734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

1072 MEMZ.exe
1488 MEMZ.exe
940 MEMZ.exe
752 MEMZ.exe
1096 MEMZ.exe
796 MEMZ.exe
1152 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

MEMZ.exe

pid process

1072 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1072	MEMZ.exe
1488	MEMZ.exe
940	MEMZ.exe
752	MEMZ.exe
1096	MEMZ.exe
796	MEMZ.exe
1152	MEMZ.exe

pid	process
1072	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f70000000002000000000010660000000100002000000021b294fb9f638c48b5718eba957f51f8422c5aa0d40b01d8485bc50ef9871453000000000e800000000200002000000052a9748aac472d6994a42c9f6701f7b4f1631a94f56ca9780026c0b805b5365790000000039f87e96a1447ac20286594c5cbb570b3c2cca3f86499ac31066894485d3cb9912edd95d305a3bb4e3175b0331ead28496978292765cc9fc6b81089a90280f88aaf5076ce15776a7a666d7ae0e6cca422c50b18f45302b19c96dc614c087f54eb437a8105813f762c484d3058d6e6609e8e3ae48ca8297b6cd71b30c3602ad909eb87fa15178a5e890f89922ad84b5e40000000f81159e95e77a553d8aeaf620002d47cc2ff43e56b33e57c7503cd81b10fbac1045bc107c16f476c5241e8ffc4c3292dcb51754003b3fc6da6e66d7e1fa70d29	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D63F0301-DF44-11EE-8BFA-D2EFD46A7D0E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416281602"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d32fa95173da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f7000000000200000000001066000000010000200000006970e1d5aada2cf78f78eecf1405a1f5fac2247040e4d87428bb01e2381ecdc2000000000e8000000002000020000000e76b7eeaa739e3e215ff3292923a7448183b0262b87976301b404e36eeebca77200000002faf599ec728ec2e639dadc35a6bd973ef211067f019f5bf7a352dfbab0073bf4000000080c1ef55c6b025f722e736248f40f264538069c5ac603b79990d625a2353e01ce2f1af9555b1a95b43a3ce9d670483e2916ad049d7bf6283c1a374f459505925	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

1072 MEMZ.exe

pid	process
1072	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1488	MEMZ.exe
1488	MEMZ.exe
1488	MEMZ.exe
1488	MEMZ.exe
1488	MEMZ.exe
940	MEMZ.exe
940	MEMZ.exe
752	MEMZ.exe
1488	MEMZ.exe
940	MEMZ.exe
752	MEMZ.exe
1488	MEMZ.exe
940	MEMZ.exe
752	MEMZ.exe
1488	MEMZ.exe
940	MEMZ.exe
1488	MEMZ.exe
752	MEMZ.exe
940	MEMZ.exe
1488	MEMZ.exe
752	MEMZ.exe
940	MEMZ.exe
1488	MEMZ.exe
752	MEMZ.exe
940	MEMZ.exe
1096	MEMZ.exe
1488	MEMZ.exe
752	MEMZ.exe
796	MEMZ.exe
940	MEMZ.exe
1096	MEMZ.exe
752	MEMZ.exe
1488	MEMZ.exe
796	MEMZ.exe
940	MEMZ.exe
1096	MEMZ.exe
752	MEMZ.exe
1488	MEMZ.exe
796	MEMZ.exe
940	MEMZ.exe
1096	MEMZ.exe
752	MEMZ.exe
1488	MEMZ.exe
796	MEMZ.exe
940	MEMZ.exe
1096	MEMZ.exe
1488	MEMZ.exe
752	MEMZ.exe
796	MEMZ.exe
940	MEMZ.exe
1096	MEMZ.exe
1488	MEMZ.exe
796	MEMZ.exe
752	MEMZ.exe
940	MEMZ.exe
1096	MEMZ.exe
1488	MEMZ.exe
796	MEMZ.exe
752	MEMZ.exe
940	MEMZ.exe
1488	MEMZ.exe
1096	MEMZ.exe
796	MEMZ.exe
752	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

1984 mmc.exe

pid	process
1984	mmc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

mmc.exe

description	pid	process
Token: 33	1984	mmc.exe
Token: SeIncBasePriorityPrivilege	1984	mmc.exe
Token: 33	1984	mmc.exe
Token: SeIncBasePriorityPrivilege	1984	mmc.exe
Token: 33	1984	mmc.exe
Token: SeIncBasePriorityPrivilege	1984	mmc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

cscript.exeiexplore.exe

pid process

2192 cscript.exe
2904 iexplore.exe

pid	process
2192	cscript.exe
2904	iexplore.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEmmc.exemmc.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2904	iexplore.exe
2904	iexplore.exe
396	IEXPLORE.EXE
396	IEXPLORE.EXE
396	IEXPLORE.EXE
396	IEXPLORE.EXE
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2456	mmc.exe
1984	mmc.exe
1984	mmc.exe
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exemmc.exe

description	pid	process	target process
PID 2924 wrote to memory of 2192	2924	cmd.exe	cscript.exe
PID 2924 wrote to memory of 2192	2924	cmd.exe	cscript.exe
PID 2924 wrote to memory of 2192	2924	cmd.exe	cscript.exe
PID 2924 wrote to memory of 1072	2924	cmd.exe	MEMZ.exe
PID 2924 wrote to memory of 1072	2924	cmd.exe	MEMZ.exe
PID 2924 wrote to memory of 1072	2924	cmd.exe	MEMZ.exe
PID 2924 wrote to memory of 1072	2924	cmd.exe	MEMZ.exe
PID 1072 wrote to memory of 1488	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1488	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1488	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1488	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 940	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 940	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 940	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 940	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 752	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 752	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 752	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 752	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1096	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1096	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1096	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1096	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 796	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 796	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 796	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 796	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1152	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1152	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1152	1072	MEMZ.exe	MEMZ.exe
PID 1072 wrote to memory of 1152	1072	MEMZ.exe	MEMZ.exe
PID 1152 wrote to memory of 1892	1152	MEMZ.exe	notepad.exe
PID 1152 wrote to memory of 1892	1152	MEMZ.exe	notepad.exe
PID 1152 wrote to memory of 1892	1152	MEMZ.exe	notepad.exe
PID 1152 wrote to memory of 1892	1152	MEMZ.exe	notepad.exe
PID 1152 wrote to memory of 2904	1152	MEMZ.exe	iexplore.exe
PID 1152 wrote to memory of 2904	1152	MEMZ.exe	iexplore.exe
PID 1152 wrote to memory of 2904	1152	MEMZ.exe	iexplore.exe
PID 1152 wrote to memory of 2904	1152	MEMZ.exe	iexplore.exe
PID 2904 wrote to memory of 396	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 396	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 396	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 396	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2324	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2324	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2324	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2324	2904	iexplore.exe	IEXPLORE.EXE
PID 1152 wrote to memory of 2456	1152	MEMZ.exe	mmc.exe
PID 1152 wrote to memory of 2456	1152	MEMZ.exe	mmc.exe
PID 1152 wrote to memory of 2456	1152	MEMZ.exe	mmc.exe
PID 1152 wrote to memory of 2456	1152	MEMZ.exe	mmc.exe
PID 2456 wrote to memory of 1984	2456	mmc.exe	mmc.exe
PID 2456 wrote to memory of 1984	2456	mmc.exe	mmc.exe
PID 2456 wrote to memory of 1984	2456	mmc.exe	mmc.exe
PID 2456 wrote to memory of 1984	2456	mmc.exe	mmc.exe
PID 2904 wrote to memory of 2452	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2452	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2452	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2452	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 1888	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 1888	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 1888	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 1888	2904	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2192
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:940
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:752
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1096
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:796
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:1892
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:396
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:209953 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2324
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:537618 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2452
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:406579 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1888
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
25815685f4efc87d1162095a54295fad

SHA1
78c369eebfa4cbd40ceda7a9fb935b1ff9568b04

SHA256
7f8831f8c3b72f6e05ba336c028530a99e7846970778d639def50eedb9d35cf4

SHA512
435c1da6733c8c59a10d1f0b51b157d0cc8647f784a1753abf89edd845d2b1535765b448da3f14b44e925c0531cf9595cd9a06939a7a749a1356ebdae3f721dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329C03A4966B136B54FB137DCA798EB7

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
41a2adf2cf2e917d6648ce1832cd4ea2

SHA1
43d4cbe8b3e766e1ba6081101c61eaf96ae76ec3

SHA256
183469052e3c8879ac010c54846a3a24fa8362b89617cda87e38b505862b9cd7

SHA512
477f5f28f09ca808a43b5c36690f43952e6d814ce1bb1629bd25fa0bd618d3eda359785020ae67269b4baa7e5024baafbb4b1f6cc2fd17997fc0889d774f5766

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddd3600fcd6b82821a32b9c78419a480

SHA1
e87843dfb2e1fd4858c65ac6765843e24b1b21ae

SHA256
79f99dbb37dbad7cb26315e36a24abc06230419b69c27e29b00e0b16e33e0c2d

SHA512
c23a25bcf0faef48cbeadd28d6015d208c2c9f1d6631741fc1b56d9be6ea1e72f5281f81e6ccae0f9222ce45a69745903bce279cc3bed56de094b0f248974dbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c14acc8283698582caca3f79bcd26736

SHA1
fcd54cf8fac4be1b5d2c6eab94bda1af9d252a43

SHA256
507e75675aac243613c2c9c9da136124ed2eecef7ee7cebbea68152285ac50eb

SHA512
85a0f67c6d5bf62c7a24d110d506916a5219ead039899b528adb3867b5dd272efb617ec47a32040787a9d7610bc24d4eec2c70ab2d15b2dd607bea5bb33b0480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4661e2869c2c24abe90b033a892648c

SHA1
ca573247b13da3b01ca4f5ef84164be2f5f20aae

SHA256
aab39fa0106693d0beeaa6c6ee220b8c3fee5e403eb4b26fde9bec07794d451d

SHA512
67eca9661129ac9f85e6c5d6b416075993b0cc2bb5b7be37f7fadfaad37934787f7c567dc38c22dd22b806793dd91fb175f9b4b835af85287ca9193edf387f95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
820d7cd52650caa4b100a0b2c0f77f6a

SHA1
1e77b653afb8f5b63db5b620cd285860d27fce65

SHA256
08531196d3d43068d633c156b3b408b2b519a99ece4f71c14e880d129b8f7fc5

SHA512
5787a61dadd4576ffea2c5b8e9becf962773393c2b4300882846b4ccbdfbd94ea97c550bb0de77e30094d63e59861842d59ff42842dafd694376f3e0809f210f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cab78e08ef999d4d7b4992acc5df671f

SHA1
41078cb04a89cce851e7e628b561f7b2b7b10831

SHA256
fbdbcc0a81931a1cf2cb872b1b7e2a7136ea104ae87dbde1771d58ecaff7f911

SHA512
afbc46af81bd1ac41782105766265b3998da58ada74d00015b4fac71ec09772e14e79328363610fd2a7deb21f91149d451eebc0b97b7062839071f5e7f33998d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
355e17f38ef9952ea30d0fada9894f56

SHA1
5a27b2ca20d14c0ee8e2a3f328cfc73afbb84f36

SHA256
a8d4fbc83ab1a6c53e069b5f337e61d1d9791482356cce0f3a40a502f69927ad

SHA512
8b97059a4d2e9aff4c871a474771e780244695b8dccf79ce1a45e9211579c1bcc61e0e9bc199ceeb2dd632737e5cac23b9181ade03a9ef0bb036115515288bc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
903992a96b369cdaac5ff4acc929ab64

SHA1
f8589e76475ff9b438e711dc815c8c836d2fdfe3

SHA256
38309cb983432750ebf993b3c93db326da10453ccacef9a1b695046e0a99989e

SHA512
1862e3a93775600b8dc057189e5887bc838680117be2320b7cfde4ad5f75fa14cb9dcae9d69c6380562e03a8c0d8facdd2b0dcf5a26f2d480503c5c88007cda4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc5a898e1abe98c4d79777ee6f2743fb

SHA1
0a1be7c0d5e1a7f5bee105c8476af58216949ab9

SHA256
76eaa4af7f8a4d24e104593f6d0284057a9828f55e90bdc47564a6f4a9fa1e1f

SHA512
d0f1fb33c43b0636fa4dd95a26161dec10aadca2b8f66d40b59d4bc5ebd663c588e330da0f3d7ebe37f768daf4fb51e52f61a48822f88808074ee7f0c24ad178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d000c5744f416df3a36fcddbca51985

SHA1
a6391a883807cde47fd92e5632b850099d4979c8

SHA256
545c8681319754aaa680ab55a396b1e5f83755932f359b18ad67071c82852c1c

SHA512
ecbb69273f530115982113976258071176662ceadf022e9feb3f20c4d94d8ccc528b0c505fd534c7199d7ee07bbdd2486d035ecee9cbbe67b4150a6056750980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c207be9ed6d3808617795025f53a625e

SHA1
8c25ca426f427ce33edfc6af817d0e2bc1b33480

SHA256
f8c70d495345cacaa649f16d2185743e4cd6ce3ef5586cc54f419a9b65d1c6f6

SHA512
76dc33cb00c4db1a82bd99a8abc0b54d97b4faea83980aa14722623db97b9951ba6fcd3ff08dab0c8c6c527a53914749fa29f91cdf0943b76b9ab91a1e54370d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
182381446fdac7b9b511f940f976f081

SHA1
bd03b90cc3f58385b2943d0514913f1ed3dfedf2

SHA256
66b32a5ebd11b0e9fa1cc39bda9b0e22748769245627c7a482e903e996c8291a

SHA512
faa0e29914c68af4b9b47dc93621888128bd4ed5854f5ef5aa49c327680134cdf8ab036c5d1c13ca810ebc464120e215f992d304ee363b07d8e9fb1f3ed0a32d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a73fef842938c60eb3ac0f4928da8253

SHA1
813012dd726076e3bc980b5bcc243e876abc3c23

SHA256
096b66cf02c3ebdbb17f1156d1a2561911a725052784a2ef9438a74c772b2040

SHA512
347e23f7b3b8b4f5e00b8365a40892ccf725c23bc04a6e3273e935b46c7311f65a53b2c8bb82c28d48b1ebdb91d5efb49b8638385fd67d4c29195968688247ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b7fb64b95fa66983e2193179a01a981

SHA1
a4e1d9cdbe468836df6b5816234b03ec06ffce17

SHA256
d0084f4d6452cf0a0cb2d4dd85b4f6ab676062cb4601ce06e005a4e141baaab3

SHA512
9fd0d68522bfbef3b842f906ac2753ce998c1863b82180cef4b3d7e48803a571a2ffbb25dec615b76b95584982d222013e1100c16cb7ad8356dbde224b6daf38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c19e40bf91c5c86869855cb93896ff8

SHA1
d3dc6e0779b75225b3abd9235b680fc26501e6b4

SHA256
381e985579d0a57754be5e8b7216384f3e81b7f16e1fa75383ad7336fd6bfa13

SHA512
faa4ab9e3c9570c1cabf2a2870bef6b80fc735623e2b9bcc32ce6d6d38990129dd6cbdf68c65bc340a4d3ad91689e2a678f574160409fb1461394e410344456d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7db3517815873cd7f9345449078bacf2

SHA1
fe5172083a4f38c770028376e7ec75e8b83a11c5

SHA256
7714f0d3f87e798a020e65d56d0f7b90ec51d0e08d5264550acee3c055edcb3e

SHA512
2bd5636f22e5782a5ddc0a65db6a36f574f519795c1754345ae844c6cb92ee1d5472c0dd9a04302a2cf1d5bcd3d2e0f2f89d92a682cdc30095c07692df9f7730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a86db830f049e2a336af1d1b42a23b95

SHA1
870e09b054e45918899efc9dc8ba6cc76d16c7b8

SHA256
40a3351fd320c7276a8b3c1db107f6363d599ffade6367dfd67f79838593e378

SHA512
7e0a8980fba1fed292ac92490cbab38edb19c6c83e310ccc1b08faba57539de77b4db3b88bf2314671141775850ed4543377505515ece528634d257cc138aa45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0738c05df6ab0674556fe9c998d1618c

SHA1
58b55679b0430eccef0d6edf9320b2953c98ecce

SHA256
402688ab2d2b86e16686f724c69ff97276cacd733a1ba5735a84e8f7f8aa9dc7

SHA512
5cbc560ec81e837974128e33883716de27d1e45f9d87f59d66d2e35725293af926dd6bcde29c30af5add8b9e805c0acfc695ac5fc10fe07f89e4e28960d63bfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
badc1250e6a7844d2a0226277476762e

SHA1
d746bc6326520f811b18f7047227835b2397d8d2

SHA256
10881cf906ebf6b7135c09ac3cc9a2653b00d97492653523007751cf6a3526fc

SHA512
42d268bd4b181e7c071c1093dc6272424091ff16b6bb04c6bb014c29cb4f6ed6ce06e4ce679aebd921848a481ec6b6661cea12c9a5657984a9bda60d1e29b2ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7ca3b454fc9cba27e7c0ee3925a5ce1

SHA1
679efdc9470ea17720e40ab8bc90c6d34e284e00

SHA256
ac1eeb5e494627e34044180800bd166545a11a6629eea4dd27a3b19ecafb5bda

SHA512
2d3e8d455fe78d050c908caf0907ffc13a8ad3842d96bc8cd47884a0ae362f498d2afda7bfeeab78507d8340291328ed4087a1b6f59d73303cd07ef36d2ca630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90be02edbe16f254f8a9071b19571ce1

SHA1
a4599452be56d6856904bb912d674d3dcf84cdeb

SHA256
554353acceff91bbb3b5c9518b91680dd3825c2623d61180f3814962057be2a9

SHA512
1352569de3b3ef77726ed22173143f8dc1f50e038f981f397fd3cf97ed7402e612746f922c85f606b2d6d755cd1139986abeef5e46eb64bf4a799d02c45789d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d8bb899ea22735dc1b155cc12018438

SHA1
75053c6b9697ba48f2d5df08d3592364f52edc06

SHA256
759bbaa291f7b4f29949202747899f5d29d19f24c2ac3e45ca40fc7c33adba17

SHA512
5f8a3c5e5ca7a2f601d1eea0ecf3d25fd213760dd46dda7add32b47814f637081ae7df00483745a52e76697cb5ce1faa682e52aab37d77f6e69c8cbb951404de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd6b465f2d70a30785c4d16ae87a7cc6

SHA1
9a601eff75dc9248f3b3916077651e3e2e7abd9d

SHA256
b66057f9d3803378b018eeed036e6b79fc98babba8ddcc24cd813f5034336061

SHA512
726cf0b4797ba4a822611b46ba3bb9f4e554132f9bfec638b7ceccac24f350193b0211aa262c178c23fb30460b1a94dc765f2001b8c2e4847a86f3f3ed1c3d55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8ae162083c15042351c3214fb9495a6

SHA1
810ac3a87ede6532a6a9de7674cfc680c8dee0ac

SHA256
6a674c9e8bf0bd3bd26e9ade6e4d3f6df07c76862d8719e4bd55f68896a88b52

SHA512
477a687e5b684369e611083ce060ad929d0adb7fcca7eba492841678c5adb33c078ef4c1dee40d05a785df3d140171dc81cbdd0eee26b495da4988b93c084a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
548e1b7defa69b63f71c5acc6b47e865

SHA1
f1e95a79c4954e1ea48724945ef1d4b18663fb8f

SHA256
d401b088e970e620a92b4aa815786e3011f79e0b0132696e731832e4aa1e79f0

SHA512
34d152dd4457a7a2bc988ac9ea0b15d765536a8fbd3e7788e07d9966548ccdeb5e398b764e55a92e9814e10c60568403b4627dcb5c6c791b4e184006d2f09367

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
980707630e8705807a7df29e3c18a911

SHA1
b195e19140dee3c097bd04473c54f436804de4af

SHA256
7856301dd19e78f8e600e7b7d62e75d1ddd50cf4bb53013a54e57aeb79787cff

SHA512
4a8b1786ca738d6aed873edad16b499b7a1a5ebc1a6637853c1c405971bc63a53fa230a83a84115a2b194f0e9cd67870bd52d7942fe0592944c564af842ca973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
38ad6ead6eaf4d4e004fd7e2296f393d

SHA1
9d680f2768387b72095355f7d001b3a9511e642c

SHA256
65b8bacb3eca865613de6c8ac227e9fb31ae3c7ec012e67e71e44c29fd28c7bf

SHA512
6083b25f744c08e912590796dbd82a5b860a0e166b67e7ae9f4479bb0057a527f5ef53bb42491c141da1895bd6eb42da5397be8fb394ec39d57053cf328b5560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
c4e0a1c39d1851e96007e9a8bbc75653

SHA1
d2d653193faf237a6478b6571bcdee35a530947c

SHA256
8d2b0ce2e2408e8bc4a94881ca83c967a78bf43c61839e5ec4c3464e0842ea47

SHA512
6642305f273408cc49ab3ae708460a2fa29de0765f63c19a3f00042aed05913104d3868685c54e0d1cf5692e35331a4ce74530d631e98c8cd0dee1f6a5f2964f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
c981d64f27adf4719b6dba9a0409ca61

SHA1
327b564edf75dd72f8b33394f5480f98a0f1d39c

SHA256
c6f3d612b3035431b61037f21f66bc4f3fe9cc0983bb2c313e76cd54283755bc

SHA512
4b1d1bf30641292569caf748bb27190187498eb8aa45e99034281e0d6ffa63dc960742d46b2033ccaa96b1193c0e44da42b5d86956702fed62ffc74bae284134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0SSNYS9H\www.google[1].xml

Filesize
95B

MD5
0f4f4a5d7ef33c61bec699f1d1054682

SHA1
259834b93e64585f8c3d92c7c7a59c26cedd2398

SHA256
1856cbf890f915ff223bfe82a2c95c847a902625f36a393e0b45d51d8bb1f35a

SHA512
5b45cb91010e5b19463b59e50c0e897fec85670e6b73a9e71aa719defacca78546df73b600f48f8afb264698d90a25fbd607483d6d2c4755b0c586db09166b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jqfjk0y\imagestore.dat

Filesize
5KB

MD5
a0971e94c2ecbcf85fd7186e4158ea17

SHA1
80fa7ff26cd3147cb891fadc582de02b8d08d63b

SHA256
8160ec54cb7535bd8b4bd7434c749911e5f1f8177921cc773294dfbde0221f2d

SHA512
1087a81ab6747424086ca00aec0ed03c6646e3236e2ca83a46555e7d03e71e9987978ba710f080d19e1ddf871f6a6e041c811499dd3be2432ebbb17d804c5b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD3NDTTD\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD3NDTTD\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD3NDTTD\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD3NDTTD\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD3NDTTD\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD3NDTTD\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IKDEMF4Q\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXAFS242\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXAFS242\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4VLHPRO\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE419.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
62776aa746c8fce4ce9927006a8d89a5

SHA1
f381c276632f96b06bdb39247d164010bfc66041

SHA256
fa3efaa955921a3471aee42814af2b0a95597d020a57ee6298d740392a45158f

SHA512
68cb64f072f3af6d7ecb320967e8182d986df522b464e9136aac99515f43f2daf58358d28edfa3c8207dbaf533d8a8d5421a90fdc19411510ed75033ac337553

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5A6.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EQM3K9X6.txt

Filesize
377B

MD5
07b865ff28d07d639ed47028c27a7c41

SHA1
391ff7067644e5505e49a8b9570b2c109d416a07

SHA256
a0c61fdd6b599c0849f06f0003739c746e87498064ff76236a8f156357d3a725

SHA512
e947ee707366aaea89aac564d0e7b3725d3e57891eaa7aabdf89c3a92986a3bdca827044181fdcae4568a607988c4f2001ead247460fabd735d169fea89b57e3

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1984-774-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2192-150-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download