734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
152s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

1076 MEMZ.exe
2076 MEMZ.exe
2720 MEMZ.exe
1912 MEMZ.exe
2380 MEMZ.exe
1660 MEMZ.exe
1540 MEMZ.exe
Loads dropped DLL 7 IoCs

Processes:

MEMZ.exe

pid process

1076 MEMZ.exe
1076 MEMZ.exe
1076 MEMZ.exe
1076 MEMZ.exe
1076 MEMZ.exe
1076 MEMZ.exe
1076 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1076	MEMZ.exe
2076	MEMZ.exe
2720	MEMZ.exe
1912	MEMZ.exe
2380	MEMZ.exe
1660	MEMZ.exe
1540	MEMZ.exe

pid	process
1076	MEMZ.exe
1076	MEMZ.exe
1076	MEMZ.exe
1076	MEMZ.exe
1076	MEMZ.exe
1076	MEMZ.exe
1076	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc500000000020000000000106600000001000020000000562bf2c4377bd989e16f1c0d1f2a4d2b5a839df406d1f6050fbe17ebc3736c7e000000000e8000000002000020000000d1bdae210459ca0d87fe9c4b41c663939d792c1bfb6ffd7f6c1f3147bbd16aeb90000000242fce43aab783f5a87944cde653d595510f19d0d66313fbfb1ee75c87eaaa700961d783d78110e9615d67ded1034caefdf8f4c6f888ddc69298ee25c0927d8c693ef3b6e75391b640ab866f3598c64917025e6ceb83be0a7e76eb470a9830eeccd3ef845baaf3e684aef75fbf1e4d0dde25c32ccf1417daf7d02d62cdbc6e307e59156a1f35fb4bcb20bea42e6a7a5240000000ce5587ccfc4045d3843cb7361200032ab5413a8817bb914e6133d6ad45528783ec46cd98f0c9d71a9b7b96d8f75b28367f8317c0b32548c3f942942db9544120	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55930B51-DF28-11EE-8119-4A4F109F65B0} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc500000000020000000000106600000001000020000000ed4d7e7722f2b016e9443295cc19d19e2c9b89274ec0c9f6c164909046686bba000000000e80000000020000200000003f60085f9853e3f5d23555ab8e2ed8a1aa4c3c0c86d1115851770b09bf471d1820000000c3c5ca7fa4c060d9985459fec3b63238721448d2cdb5514306bcd121f094addb40000000540e7b9c057a10937fe35782840d578f1e21fecb3a4d4cbf20c7c7a92aed1a6b1acf78ddc222b9ea604341af5daed25221703d3afe6d9110f2ff9b70c55da1d1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f552273573da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416269350"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

1076 MEMZ.exe

pid	process
1076	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2076	MEMZ.exe
2076	MEMZ.exe
2076	MEMZ.exe
2720	MEMZ.exe
2380	MEMZ.exe
1912	MEMZ.exe
2076	MEMZ.exe
1912	MEMZ.exe
2720	MEMZ.exe
2380	MEMZ.exe
1660	MEMZ.exe
2076	MEMZ.exe
1912	MEMZ.exe
1660	MEMZ.exe
2720	MEMZ.exe
2380	MEMZ.exe
2076	MEMZ.exe
2720	MEMZ.exe
1912	MEMZ.exe
1660	MEMZ.exe
2076	MEMZ.exe
2380	MEMZ.exe
1912	MEMZ.exe
2720	MEMZ.exe
1660	MEMZ.exe
1912	MEMZ.exe
2076	MEMZ.exe
1660	MEMZ.exe
2380	MEMZ.exe
2720	MEMZ.exe
1912	MEMZ.exe
1660	MEMZ.exe
2720	MEMZ.exe
2076	MEMZ.exe
2380	MEMZ.exe
2720	MEMZ.exe
1660	MEMZ.exe
1912	MEMZ.exe
2380	MEMZ.exe
2076	MEMZ.exe
1660	MEMZ.exe
1912	MEMZ.exe
2076	MEMZ.exe
2720	MEMZ.exe
2380	MEMZ.exe
1660	MEMZ.exe
1912	MEMZ.exe
2076	MEMZ.exe
2720	MEMZ.exe
2380	MEMZ.exe
2720	MEMZ.exe
1660	MEMZ.exe
2076	MEMZ.exe
1912	MEMZ.exe
1912	MEMZ.exe
1660	MEMZ.exe
2076	MEMZ.exe
2380	MEMZ.exe
2720	MEMZ.exe
2076	MEMZ.exe
2380	MEMZ.exe
1912	MEMZ.exe
1660	MEMZ.exe
2720	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

