734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

Analysis

max time kernel
297s
max time network
303s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
580	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
1640	MEMZ.exe
2348	MEMZ.exe
2120	MEMZ.exe

Loads dropped DLL 7 IoCs

pid	Process
580	MEMZ.exe
580	MEMZ.exe
580	MEMZ.exe
580	MEMZ.exe
580	MEMZ.exe
580	MEMZ.exe
580	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416269983"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e000000000200000000001066000000010000200000008e9c28cb7f3468c80ae932fd31bee4c461152cb53502e20c45d6d11afc311c40000000000e80000000020000200000005ea1f282b8a8206d5b2ca3b4414cd382353e8bb2c1fb67529f99e6f7b151bcbc20000000938dfc382b27bcfe6f545c42effe46a0b5bbcf146191925058e706e6579fe17240000000432a8c1744763137e2594fed987a6beb49bd21e205899a85b39d83807e0a7860ac14c9324e3b1f08975da68173e7984572e6122f0c237279ec9b462b020f5eba	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e0000000002000000000010660000000100002000000012b74c6211bb84d693f186bca5c7357b4759f5556667997f90f09b5aab472d62000000000e80000000020000200000006957467df9690c839fda830074579231999e590e347d864928e2b49d4021b89a900000003ae7611d6762db5f87474da657355314b74979b54fb44fde48668780df6ebad02ebbf5817b17006806c5241e657cb8c26cd6417a0dd97858af8130f39745be941ae601f0616e77c350494d7c39eb7ed5c30e6ec38f69dc73840c73fb88f232bb04e73c66274a9e1671f702f571fc502c6d17794c33a26980051db0072e0151007b86a21b17f095f188339144fb493c7b4000000020ed77b6c2654c10643926db98a9cac6e911657d43f5f71ee9083296d78838275d0eabb6819ca59b07f2bfc27d27876461cde67f4d8cd8562973364be5956e8b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CBCCA641-DF29-11EE-B6BE-66DD11CD6629} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 704ca6a83673da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs regedit.exe 1 IoCs

