734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

780 MEMZ.exe
1428 MEMZ.exe
2212 MEMZ.exe
1276 MEMZ.exe
1244 MEMZ.exe
1340 MEMZ.exe
852 MEMZ.exe
Loads dropped DLL 7 IoCs

Processes:

MEMZ.exe

pid process

780 MEMZ.exe
780 MEMZ.exe
780 MEMZ.exe
780 MEMZ.exe
780 MEMZ.exe
780 MEMZ.exe
780 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
780	MEMZ.exe
1428	MEMZ.exe
2212	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
1340	MEMZ.exe
852	MEMZ.exe

pid	process
780	MEMZ.exe
780	MEMZ.exe
780	MEMZ.exe
780	MEMZ.exe
780	MEMZ.exe
780	MEMZ.exe
780	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70afa5243573da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000038c291c28e20faad71173d44c4fa7cc071daed1edd9667445d8f3f186c10c341000000000e80000000020000200000001fd9dbc3fec5212a8ee63dcbb3d7efdbf11922960211378e45d0b8775344763d90000000d79b99f347109ba44c46184f1bea607a5ab2c5deae581fe1e2a4d2ad6eb58aea39477e2392241b2933ec1a9d1431fa6afa25ddde3ef7ec0183d83709236a655606ef35251676fc04ce7e6031a702b2dd94a723d9b00879ebac5b9d9ab212c93f4720a138fc5c2e0bf29833785449a74e64b6a0c41945a81d42431bfd23eb67a03d4973e5626f238823ad84e6dd7c0b18400000002e34bb584f70f89dc05214a6bf46f15061d55198a4673e48d8b12aac298be7e158e5cc8dd10af264e86ef3d1a6e73749a58ed3d8976c36499c33352b1604b3ce	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5251A3C1-DF28-11EE-9988-CEEE273A2359} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000002a8e27f58556aa0de4b36a84e357dd1a841a8813c0b3b675053fc2652b2be705000000000e8000000002000020000000b89d09248606cea64873462a44ea72fc88ddc4cc957d6abd7ef6f5b862cca08e2000000064405b7e7b0aeb02f10a235d832fb4985b819da8769f20802fcafb1257a3ee7d400000007073f2700dddd28fecffb0bb85ed6e00e190ffe3a3b420fb98dde6baae273abbd8b96eca4845278edb02dc7f10b6f741feae6c46c72d1adfccef8466c39da703	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416269345"	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

780 MEMZ.exe

pid	process
780	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1428	MEMZ.exe
1428	MEMZ.exe
1428	MEMZ.exe
2212	MEMZ.exe
1276	MEMZ.exe
2212	MEMZ.exe
1244	MEMZ.exe
1276	MEMZ.exe
1428	MEMZ.exe
2212	MEMZ.exe
1244	MEMZ.exe
1276	MEMZ.exe
1428	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1340	MEMZ.exe
1340	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1340	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1340	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1340	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1340	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1340	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1340	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1340	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe
2212	MEMZ.exe
1340	MEMZ.exe
1428	MEMZ.exe
1276	MEMZ.exe
1244	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2680	AUDIODG.EXE
Token: 33	2680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2680	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

cscript.exeiexplore.exe

pid process

556 cscript.exe
2076 iexplore.exe

pid	process
556	cscript.exe
2076	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2076	iexplore.exe
2076	iexplore.exe
836	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 996 wrote to memory of 556	996	cmd.exe	cscript.exe
PID 996 wrote to memory of 556	996	cmd.exe	cscript.exe
PID 996 wrote to memory of 556	996	cmd.exe	cscript.exe
PID 996 wrote to memory of 780	996	cmd.exe	MEMZ.exe
PID 996 wrote to memory of 780	996	cmd.exe	MEMZ.exe
PID 996 wrote to memory of 780	996	cmd.exe	MEMZ.exe
PID 996 wrote to memory of 780	996	cmd.exe	MEMZ.exe
PID 780 wrote to memory of 1428	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1428	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1428	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1428	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 2212	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 2212	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 2212	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 2212	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1276	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1276	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1276	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1276	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1244	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1244	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1244	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1244	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1340	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1340	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1340	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 1340	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 852	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 852	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 852	780	MEMZ.exe	MEMZ.exe
PID 780 wrote to memory of 852	780	MEMZ.exe	MEMZ.exe
PID 852 wrote to memory of 2000	852	MEMZ.exe	notepad.exe
PID 852 wrote to memory of 2000	852	MEMZ.exe	notepad.exe
PID 852 wrote to memory of 2000	852	MEMZ.exe	notepad.exe
PID 852 wrote to memory of 2000	852	MEMZ.exe	notepad.exe
PID 852 wrote to memory of 2076	852	MEMZ.exe	iexplore.exe
PID 852 wrote to memory of 2076	852	MEMZ.exe	iexplore.exe
PID 852 wrote to memory of 2076	852	MEMZ.exe	iexplore.exe
PID 852 wrote to memory of 2076	852	MEMZ.exe	iexplore.exe
PID 2076 wrote to memory of 836	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 836	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 836	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 836	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 2292	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 2292	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 2292	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 2292	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 1904	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 1904	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 1904	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 1904	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 1584	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 1584	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 1584	2076	iexplore.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 1584	2076	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:556
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1428
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2212
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1340
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+remove+memz+trojan+virus
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:836
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:668680 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2292
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:865293 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1904
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:865317 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7e8f359f842f63d4f8e11b673e763622

SHA1
a7865040b538d6aaa80bc37e89372c61b7427be8

SHA256
f04843e27ab3a622e565eea01945462567d713146b1cbca62c89d2495e924450

SHA512
f417bf439068b5205190c6ca559d14b0aa4a19af87530fc4e46eda587f80281cb8e567bf6caaa74b02f29f1247afec461eebf2ce1e6a079f675d1f304c9b1fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d4665b40ea7fbd9018e774d8a0f2fca4

SHA1
b034525ff830c5bd882280b208da231cdbd7eb78

SHA256
06074ffd3b7fb0c56490b1dcbd62cca7fc972ccc2f2ed08de4c2947d480522f5

SHA512
38c0b40c968b9d3e657618f142a87723a87f3bbece5e3712263b330e82c7566cbb1d6d09c40756d581abc346c2550750793440516d0c205341fb1a060c8c5302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
157ccbf668c25bdd754c79ca3e843722

SHA1
d2795bda8da83bd57b8503562a766be8c34e3bf3

SHA256
3863aa7331cc0d488dd769d1ad0ea5dae8f8dcdd4b8061e53af02ecfbf0cc6a0

SHA512
9be75217f43ba251ec46428a2ea72f2c9db1993a5f13558bff28feb2b1644bb11318ab4d64b665ce14110a578150e5862431b14f17c140624d8f339945006615

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a774e38ca5768d6ec7714a32bcd7d77c

SHA1
316d7c0c8387459ec93c833f8903d2ebda196847

SHA256
7113f72ae398d0e40e3c5479c7b8585f494b59eec826846868acba761ad1399d

SHA512
773b7ccd4823626271cfa6809083d3fde6e5cee95cc8d85b8e91b54c6dfabfc47cb99759d5e49ce07619376443770fa5b86796a7710d7e7cd1fd16dd898e46f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21c848ef787e4239f6013b4f48a7a299

SHA1
8fa2788775951ef1a9cda61ba61c051ece62f4b4

SHA256
b781311bfa63924043ba3fd92cc85abc3485c8d34dc2239bb7989484a6c89cd7

SHA512
3055d6cf5fc667305e73f74c9a2105396d02e1b9963b0ad07aeb1d83d08a2168b57c053f2f1f664ffbf43430be81b9f5c0c7374cd9be6a6da4d378b328298ed8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4526bd96692648e661a87d51becdae9d

SHA1
d8db1f6a506d3368905766234b22ed562519539e

SHA256
8e3b6b2bd500cef13dbaf753cdabdfe375b1c9d46377797d531979c605a12ce4

SHA512
90ce78233e37b6fae73c142094fee95661a661c12bf2fa311c12dfa6232051bd82dd924414f6a49871a586db972fc6948b45450c928c7b20595b7bb763b96ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
850a94c5a2e6a1655a24000d33752dcc

SHA1
84969a81b6e3607aa60a5cb36fb65204555dab03

SHA256
5388cf87f4e9e0dd0e874bbb3b59202579dc65255294e2660c254804f5ee0cfa

SHA512
66baa5c6e14c7fd834612e7b3ea5a3aafffe7352aa79970722c2c92dfad46cfa3d2ade5a2e10c90fbac5c73eeb150da9c175f80db2da28ca91b272003576806a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff2f1a1e6461b34f6201b4f8a0e34720

SHA1
d913dc145c26fac3cc21b51d6c0229a9dda04283

SHA256
5acbd944ef66d0b3a9d89e21801526f72b9f4ced891d2fcff11b85f142e92dc2

SHA512
89889cd55f83226fb55ef6078a1acb9087387e978b585d1fd9b53553d352a4d2da3d26f22d866b520e9dc3524c9fe6be83ed318a39855f16e918d838db996fe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
490e9864c6043c45c4dc1a7ba0dc1e62

SHA1
56a3448750e91c244284f2e8f870aa6046410287

SHA256
7b4a694bb789cd5e4ef705ea8bc2f531f3f115d7f8c953c829aeb9a14d8d3293

SHA512
d77fa47caa7d0af04b381ba47a2f5bdf5b4519d98f35023dfb15e8f8cc9390afc6a69fd56030072d0a28db909fb1fd23aaa855299b240781166b50e4e6b1a069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adca2454cad5c8529b1f1dde3db776a8

SHA1
6869eaa5634f7023cb466e8aa3e3f33e766a0dc4

SHA256
918d20c613e187bb79732523d2183b50e544e9aec867b61fbc06cda49824707a

SHA512
35efe00756a35ee5ce8fa1fe3fca2f4fdf628317443a8e15cacf141ead0c2b335c83d32b6b81463b2d18ef36fcef45a5f9aea6410cfa3118ed4ae171dde4338a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8d627b082cb433108599e535087a5e6

SHA1
1ddb48b74f1e1ea9d08457f825f8410705bc9017

SHA256
982d1570b038d05a1c7db653996738b237af97cb330353fa6c95ea3d37410e2b

SHA512
8d02417283ff905eb9cfed04efdbce7928ff5a9f7cbc05e87cc5cf7be3314aa2329353d820a0fb3267c831f8f4274bb5ad6f4753054dd6dfb7f9210c4774e870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a67fc787dd4c60b350c63cf85be99468

SHA1
9922fea909a700a963d8bd6120cabc669bf1a748

SHA256
7e0fe30b12c8931e39a10cdf1af472f7498e4dd26a22fa567b018f420eb91a73

SHA512
693a2f5531c0b1118a32251362689eb19ac9e9dbb0f5c7afb3cabf2f1679b4d140db0a81d2d61d03308e3a7b0c925b634057e4e08ae84559c0e8e0979132908d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13369b5e41da547b49fc7576a4422a3b

SHA1
3d02d138e0ec23a63539f620165a23c6ca175096

SHA256
70bb6a1f86e2ce93d2b707e8f51ef8980c0cd555e397bb37103d07f6510ed668

SHA512
71a63ce2066855b9b92d722a8d3dd6af200eb64c60e795822793e159b8008211ff88bfe85fbb6046b2080e4a7c6db66f26a8dabdebaf9664a2703481b9906e6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
e97a86236277dc7ad72395d2019160a4

SHA1
a33dde9187e63c1baab4c379df8bf640452ba7ef

SHA256
9c624b3012f77ef0d260bf469f98ead1f4fda4ffafc3cff8e3e74acae9680152

SHA512
2579d695e86ecfeb10724b4c9462707a152c5ecd8c51f0e9e38b5ba566b251a591b1455f348a8a3f3c98bda1e62e633d7388577887f07e7c4b305e6860889503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
2d1053441a1f9fff227a8859603ac03f

SHA1
f4a6293e108cd75e0ba8d069509e16c6a6dd84c1

SHA256
74e8cd0b9b94a8c622dcbd68df5d6cf11eaf4424526b8832064c8c1b4929239c

SHA512
1dd41903155f3a219c88b4c40101692fe23259780584c59434e943d2650b517e240e2eb9b4b02a65a65c00a5bf6b6ab7d03673c43848a9b7ea556726dd5d8a7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
b4730f745c068216bfcab2d98235a359

SHA1
0101ecd89b192c5a98875615adb189edaf7aa5ec

SHA256
b43296a18d7c6e2265d7ca335719af5e5dd1a13cdf912ba5e1eea180558fa7ef

SHA512
03d57db717c02c21feeecb9cb9b5c2e14f5b71eec717d083ee5a3be4214e4fef8324ae7a1450ffd6d20d906dbe7082db2c07b10930b6269285b5ec212675e3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\HPFL3Q8T\www.google[1].xml

Filesize
94B

MD5
18d29fb170611772dc2fe7edee7ccb76

SHA1
fc6f361e1cd4f1b705527e4a3dd24a8fc39b4a0c

SHA256
02c75f0ebead079d17e394b82408f9d54503a7489db0b1acec2ace5c62dfafb2

SHA512
9370fa7cd39d16e23246fd5335ece4461be144a5e7e2278cd3be0d2e48b112951b7b545c1e4ac68224b043761a173bda49b727b2b4c9c5a3e587311e97c9c945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

Filesize
5KB

MD5
c64b7624a6f3e17ed514dc37efc950c9

SHA1
01b1e760844b22a50b43f759de9f375abc9fab52

SHA256
f14eba7245575689d171b46c2d6e379c2cdf888912f0b202f0dae9c33416b8c4

SHA512
f4627e55130b21fd4e0203bfefc9806a4699f7ee15544ae8c0cea6959def1b8c43a932402822236f60cf15f88edc8cf74069b6db0f59654a8f064b3a5afc9b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE1D9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEE~1\MALWAR~1\MALWAR~1\MEMZ3~1.0(1\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE1DB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE412.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
2KB

MD5
1f636d9f6a70e4492820a5a6a8bcd129

SHA1
e4dbe4346349dfb954972f3213d7d703be6f0b57

SHA256
41557b8e572b20bd5bc071a986c70b12ea687e72c7640938eec970adb9567ea2

SHA512
db448924875505f8ed6c6ffc792d4de47d3cec9448df4669b5277884c49bb5cdfa6f65da4e2c868e80594404c3cb15289c0e54bb4b2c66b8ee4346eda11f1940

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EOQA1OV8.txt

Filesize
375B

MD5
20cb91925e1b4b966f9874c5f20500a8

SHA1
3fb3ad61aa1b9afa1909c271e85c6bb4fa14d17d

SHA256
8802dd5e79545a4901105df380d44de6ae9d7699cebfd0458a1a424f31c93b5c

SHA512
524000934b640857fd1865e645acdb53a65b3ba199a2f268ecd6cdbf8c319330968f08188767a7d62e1375438a74dc3797a60c8dbf4e496f964ada57fd7c0504

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/556-150-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download