536 mmc.exe

pid	process
536	mmc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

mmc.exeAUDIODG.EXE

description	pid	process
Token: 33	536	mmc.exe
Token: SeIncBasePriorityPrivilege	536	mmc.exe
Token: 33	536	mmc.exe
Token: SeIncBasePriorityPrivilege	536	mmc.exe
Token: 33	1568	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1568	AUDIODG.EXE
Token: 33	1568	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1568	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

cscript.exeiexplore.exe

pid process

2996 cscript.exe
1012 iexplore.exe

pid	process
2996	cscript.exe
1012	iexplore.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

mmc.exemmc.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2636	mmc.exe
536	mmc.exe
536	mmc.exe
1012	iexplore.exe
1012	iexplore.exe
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
3068	IEXPLORE.EXE
3068	IEXPLORE.EXE
3068	IEXPLORE.EXE
3068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exemmc.exeiexplore.exe

description	pid	process	target process
PID 2228 wrote to memory of 2996	2228	cmd.exe	cscript.exe
PID 2228 wrote to memory of 2996	2228	cmd.exe	cscript.exe
PID 2228 wrote to memory of 2996	2228	cmd.exe	cscript.exe
PID 2228 wrote to memory of 1076	2228	cmd.exe	MEMZ.exe
PID 2228 wrote to memory of 1076	2228	cmd.exe	MEMZ.exe
PID 2228 wrote to memory of 1076	2228	cmd.exe	MEMZ.exe
PID 2228 wrote to memory of 1076	2228	cmd.exe	MEMZ.exe
PID 1076 wrote to memory of 2076	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2076	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2076	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2076	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2720	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2720	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2720	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2720	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1912	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1912	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1912	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1912	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2380	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2380	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2380	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 2380	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1660	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1660	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1660	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1660	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1540	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1540	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1540	1076	MEMZ.exe	MEMZ.exe
PID 1076 wrote to memory of 1540	1076	MEMZ.exe	MEMZ.exe
PID 1540 wrote to memory of 2748	1540	MEMZ.exe	notepad.exe
PID 1540 wrote to memory of 2748	1540	MEMZ.exe	notepad.exe
PID 1540 wrote to memory of 2748	1540	MEMZ.exe	notepad.exe
PID 1540 wrote to memory of 2748	1540	MEMZ.exe	notepad.exe
PID 1540 wrote to memory of 2636	1540	MEMZ.exe	mmc.exe
PID 1540 wrote to memory of 2636	1540	MEMZ.exe	mmc.exe
PID 1540 wrote to memory of 2636	1540	MEMZ.exe	mmc.exe
PID 1540 wrote to memory of 2636	1540	MEMZ.exe	mmc.exe
PID 2636 wrote to memory of 536	2636	mmc.exe	mmc.exe
PID 2636 wrote to memory of 536	2636	mmc.exe	mmc.exe
PID 2636 wrote to memory of 536	2636	mmc.exe	mmc.exe
PID 2636 wrote to memory of 536	2636	mmc.exe	mmc.exe
PID 1540 wrote to memory of 1012	1540	MEMZ.exe	iexplore.exe
PID 1540 wrote to memory of 1012	1540	MEMZ.exe	iexplore.exe
PID 1540 wrote to memory of 1012	1540	MEMZ.exe	iexplore.exe
PID 1540 wrote to memory of 1012	1540	MEMZ.exe	iexplore.exe
PID 1012 wrote to memory of 2856	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2856	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2856	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2856	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2568	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2568	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2568	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2568	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2560	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2560	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2560	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 2560	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 3068	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 3068	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 3068	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 3068	1012	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\cscript.exe
cscript x.js
2⤵
- Suspicious use of FindShellTrayWindow
PID:2996

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:2748

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
5⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=virus.exe
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275482 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:537625 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:734230 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7e8f359f842f63d4f8e11b673e763622

SHA1
a7865040b538d6aaa80bc37e89372c61b7427be8

SHA256
f04843e27ab3a622e565eea01945462567d713146b1cbca62c89d2495e924450

SHA512
f417bf439068b5205190c6ca559d14b0aa4a19af87530fc4e46eda587f80281cb8e567bf6caaa74b02f29f1247afec461eebf2ce1e6a079f675d1f304c9b1fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329C03A4966B136B54FB137DCA798EB7

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
be83e66a9a534b1cc36f057bfae70b9e

SHA1
794cde83e73c6908cb1de4f5a5451f7af255d037

SHA256
cc57eaf85f9e1af995d7130b51fe3ec97d299159a3063b2e7bf6d19217f8ff4b

SHA512
3eae26f566ef39d30d6387501453179ac018ea2203426a211651da981432d3aad55dd5cd58987a782a42eeb945ff6d736e57c49513da37558ac1fd9b30ed65c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
238a382bcad2130dc55746c0828a701e

SHA1
51dffc206c205288594ad91064169d1182fb19df

SHA256
a207babf2c4cf288a5336b34eeda574297613a16636020c3022dbf68d038e1fc

SHA512
7d8c5e8b96f6aa2423fc25b193171af8dff5a447c718c70dbd790e35b0fa2ae100cb089a12b0bb31c6735d8fb550e3179ae19b9fcf1c4b956e1c5dc50abc4852

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22db475739e01a8e120a55023acd3dea

SHA1
feb31ed3ad5fc26f05261b70b11c04f3223407ff

SHA256
409c04ec2c0a5ba73eb700f0bc82166eb8a07c25bc2b274bf306b7c7056b2733

SHA512
ef20e524b8fc7968c1d75d07a1b735b0aec3dae422ab829fee677af7b2cefd2dad9cc5d2ec0df678c1ec1968587a96d57ee757bb315d4ac937f27e8850b304b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c2c466a6e1bee855038cc93634de9f7

SHA1
86e646c3c417369bd90880b80b19abef98508c2c

SHA256
375885e02c715832e9450cd04f220976452bcf238235c54ceb55dbfdd00834a4

SHA512
74013e6bf6f7fb3827f9d85d5ef68aa13387d91542a440ed6d78dc78b175cb063501d31e0a0fe72aecee27874bd8280083ed312262032657a24d99c7f7c45bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d4c7e1dbed9b8c2790d298b0bb058eb

SHA1
59602723b5b01971d4431a108d7accab518dadf3

SHA256
cb4f54e52934fd38a2a2633860ee28e2cf9a0ce1219ebc73ae7d76efdfd7016a

SHA512
17e46d0f6a870158f2a5e41f9511e18e5a9c849e4f045239eab4cc72f755164a4520266787a65aecf01d777d01f208ecae3fb3ad97e73e97894410a253f1780a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9804b81b5e0554589185b51030d1389

SHA1
adbace1e86c8bba4301435bb873e428b8a0a61ef

SHA256
fe0f2ee94d83269cb1ffe98304d74a91c3194d80d8d0ccbf1759ce20503df824

SHA512
d48c6d027b80f6126d1dbd09138b077f084e240f1bf96df59e69bc9503c723e15ce8beb6fdd8a0d28358b135937e3a2677de8a0f85f7b8920428444b55791383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54ac76a1e946478554d6e753355e1058

SHA1
6805e237849fc48b60e3c3b11911521b036bb2ae

SHA256
1fdebb1fdb510937eff230104c503c9729924b68df2d6d2cc75d209f9fa011a8

SHA512
6d811eca7198576512a63dedb16eecaca6dbf8b9029eae8edba09123db91c2e4b52d1de8dc4f16d6c364b5ea93f04db63e3cdd154ba4f0fd9d9e22fe75590c39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14aefdb4446ba9ae80cf38f69528d204

SHA1
15f58e29a434ca3d0588c3825aef2f8d9949cf6b

SHA256
7fb9523854b3a6684b13f87dcd1e4e00b42559727e22dea3b20a4e278f87ebf1

SHA512
42c4c2bd3e3dd6ee36cb3670a44c58aba18584d7dcbda6579a533ea51280b1158fd79a53ed295eef096436eb497bdd669def89941e6ceee4d322841f568be573

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a04a43804a66d362135972e35a6e4a60

SHA1
0033a35774112558794c752bdad9218d316b9c6c

SHA256
b66198cd5a26931bcdbc09b53777238e213f26cc8e2b356130236134f0a10815

SHA512
e0cf40b85801e36c340f681a8aa437db26f3aff48c4b2ddc6be5909c1f0603aa5f1036b20b3ec77af76476c192781f834e5099996f23614a7e7dc14b847dfd8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
186243004954fdc95fc9c21c361aaedc

SHA1
9df84a83cc8a7a3c70df4c989cb5a8cbb3f47abe

SHA256
2e8a37a9bb479c0253a3787107b84346524bfb48096e29deb87b0e08f34ddae0

SHA512
a2adbad6a27504b7158c6f30b049ced178c05d5bb9d5087db72a1698cc673d5d067b82de0de17ebcb7ab01d8a2f82c6ae335053aae7a5bca7fa294128c755ad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2062607b4d29446ade9ba1fc7074fbf

SHA1
d585775ef45cc7287986135aa3aca3f90cb2cad7

SHA256
4109d1f181e8fbd8f9f6f6b8163331c044510f2b7c8c87cf081aa77145d760a7

SHA512
4e248b4a3ef6f9612ac81b82d3caffb79b015c9973ffc1bf96f23a01cf14e25aff91fbf23434969073850f608d28e4ba519467a7c45e7e9fe252b163fc8f71ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d904d01d14d15b78832e559c18a2ba1

SHA1
939b024482350a80f46ee8ae588e8ed43b640333

SHA256
f18acdfdf95c1ae14144fdeef401512deb8fd90d52487d86688bfce05c4ce28f

SHA512
eefd54d3f2ffbc468beb0abb335b6b983503ebb2e159ab1b6fc99a2b6ad1c86687dfc02b216c2497309a70b0f9c224d7521450658fe7dc226030b346fbbf9c9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b2445975b2830cc8ca9a609777081ca

SHA1
68402d5bbaeabf1070b9a4ec13c37e686bbeed8e

SHA256
ce69068bb4b08d7458d871bd6bb5e390759796f8915bbb639dea4bfcd8af1d04

SHA512
d3a3753abea3369c52851a36ac83725ab8ba8e1843b574462c5c461dbe4b89b92e5437f29a14dfbfe05f9b19fbfaf6b8ff4c20b19740abd11c4ae121c9e179ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5538417795986e2b901cfde43355dc61

SHA1
9855a53b13bb92f699ae12cb76ae760df0fe90ef

SHA256
541daa638e933cfad2950c89a66bc8230773863fd41ef8f1b61715ba3f43e5d1

SHA512
03944b142a6d4cff63ce705c1aca621aafebb2258d0fc9a4cc3fb1c526c346f7d577f1992b6877fb5c2372c5e07c70d9bc9f585b4f3ee85602be4bca49f201fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45fc615bb5f9aca5a74eb3e794c35e45

SHA1
56400cb702a98d15bcf106f95b1a4c43f3f05a57

SHA256
b2a050c72cb639b16b27a2bd4285445fd63e07fed86ccbe63b00870d6af2f743

SHA512
7db712efb718c17b48b0a80b227bf291d8ed7db780634a0abf9756e2b49c372d92355f836a9a3a94443b4f903e3d075e4ef5c34d4c5bbbff221ecbbba0870345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bde8e4bb972deb339964a0f1252779f

SHA1
15cac6bf4050464ecbffb40ba3ad0ae3d7977679

SHA256
098e7761e36bc1fc46a2ebbde542e2f44bc00f64e722324cbda62d56fa19e48b

SHA512
f7439fe23be6dfc674e4baf21327903d2de6c166de3cf9b7bd92d263dc202eec7bf65f384ca8302575da4a96c2e91e377a843af6473e9a3f0c605aea7dc256b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b8baea7fb529e6a169fccb00932b3fb

SHA1
485f993f184bab925515abaa7598cc5c99f964fc

SHA256
a0b0219bf98051ea3f652287596910286a7e0012ddbef04cb0497af6b0cea63a

SHA512
11904ba8e93304f330383a481a37d104a1eeac1481f7c50ea377fc32e414448a9f762fb50307ce9d0a5148138c3df5c4770e0a86750585b03cf378decbf77604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65b243d21e4a8c6d5ee255a498bab531

SHA1
4ab11d003d41e92ad59923d185904d1cd82df1dd

SHA256
bc4fcd7e935d2da57bec8eb70b40c263adcfa895441a61f502faba2739c9aac3

SHA512
a79360c8d3c85b49b2bc85242e193a5e978425a19a884abcb7a32dbcc6acbdfba544738351d479b7acce8a89c6a757b566dc48ba935e4c742cd31254892bfd39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b7a165ce6bab6e242feb1a14bb20e40

SHA1
c42005730edd792e5b30d50c5bd068d904e35d75

SHA256
39db6d6376b5a28723a664c571afad4bb6286992a6006bfdfbd2fcf154e77d29

SHA512
0f29b2936460b85b8fc89928a13577716223382c4b50c5b810bfcd6ec3e2160d5c4069426ba97eda1984da203bc2d0bcf8f65b209a005fa6d8c371bf66e59187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8f4caeda832b243395070786937122a

SHA1
ee61e8e7a7c932ac0d0755e09635faeeb71ad1f8

SHA256
6d3cee3a165c16982632c8595bdcc75fff3169ba30b18185e45fef6ef318a855

SHA512
53f53f575219f10739d1f14d2bf6f2429bf6ea6acecbbfccf961314e869a8fdbf74d8022c7360dbacd6e9a25d91f9fdafc811b616badceedc1f829be352ce63b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e12e58b616904585e1232f6f2e84059b

SHA1
53c0ce888c0efebda413220e92dde3ca2fadaf53

SHA256
4ef1438e481849c67cebf82bdf79d3e24ceddb2198b80dd3c523e18a4e467fe7

SHA512
ca3bfafdbea963f46e0128333842d5ee17124f41f56eeef6580829712af1ead746b4176101534a305c73d826dd59c0045370fac06b6588536c9b342c520a0564

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
28657faed66c172d0e269fd34754a696

SHA1
fbf0c6cd49507fd3fd3337f2b3fb5d2367a2f10b

SHA256
1fc0b508b8ecda43a0ee37684d3b9822e74cf17044e118cab5c5203f2813bd2e

SHA512
43c209bba0ce844e47dbc9c4e5450801db8d210c132b81c20edf27212d59785972479b6e9c621fbc33b226a0c4df0185b83dacf0a4104ff68729db583fbce2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b32f6137559cf41c242eb922ccab0427

SHA1
7ac974442b117ea2b11bc8e479b01b2ad2ecbbdc

SHA256
fdc6775ab9a9da1cfd145f8d705f22647eb5e83af12ae707323eab07712eea37

SHA512
09049f56148a5451d015728177b7eace349951fa2b5febc0970a8ef2d57598cc82d82e7bcb2ecd142b5ed6b1d406af94654631bcd9195d196ad988acbdff83f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
33f8d8b00ff3ddfd0be6a1fb126bcf82

SHA1
ff743cee62a7d6d62a1556cb18a1c6aa91c2379d

SHA256
0a840e64851bb0066d9cf6e79b27107b690d4535c801b00e22966ec866b0026b

SHA512
26998370ddc9c4a41233c69f5331ebc2f49fbedacba6cbb7c78aa4a1706dfefcb208a1dcbf70a7e27f3ba2c075343419742b8d68be11fe1c2d73b7538c84bb86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
e6e39870b9c32706ef3525caf2f6fec2

SHA1
104cbf3ddab305478e39083b66dcd57851fbed8d

SHA256
2970b71cd61df111a11060c38dad451a5d439bd585aae570875a20e448deab94

SHA512
75e06a6556c31fe71eae79960c1d7e55574b324d277db46d5d3cc86b5fc20e09fd650a5e4b7295a694de9d95994ab6c3755d81406b2a026ea3eb73e16952e0cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
e8717e3f1dff10f90162417445bdab47

SHA1
1a33013fe74c957075c10fedac147ecb18c8a595

SHA256
24b11e6da8b87cb80cf8892314c007846227dd57b8b898745d9c5fbc1c7ddf2f

SHA512
3cf8f3db1d4bb370e9fe92c3aee9353e799982bd33848c01a0cbe451a2fdce2b73c2367313a43487603d040afec3b9a6c5323fd372198b85ead7bb5fff36def0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\3FOZBNDP\www.google[1].xml

Filesize
98B

MD5
1dcfc43683ff4b769a23d7d2a784b326

SHA1
40780c3d69b5807815472e199729304f737a8c3d

SHA256
087a5ed8cd82147deabdb400dcb09e26a999f02f6b48109c19d6d2c2041a933d

SHA512
1205e52c474cdc96816fde7a4100b6c48ae4133b0a934f0272121b67023a0f95d573d7f8cec7a33ef71831223ebca23f72de5380f3b1a20042d894a3dd3b096a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jq7rho9\imagestore.dat

Filesize
5KB

MD5
5ad93de7ce227a141e62bb2db2db22c3

SHA1
e7a1e090dd50a384a5e7e8b2e2d4a89b14a946a1

SHA256
2820be6efb5d9eb1b8353e37eb8e14216917d59d0d92266ff6c8fc4f6e7e2751

SHA512
4d3e504d5859815a0790384806efdd1d743101cff8581ca7aaaf29f51ce37cb75a3f300553b7572d5fbad6621a594878eae98e6ed53560a5d95b2f682258260e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PU2MMJX7\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S96XYZ9E\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S96XYZ9E\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S96XYZ9E\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SZ2A9SGY\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SZ2A9SGY\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8318.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
1KB

MD5
47202a82241a607dc2fe0c5c46b776db

SHA1
773d256024009cd3735805b67d60b604479deff0

SHA256
c656171ddd713409f7d7df0bd560fe5828b681eeed571822fcfb968ce647c907

SHA512
e11bf920664ab02205446963ea5cd614eb2859a0825af993ede65a569ed8574d3a37cc4434a454a2c12afe0633c826884b9c35e4e84e3c4d20a356e4c16e81cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
3KB

MD5
3317250920b3b379217589dca70fc3ad

SHA1
04077df7fb58917926c60ea61c355bd1bb6de4a7

SHA256
5948846fc1a753b875590f3f1c4f7f40f6874d87bfe46aeb593891f5e67adc90

SHA512
34b3462c99320c026b6c908b32dbbe279ba305a750a28d2b4f75553e8a854b5123cf402658f328b5dcf5fc9ca5309022c81bb0f5742e137291dc436521880669

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
1014B

MD5
1f4edfae8f0c79c7a562de3e9300bc01

SHA1
9ea28cfd78d124699583dc9a8590a688c6012dc9

SHA256
99ae60b6d65d31554a34ca31ef5fc7116a67438ef376388763e4d89c516ff7a9

SHA512
0eec72308e1bd84788745a926501df3312dd014fcfe41e28fea6e21f05874e3f515efb090562e0f066d6b66dbc5fadeb17d37b4cda3567d5809c1100e36a7a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8317.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8447.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KIWF1OZ5.txt

Filesize
374B

MD5
3a6e1f8e39db12aa3159ef251ef8ebd8

SHA1
b06fbc1a4946b1709a23b68fd09d955d21bf6347

SHA256
8b814586fd3c739be4177e94e2a32dd5ceb3045f4e94b0362abc06d7c5b7cb50

SHA512
ac0efcfbdaeb181b4a693d76b7f88b4f93676d8fa6634498274598210fca0c5d965e98806bbd614e707996e9014b375a2f969f4690cf0cfd767ed589bebb41f2

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/536-182-0x000007FEF6C40000-0x000007FEF6C7A000-memory.dmp

Filesize
232KB

Download
memory/536-181-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/536-183-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2996-150-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download