pid	Process
2884	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
580	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1044	MEMZ.exe
1044	MEMZ.exe
1044	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1884	MEMZ.exe
1044	MEMZ.exe
1880	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
1880	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1044	MEMZ.exe
1880	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
1044	MEMZ.exe
1880	MEMZ.exe
1884	MEMZ.exe
1044	MEMZ.exe
1880	MEMZ.exe
1884	MEMZ.exe
1044	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
1880	MEMZ.exe
1884	MEMZ.exe
1044	MEMZ.exe
1044	MEMZ.exe
1640	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
1044	MEMZ.exe
1884	MEMZ.exe
1640	MEMZ.exe
1880	MEMZ.exe
1880	MEMZ.exe
1884	MEMZ.exe
1044	MEMZ.exe
1640	MEMZ.exe
2348	MEMZ.exe
1044	MEMZ.exe
1640	MEMZ.exe
1884	MEMZ.exe
1880	MEMZ.exe
2348	MEMZ.exe
1880	MEMZ.exe
1884	MEMZ.exe
1044	MEMZ.exe
1640	MEMZ.exe
2348	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2884	regedit.exe
2952	mmc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2952	mmc.exe
Token: SeIncBasePriorityPrivilege	2952	mmc.exe
Token: 33	2952	mmc.exe
Token: SeIncBasePriorityPrivilege	2952	mmc.exe
Token: 33	1600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1600	AUDIODG.EXE
Token: 33	1600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1600	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1912	cscript.exe
2080	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2080	iexplore.exe
2080	iexplore.exe
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
2552	mmc.exe
2952	mmc.exe
2952	mmc.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
2120	MEMZ.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
2120	MEMZ.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
2120	MEMZ.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2120	MEMZ.exe
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
2120	MEMZ.exe
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2120	MEMZ.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2120	MEMZ.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
676	IEXPLORE.EXE
676	IEXPLORE.EXE
676	IEXPLORE.EXE
676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1912	1924	cmd.exe	29
PID 1924 wrote to memory of 1912	1924	cmd.exe	29
PID 1924 wrote to memory of 1912	1924	cmd.exe	29
PID 1924 wrote to memory of 580	1924	cmd.exe	30
PID 1924 wrote to memory of 580	1924	cmd.exe	30
PID 1924 wrote to memory of 580	1924	cmd.exe	30
PID 1924 wrote to memory of 580	1924	cmd.exe	30
PID 580 wrote to memory of 1044	580	MEMZ.exe	31
PID 580 wrote to memory of 1044	580	MEMZ.exe	31
PID 580 wrote to memory of 1044	580	MEMZ.exe	31
PID 580 wrote to memory of 1044	580	MEMZ.exe	31
PID 580 wrote to memory of 1884	580	MEMZ.exe	32
PID 580 wrote to memory of 1884	580	MEMZ.exe	32
PID 580 wrote to memory of 1884	580	MEMZ.exe	32
PID 580 wrote to memory of 1884	580	MEMZ.exe	32
PID 580 wrote to memory of 1880	580	MEMZ.exe	33
PID 580 wrote to memory of 1880	580	MEMZ.exe	33
PID 580 wrote to memory of 1880	580	MEMZ.exe	33
PID 580 wrote to memory of 1880	580	MEMZ.exe	33
PID 580 wrote to memory of 1640	580	MEMZ.exe	34
PID 580 wrote to memory of 1640	580	MEMZ.exe	34
PID 580 wrote to memory of 1640	580	MEMZ.exe	34
PID 580 wrote to memory of 1640	580	MEMZ.exe	34
PID 580 wrote to memory of 2348	580	MEMZ.exe	35
PID 580 wrote to memory of 2348	580	MEMZ.exe	35
PID 580 wrote to memory of 2348	580	MEMZ.exe	35
PID 580 wrote to memory of 2348	580	MEMZ.exe	35
PID 580 wrote to memory of 2120	580	MEMZ.exe	36
PID 580 wrote to memory of 2120	580	MEMZ.exe	36
PID 580 wrote to memory of 2120	580	MEMZ.exe	36
PID 580 wrote to memory of 2120	580	MEMZ.exe	36
PID 2120 wrote to memory of 1076	2120	MEMZ.exe	37
PID 2120 wrote to memory of 1076	2120	MEMZ.exe	37
PID 2120 wrote to memory of 1076	2120	MEMZ.exe	37
PID 2120 wrote to memory of 1076	2120	MEMZ.exe	37
PID 2120 wrote to memory of 2080	2120	MEMZ.exe	38
PID 2120 wrote to memory of 2080	2120	MEMZ.exe	38
PID 2120 wrote to memory of 2080	2120	MEMZ.exe	38
PID 2120 wrote to memory of 2080	2120	MEMZ.exe	38
PID 2080 wrote to memory of 1816	2080	iexplore.exe	40
PID 2080 wrote to memory of 1816	2080	iexplore.exe	40
PID 2080 wrote to memory of 1816	2080	iexplore.exe	40
PID 2080 wrote to memory of 1816	2080	iexplore.exe	40
PID 2120 wrote to memory of 2884	2120	MEMZ.exe	44
PID 2120 wrote to memory of 2884	2120	MEMZ.exe	44
PID 2120 wrote to memory of 2884	2120	MEMZ.exe	44
PID 2120 wrote to memory of 2884	2120	MEMZ.exe	44
PID 2120 wrote to memory of 2552	2120	MEMZ.exe	45
PID 2120 wrote to memory of 2552	2120	MEMZ.exe	45
PID 2120 wrote to memory of 2552	2120	MEMZ.exe	45
PID 2120 wrote to memory of 2552	2120	MEMZ.exe	45
PID 2552 wrote to memory of 2952	2552	mmc.exe	46
PID 2552 wrote to memory of 2952	2552	mmc.exe	46
PID 2552 wrote to memory of 2952	2552	mmc.exe	46
PID 2552 wrote to memory of 2952	2552	mmc.exe	46
PID 2080 wrote to memory of 1988	2080	iexplore.exe	47
PID 2080 wrote to memory of 1988	2080	iexplore.exe	47
PID 2080 wrote to memory of 1988	2080	iexplore.exe	47
PID 2080 wrote to memory of 1988	2080	iexplore.exe	47
PID 2080 wrote to memory of 2572	2080	iexplore.exe	48
PID 2080 wrote to memory of 2572	2080	iexplore.exe	48
PID 2080 wrote to memory of 2572	2080	iexplore.exe	48
PID 2080 wrote to memory of 2572	2080	iexplore.exe	48
PID 2080 wrote to memory of 1664	2080	iexplore.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1912
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1044
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1884
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1880
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1640
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:1076
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=best+way+to+kill+yourself
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1816
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275473 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1988
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:799758 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2572
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:734249 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1664
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275505 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1692
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:472137 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1948
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:996416 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2656
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:1455158 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2316
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:1324124 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:676
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      Suspicious behavior: GetForegroundWindowSpam
      PID:2884
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2952
  - - C:\Windows\SysWOW64\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
2KB

MD5
fc92b2c6175b15300cba0822c2bace0d

SHA1
c23875c1655a5fd48099d82762aa3045fd20d476

SHA256
bb50723924f16869f441be92ce21befefc21a10095b851b74f688f57e90b8947

SHA512
572165088628a78f91cd74dc75b211d6c1159de36209e286ef8b23f900538484558edfa1a662f2882132a1c7680633a617fd473f5c8a13211a0ab3820c0bdc0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7e8f359f842f63d4f8e11b673e763622

SHA1
a7865040b538d6aaa80bc37e89372c61b7427be8

SHA256
f04843e27ab3a622e565eea01945462567d713146b1cbca62c89d2495e924450

SHA512
f417bf439068b5205190c6ca559d14b0aa4a19af87530fc4e46eda587f80281cb8e567bf6caaa74b02f29f1247afec461eebf2ce1e6a079f675d1f304c9b1fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329C03A4966B136B54FB137DCA798EB7

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
a5caead01378ea5e8b3b48bb4bf465d0

SHA1
ce6015bd0e6d004add7413334ed0ba90c7b857ab

SHA256
272105992830f2dd4e9a8e228fd8d223f899263ed8dbb1bc66a4c0a3ecb65d53

SHA512
9a85c23e184d0efb3c74dde0954a49a780e364d3eabff32ee80ae3452867812487a44a7580632e233c0abcacc1d8248c0df1582bdaff0725b49e167538cfd3af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B

Filesize
488B

MD5
6a0acb931b5e381a82618540873a8220

SHA1
3b40cd1e5faae3d74cdeab22a39c65879c81e4f1

SHA256
8dd48a153c05b7378bee5a9f1d8d20abd89ea67d3eabe81d304a55d62ef4b981

SHA512
68e12c2756a20ce24229809003a4bae7f5de28ea158dcbb57a0e87c1dcc1cec7384856bcbf772b98979c75bdbfd25f3041922fe5c4b4556739b1948f07be759d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c798e29ca65018df713dcf6a2a6842aa

SHA1
5d8c17610d7299d93d8d1a7ee21d212bea24c5f4

SHA256
d0a48d8aa9d23d2e98aacab4e2e655650ad4099c9a73a948ddf558269224215e

SHA512
57a2b0ee77b94a3ece631cfbcc768acf61251398381d42b9213609d8e1a43c5453ccaf471b62eaee7c07e1c402ac6b8a0f3f34a323567336300cbd75b55fe4ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329C03A4966B136B54FB137DCA798EB7

Filesize
426B

MD5
20f60ed1fe2b26c828435669c802bfd3

SHA1
858dcb68d9a260480b4c15d97c96402d231470db

SHA256
e83641677a44e4b46791efa7a1a190771b9f6e4a1be037628ecc6a14461096e7

SHA512
e4dc3ac6b6554b7a977220784155a6602d2c08f48d966a5cf79a7713669e42f6521832079f3a14aa90c2f6c87671c91fb4497035c4697c99a5427de79990c492

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329C03A4966B136B54FB137DCA798EB7

Filesize
426B

MD5
8e243e26b47bdefa3c87312f984cd4d3

SHA1
365f096ff80e45cb9265c13bfd06c84fefd9c9ba

SHA256
0af46b1dc3cb7e34525c65806980875d0645a68c4097f57ebe83b4c85259ff42

SHA512
30bdc6a552a71ab067331e47b11fc56006e84a35df7d6c03fcca8c932c96d975d45bf648a6b91db915556f51a0224a9422cf1b430e21f495ca8a82b148d830ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329C03A4966B136B54FB137DCA798EB7

Filesize
426B

MD5
14604190b81635fea38a8551a4cfcdaf

SHA1
52f4fd448c419960f49d8622c69b1816fbfd4d1a

SHA256
78981e621051fbe29f924ec147e0baaf5667c220d607f18cdb70c420a3a56d97

SHA512
005512be5cb979dc35ed5c3b5f28182281f563e07ffe5222177dc40338d04f2efabf828a741e45bb06862f211f754ff474faaf2c16bca5d54aaf7f1774972ebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329C03A4966B136B54FB137DCA798EB7

Filesize
426B

MD5
7558bcee6c3a4c4873b4517054ebc5c3

SHA1
c1e6db901bd950cf7c6ce97d74d46055ce1d0892

SHA256
87e85dc6ff6c89d878689bcae5f423568e18570c1abd7ca56f2aed9a60ed8230

SHA512
5d6de4c48f5aa0073c9d984dff08938136ef28e06f60bbb04c284a0cb946957acbe442d92c523a55521d334000aa9d3b36be9f5f5262d22bed0ffe53b61853c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6b55236de4e1fce5a0e254941a6d242

SHA1
19127274843e6b609f75d7761a148aa4a19401f2

SHA256
243282d5439df9020813e6d0ee63b80ea7dc59589442210ad5b2c935c4392a81

SHA512
387829dc4f14400127ef79fbed205a1f1233c73c739a644a2404502333ac967603456b6032b7c7d615143220b48b0c47c53057b9541aafd293057bde55029a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9449b92da7a43602e7f90bd1c0fa7462

SHA1
d0d1846b26550c9b3e5b70e0edf7ea65286b90f9

SHA256
fd4d41d4d17c5bff40957d819e0c473d1c0cec2ae415c93e65f059d99a1e30dc

SHA512
3972b1aa49da2fa19424542f7801a325ca92584a74e3b2d7d0d1cf606d8a8ecdbf46ca5faceabd12e82f27b5e9b27cdd3e873c6262903b3b2849927f61b60723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95c047414468f8444c96390ff32d7b38

SHA1
1e35be1ee7c5bb2e47de660ebe1ef2617fcc7700

SHA256
af2adde5b048fd467a2b9f5b0455c9d357a75138b34d5f6764b2e1a27d3d966d

SHA512
fb16dabb3cdb145d85d6076248782bba2d73893b37521f18f262007d42839cac9895565a999ebe6c9d3b70a68af68615e5269108d06c211533f0b73b4f7de6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0550944215b71badc0514becffd19356

SHA1
f4bb98501e6650c39d269c643178420c172dbb06

SHA256
4c9818f289ea88db6c36398ed16ef19e2017e6100b8f1f7121ee6fcfd2a55cd7

SHA512
efa7228364687016bff7ddb2785c7de9a4b3d1ca553d019c2a0a233c858c2315dd2d95b723892711d5e1a0012fd3d48e905424248cd7021b6ac416235e0e64c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac576fc19ce83b002849158a6be0bd8e

SHA1
2b94de441b1139be2be140adfdcb39654ab4e787

SHA256
8fcf0cc40a006d75608222a9e0bcf4d9028983182bdb4c01b2fc4b043e70a84b

SHA512
12b10bfe0cd21846277c6859a57e95a7fd933bc584c4297a7f7ac43f8dc3264de416e741f9090a6231195941a95b08b69ac3441a0d35be09d2ab8dfa1bf18e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad506c6c1f64382c4d63aacbdb986bd8

SHA1
f66ffa26188a19b7bf16fcd27dec83b1415ffc89

SHA256
307970f94eb16dd32ed7d64017dad196f83c8766e6453c2c1e85705aced3ac4c

SHA512
745e51ec793f88a516ba46f38f4f3d38ddfeda19c8e7aa404e4559e8f74b8ff0a8405e65134a9b3d75d4cb254b3d00f44cbfc8f65173ced57e260d8ff66c0b82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d12c5cd3a7304cb3505d9746a65869ea

SHA1
20104e8da20a34995278b178335154b89a0787b5

SHA256
1faeb2e8b92eae49e71a18959fb73b49cd619ded5df864cb6aa35eeec1eca4c1

SHA512
f08bed5d93e387a7aa501677e9c01748da4d06828196a9f5196602a34def7ef1da0fa8e9b982a43023ba8573b3c340ea9db8decb3febf532308df4d93ba5c11e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44390466f23f756408a414c2556064a3

SHA1
29f864e58c02c804c3535f13e0e42a34e9e1efdc

SHA256
de43aeb698e84bf767fcc492c3f1d72fec38912f67a949314201678e635ea1a0

SHA512
e16e732b22379169a8e947acf90791ca6b96ca465a4b5c04bb42ff2951d4266690dce50bcd5e25cfb0c2b0bcc6ac25218258b83562d2d0fd4707fecaf18a1da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0201200d9a42fbfe4d993893a7dd218

SHA1
a3ef47c99f5c30361b337cc9e650bcc6a4c552f5

SHA256
c136b65373207b939071bff769815fd22cb236d7e218b3e00fe9e56e85d93067

SHA512
52ff83a62b5e28d21867757f2a9db24ab5bde8bf6b5c03c4eef57403dcb0f7ed64f50abc3ba22c77f3eabb50ce78d294a8f5e9f58cfef40bcc9e11ce71c88ca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
781c694d9591f85b54005c42e1dfff27

SHA1
686f208df79f1833e896713b139c4475a6af16d3

SHA256
79b97997e13604707b22f371092f23ed3865574dae895c44c0fe6e01b09cfdaf

SHA512
451dbdddd7c0baa891a8396e93f7b2ffdf4283c3f22e0552bc8b7dd1aa7e3de4a65bd2bb1cddac6a575634602e89ca26c23c2bf21d38cf9dbaaf159fd3aecc6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e51ec540e40d6f5098e9cf8ad6d610d

SHA1
060de78d1fb1ae24b1b98edc38984873d1786dbf

SHA256
7f68451774fcaaed34f402f71b3d4ba45f00a5d155c735c600500659ba7171f2

SHA512
89626218a77d983503d6e8c17d1ee96a75a298687edbfeebd3880d3726957261147f18dc1740334f6ec65dd230773d46b49bdab959ccb775bef22cb69c8ae31e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6922b0c2f3383ca6f547017805dded0

SHA1
5bb73e49d91e0f5e74855df883b0c7c0f2c2c563

SHA256
1f139cf9136a0c250b0a8f7565b50d8ef2b24167f578047a509c7a6763517bc9

SHA512
4fee6c98ce8f4f3309d2485360016866a8e7ee37a53f3cc34b3f34acf3c8c63ad025fec8e4a4f87cd785b3a7e5fdd169c8cb6ab3a96ba52250b35a9c9b9d13ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df915ace0f27aa2632fa862f91a7c901

SHA1
75f8dad31ed7478030a6454bffdb0a468e01df15

SHA256
e08558b17abc14bde7fd761e9e418315ca107bebbfa3577fefdc237c0f9dcf2e

SHA512
7bd3d56d7c3300b4b2f5e385efbf9d27b4b7787015bfa8d37f3590f533d3fd4ab9b48f108295bd87c0f3ea784e1af90fd0007a23b053cd5bedf1d2d38d75fb01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
278c4d0cdcfc8b0822a311d17f07dade

SHA1
f885014056291f261f3b07c1c9c78f730f205ce5

SHA256
14817f78926eb0496c64b2aec3bde2b64a4655e9932ff1d9765a4e66af30f6a7

SHA512
312b74860d9fe2860e37f718284a346a76adae036342536f081008c451b8aa9615c00b447fd44f9daa737e240fa572ed3a67564db42b4e839709f0c8ea398610

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6149c1d00b59b84c6b9523500c9cc76

SHA1
bab0b49ad1851674cc86a2c8ad2079ac3bbb6459

SHA256
29df1625fdf44f678c30d5145e3ab76d57124ecb44fe3a4e7875c26d3aa5694f

SHA512
0e308acf6b6a398db622cd9521a6420595e12d2fbc13dd000618ae5667ccada7d93971742f31ac03a3c24d2f6e912c0aee5893641dec336dc5e45a79fa76cd66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
cf528062f47115125d0bc7584a95513e

SHA1
2f676067f128dc288ed312a4fb173505352a70e3

SHA256
0aba75dceb0918852336171e7a0d1aad01bf2693ac5e08493c2937e3cf1fe927

SHA512
24c23982ef50217284f7bb7510acbef8fb78860472235cde421a16f79ee8bd5cd87e7f979769afc3eb5e223dab655fe4aca1e9b5072df712d17b6fafd1143f65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
1b1dfb3c78105621d49c515ac8880207

SHA1
05751ade387095934a3004ea0d5a06c3be6c936f

SHA256
642d5b9036dcc698c20553850a9bd7fc50158e1df9ac2a68e909b3f507e28a6a

SHA512
43ae5b9a541967aa837f35a52430f94bea75af4995d7807f614633cef5ea49e79701bc13fb27c748e5f67c91daea2e55a771f40933038638f1b16c14c69f02ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
8f4725913922100b8c589a8f7933d4e3

SHA1
914f6e8b7fc9589502e8279b779e499a92240bc0

SHA256
8bb99d252658d3170f5c241356be060a2fcabfa9d050a6ba68611d6b2368c957

SHA512
f91357a7b9aa2569a1d58e560030572ba2b47859dbb45302cdfc87551bc687acdd7b5026facd6e55a588c6f7a404b8909c5f1e5b1d6ee600f3e2e49417b40d96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
8af9dec47d9dd1ea6adc0ce54a6bc32c

SHA1
58f705a8363c6906e52b3ab6e86d1f75ba40944a

SHA256
73525fe1e7cc278000f11d73a1ccdb93ec3698c30e39d89042a9f076b4c2b3db

SHA512
35b640ac48360d6bb472e8f614ce039280e06ec49e26347e918497911d54a90e942d6ca2be05eb50ad52e2edcd53083a0d668e8ea5c4ce8e8ba345fb67f110d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\AWX9EARA\www.google[1].xml

Filesize
99B

MD5
35c7546f29b32a05d9806711372bc9a2

SHA1
e426cd7a9ef3ce412431cc843969e1890a1b608b

SHA256
aa853a5806ca4589ecdcad9acebf8c5842ab36f45490293cf87ba28dac2644bb

SHA512
7feed3fff8fceec48182af3ca37fb0e67585779cee0712abcf7aa093a29f13d79bc1da0cc6d6574c61482975f276dafa823f680ca41baad9e0f6f8104723d9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jre0bgm\imagestore.dat

Filesize
5KB

MD5
7d39884545ad8e3aede71d280920c680

SHA1
108f01a1fe3f1207cd3e4aa9a519e9f896bf2840

SHA256
d9454fc9183ff9a0b22e2acf963451b6c8178a5a98aa2403a4a9a42597abd9f4

SHA512
b867e0ec79f39c68bf46afb8b5492362e378526f37c966113aff40137194befd4326398a2b1e62b70c3d52499d92ff68305cecfc66950e16a97bd6ad77b33963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75OMIGJ7\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75OMIGJ7\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B4HDT8MX\3WHTNGOF.htm

Filesize
150B

MD5
2eeb2e0202b1bf9daf39ac6eb1466b42

SHA1
26abaa251ff391b4311c5cfa927be41b09ced5d3

SHA256
66f963290dda5adc89f8ce4e16676df4540d5b8f600e0fecf86e03a4fcfc1c02

SHA512
101659d11d34d4d38aeeb181917a7ab7630dd6909699a018166a9cbbb4346eeb9801c75c57fb67b63f330bd363b7367ba99ab604bdd9f097127474207b871e16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B4HDT8MX\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B4HDT8MX\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CTT6L9LH\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CTT6L9LH\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CTT6L9LH\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2GIJQ9P\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2GIJQ9P\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P2GIJQ9P\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B8D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
1KB

MD5
09e8f74ff61bbe9c86b8e865b0aaaded

SHA1
428b471996b4b14901d03736d867a17c20047e48

SHA256
32689d78fdc914164835e67f6ffd3c3ab7d36e173ef1f5aab0b6ab77dbba6982

SHA512
1ab71d7dac92eff8bae903159a7f42a6f97c8fea23a4879be86ae72181fe9252b576a81764666be74b47c37c53642a22136af0f2604868bc1539c6f2867d40a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
1KB

MD5
c3f6ba2f73e292a6b54102a224d350e0

SHA1
28825d275a06c59164ae7201eab4604663ac2c71

SHA256
8c58b5d78ef40df3c5276351702cd38fb410726641a55312f6c2c665a663f6b5

SHA512
553c168ad8a035a697918b426b9301a20eb5fdae422bd9d0c09a8bd26d332d02db5dd3e5f24c8602397d2d1b877ce4f3ce598eb339580f757c0509a9c80a1647

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
ec5b72546c1c5611803da039731e0d8f

SHA1
5ca75677ca9362491f0e85cc85b5774628131cdd

SHA256
5591d11dd216f7601353be12db1ab2707a38a5fe74f3b44fd7f6c6554422495e

SHA512
2362ba9faa8041badb5f2cf9f63e3b991ea35456294d7120fac018733f5d11208897ef8cd5b241eb80c6901e9e30f7c8366013f00050c515141110716f316456

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2229.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFDBC2E7824CB705B7.TMP

Filesize
16KB

MD5
49c17bb0c749fcdb1e6c1663cd6712f8

SHA1
73b9dd6d83e9435c10f74409702739f9beb483ce

SHA256
f6dc8e1c03fadbc653af299e1ea9c8c32c2f74cd79d6502ce265e47bdca97310

SHA512
64f62242bb63ddbea15c355f7b37fca31fd5fc3dc147530405803bce04cdedf0e1f13199eca0493ba11cf1cc9ff012060b064ad5f34cd1522f6405381389e8a2

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WKLP8BZ4.txt

Filesize
378B

MD5
ebacf0f8f5bcefb189b2f2d21334ecb5

SHA1
255aa4efccc69d11ad2da3f168b80d447e17135a

SHA256
50aeda3eab50f3d37e54c91fefddcc69251144ba6fa817e728223fb8fa24258c

SHA512
5988ee506c19c9bcba7d83ec5da6af25fd075a00e249046edef5b329cadb7812dd3697a483d0dcd26f07cd769dec774a36009b165bdcba790ba3066e60719f43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
50960f407b1413725594c5fc675bb018

SHA1
627560d14128ac9bcf6d202c1f300775919e2b4c

SHA256
d6cc96f2ddaa52ed9b32f0e3e89be1ad186396f6f65d28388e4352d37455ae6f

SHA512
1382b480e4c2c60a59f5fb37579f26b9ac1a1c1498f482c99f2ac818c320fd1e3a9eb297d0e9ceaa8c7920df02b3b47b0698a51359b97f11b90d00fb6260fcf1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1912-150-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/2952-753-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2952-1416-0x000007FEF5520000-0x000007FEF555A000-memory.dmp

Filesize
232KB

Download
memory/2952-754-0x000007FEF5520000-0x000007FEF555A000-memory.dmp

Filesize
232KB

Download
memory/2952-1165-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download