ec64c01c6171ec980976cd05449790d17713d0e1e6d0436cba7fededbd2ccba4527aecf2bb0b99861bcfd40b36a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\PCOP[1].ico

Filesize
6KB

MD5
6303f12d8874cff180eecf8f113f75e9

SHA1
f68c3b96b039a05a77657a76f4330482877dc047

SHA256
cd2756b9a2e47b55a7e8e6b6ab2ca63392ed8b6ff400b8d2c99d061b9a4a615e

SHA512
6c0c234b9249ed2d755faf2d568c88e6f3db3665df59f4817684b78aaa03edaf1adc72a589d7168e0d706ddf4db2d6e69c6b25a317648bdedf5b1b4ab2ab92c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
5KB

MD5
0e5e715fe91c637d556372045d79cc15

SHA1
af6178f7eb7ffaec14769fb83d5de84fe5b28659

SHA256
a6d8aaba524286079bfe11c73f65cdcc6e5807d660e1018b99659b50bf80cb76

SHA512
ff8d704ba553d2a4c5f732ee1dde05973afecc62b9609885900df55ea03036ff88090624d0979f9e1c0ed37663e76960fb7fc10d7050311528c63a46e2cc2018

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
468B

MD5
f0d52887ffd650ba0c0d96c6b9f8faa5

SHA1
c58fbe36b32a4e7a42578e98a80bb5c5b379a5b4

SHA256
d2be4fb7ecaffb2ee061ffb750424b729a262b377da00768cddc439a42d053c1

SHA512
410b18a4cdbc64c5704e2ca22a3daa91faff44dd1cbbfd8c827b45136767be9ebf8efeb84741ffc318029397b6e243d9e16448991cb4accfd024c820d2a3c152

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBCE1.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MZXP3OIV.txt

Filesize
601B

MD5
34b5c8ddbeb7ed458432a651461b3318

SHA1
bab1e60fcfd0c12579a91cff035ead8714d40e98

SHA256
91f8f70230c9f2c4d7b17546a127cfdbf766e82e8ad25ec6ebc69b9062fc37a0

SHA512
d00b0b28ef13ca85e51e3713152cda53c8130fa52821934d58da688bc7119b71e77c40bfa631b15cd4e66f3ca0bdd62753b58cffb673cefd8281815990a38780

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit