734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

2488 MEMZ.exe
2508 MEMZ.exe
2744 MEMZ.exe
2732 MEMZ.exe
1572 MEMZ.exe
1340 MEMZ.exe
628 MEMZ.exe
Loads dropped DLL 1 IoCs

Processes:

MEMZ.exe

pid process

2488 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2488	MEMZ.exe
2508	MEMZ.exe
2744	MEMZ.exe
2732	MEMZ.exe
1572	MEMZ.exe
1340	MEMZ.exe
628	MEMZ.exe

pid	process
2488	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc500000000020000000000106600000001000020000000535dbd0995e26b768f3cc477cb3be29f035f8db7515443f8d650170439e0107d000000000e800000000200002000000089834826f9c876456bde45d16fc26272e4573e60c82147239455602c6b8e8ce99000000058b4291e01769090e380a97ba7544122fdd2d5ca15a1a2a900a645bcbc4d3c95a42997ebed29c4337efbaab55407a1591798857c7486079fefd775af0846add0ac59ca1ff61c44d8f2698d0e261f960c7f07896e871a2079f76646639ee114940bccb221dde01c4dec2a602843d49424eabb24ab5aa92833c9a04a2190ca10e57f39e71ccff4c50ad5ee96edf77d888640000000852340037f93b477d9cef5e3abf2a441a44971ce382617104c8ce4fc54b9a7c05a9ff5a491c2c93b93f248249310d7b8e2753a7ca82a5e2676428859018d6098	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc5000000000200000000001066000000010000200000008cee6455c0fce1e514fdcee80ed43af5c8aec0f6512e014c1bdbcdac2a0fc135000000000e8000000002000020000000eff6395320dd1269eb2915e2c24fe5748d03c8d7a553fe9b9001dce47d76d69120000000b6ad496fc9f56f06687029eedbb493382f1fc3e7b0ff57c3c1ca89175280bf4a400000007048170843cc7295252bef6e4b2b3e16f6142dde3fdcf170ba780bc90a67f64fecd431e6acf8a9795ca949c00a6c12fe1113a7dada9e1956c10e54d03d7caf87	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e52cc55173da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416281627"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E804A221-DF44-11EE-8466-6E6327E9C5D7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

MEMZ.exe

pid process

2488 MEMZ.exe

pid	process
2488	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2732	MEMZ.exe
1340	MEMZ.exe
2732	MEMZ.exe
2508	MEMZ.exe
2744	MEMZ.exe
1572	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
1340	MEMZ.exe
2732	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
2732	MEMZ.exe
1340	MEMZ.exe
2732	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
1340	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
1340	MEMZ.exe
2732	MEMZ.exe
1572	MEMZ.exe
2732	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
1340	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
2732	MEMZ.exe
1340	MEMZ.exe
1340	MEMZ.exe
1572	MEMZ.exe
2732	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
2732	MEMZ.exe
1340	MEMZ.exe
1340	MEMZ.exe
2732	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
1340	MEMZ.exe
2732	MEMZ.exe
2732	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe
1340	MEMZ.exe
1572	MEMZ.exe
2744	MEMZ.exe
2508	MEMZ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2492	AUDIODG.EXE
Token: 33	2492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2492	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

cscript.exeiexplore.exe

pid process

1484 cscript.exe
3040 iexplore.exe

pid	process
1484	cscript.exe
3040	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
3040	iexplore.exe
3040	iexplore.exe
1824	IEXPLORE.EXE
1824	IEXPLORE.EXE
1824	IEXPLORE.EXE
1824	IEXPLORE.EXE
736	IEXPLORE.EXE
736	IEXPLORE.EXE
736	IEXPLORE.EXE
736	IEXPLORE.EXE
988	IEXPLORE.EXE
988	IEXPLORE.EXE
988	IEXPLORE.EXE
988	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1824	IEXPLORE.EXE
1824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

cmd.exeMEMZ.exeMEMZ.exeiexplore.exe

description	pid	process	target process
PID 1652 wrote to memory of 1484	1652	cmd.exe	cscript.exe
PID 1652 wrote to memory of 1484	1652	cmd.exe	cscript.exe
PID 1652 wrote to memory of 1484	1652	cmd.exe	cscript.exe
PID 1652 wrote to memory of 2488	1652	cmd.exe	MEMZ.exe
PID 1652 wrote to memory of 2488	1652	cmd.exe	MEMZ.exe
PID 1652 wrote to memory of 2488	1652	cmd.exe	MEMZ.exe
PID 1652 wrote to memory of 2488	1652	cmd.exe	MEMZ.exe
PID 2488 wrote to memory of 2508	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2508	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2508	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2508	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2732	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2732	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2732	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2732	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2744	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2744	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2744	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 2744	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 1340	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 1340	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 1340	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 1340	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 1572	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 1572	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 1572	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 1572	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 628	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 628	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 628	2488	MEMZ.exe	MEMZ.exe
PID 2488 wrote to memory of 628	2488	MEMZ.exe	MEMZ.exe
PID 628 wrote to memory of 2460	628	MEMZ.exe	notepad.exe
PID 628 wrote to memory of 2460	628	MEMZ.exe	notepad.exe
PID 628 wrote to memory of 2460	628	MEMZ.exe	notepad.exe
PID 628 wrote to memory of 2460	628	MEMZ.exe	notepad.exe
PID 628 wrote to memory of 3040	628	MEMZ.exe	iexplore.exe
PID 628 wrote to memory of 3040	628	MEMZ.exe	iexplore.exe
PID 628 wrote to memory of 3040	628	MEMZ.exe	iexplore.exe
PID 628 wrote to memory of 3040	628	MEMZ.exe	iexplore.exe
PID 3040 wrote to memory of 1824	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 1824	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 1824	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 1824	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 736	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 736	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 736	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 736	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 988	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 988	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 988	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 988	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 1328	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 1328	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 1328	3040	iexplore.exe	IEXPLORE.EXE
PID 3040 wrote to memory of 1328	3040	iexplore.exe	IEXPLORE.EXE
PID 628 wrote to memory of 2000	628	MEMZ.exe	notepad.exe
PID 628 wrote to memory of 2000	628	MEMZ.exe	notepad.exe
PID 628 wrote to memory of 2000	628	MEMZ.exe	notepad.exe
PID 628 wrote to memory of 2000	628	MEMZ.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1484
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2508
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2744
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1340
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1572
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2460
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://google.co.ck/search?q=internet+explorer+is+the+best+browser
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1824
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:472083 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:736
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:472100 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:988
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:668700 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1328
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
25815685f4efc87d1162095a54295fad

SHA1
78c369eebfa4cbd40ceda7a9fb935b1ff9568b04

SHA256
7f8831f8c3b72f6e05ba336c028530a99e7846970778d639def50eedb9d35cf4

SHA512
435c1da6733c8c59a10d1f0b51b157d0cc8647f784a1753abf89edd845d2b1535765b448da3f14b44e925c0531cf9595cd9a06939a7a749a1356ebdae3f721dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
472B

MD5
562c1305690263b343cfbabd7a401e6c

SHA1
c6a624083ccb8f1b7aba90b7c4b1e3ac66c2942c

SHA256
0f0f1c33614d42186e73e4feb4d03d3605e903c06390461d86784fc36b6789ad

SHA512
60e3060ff1172c76a85e85b09a8e9eb9c1eb918f82da83fc79cd4eb150adb4a2e02403bded0ad91643b246d587907d2b2ba6ed185ef6cb14307b51203682e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
471B

MD5
0bbb0c0a7acaae6f119c49a57aded9ad

SHA1
def2006a613312d647661ef94f6ac9d43b84202a

SHA256
da2482009e08ab5c1df8db6f2b5454e5a32becbb50e9bc9e3a23982ebd55dbc9

SHA512
7dd647c57f9c57487195c453c1bfd3500e9bf17ae68fd175d3cc2469ba718cc0369d1b0fcc11cf47513a2fb9286dbbe0dd20c47bed4037e449caee77519fcc7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
842b70bd013e9e94a1433d723cd9eee3

SHA1
9fbb9793daf6387c4d53d0647225d4d9092f0842

SHA256
fd01853ff7c78301818670ab738f455820acfe65125bd13fcf234aac06e7d900

SHA512
70ef5cb38425a92b541ffcd58acb506c2394a5a820097191048b0394b3bf36e82997fdd83cdbabb33cf3609ccc5ec1e62caa522c2e3bfe8b74f19cf3d80e9282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c24b521e33878d75c7e731769f6be009

SHA1
74671f5fae96dc7899134ac2fdd514981ac21b4f

SHA256
6978b07cdc5291053d847bb67e7528cf91fe730fe55fe2fbba3f130d7001fcd8

SHA512
d02cae7d3fed07e72711dd1f89f079e78f580100ba75af1cabb3b5a93011e27b6ef1c474cdbf2fcb1c5df7c5dac8f07e1565b64e9d7a546bdadcaba5a599843e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fba0d4c64af26f15b808f88898b7d89

SHA1
bc8deb59281d3887361655d9737425ec25ba3723

SHA256
6415be482e0572ed735d89d4df5961c1b0041077aaa62665f7b78a18dbc687b5

SHA512
eb6aeaa8f7ba693a35966ea71fe7d5bd21a17dc8242f9c6fd49a5445b3fa875ee8d952af8599ada560743c6a84a43a1515bb0c37bd2f9f018fcdccc16e583744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
497b06fe6703438ee0ebfb37096234af

SHA1
f3eaec5e800fa84444da8cbf4cac0be4fc423321

SHA256
4bd4d7220ab13cf4da77374a49f2bd5937e673249aaeab80943fcb7c70454cd3

SHA512
e6e90e1b449d9835539107fce40a106c4254b979ababef6d2e65419a04ca57210217b241dedbd2512260e0a422dc0cf88cf9fd0d833da571e025b8e8a525fc5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f362c411f0c36068651efc7b2edf6434

SHA1
50bad5f7da0515ca2392d40e22d5d68721e0a953

SHA256
ef7920b030801f9e79f930c0e0d5767592ea308f3545e4e06390f20c0274e474

SHA512
aca0d3361bb1e0cef5392b7d1d34b61e3e4dee5f5aca57dd512bcf084316171159286adab2db5c44083ec4ecc55a8c5accd9d69c5aaba7f4677148b1197bb480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76d7b385921bc17f2bb967ff2eee0b7a

SHA1
579fcdbd93e94c71a68b49d4c2f47a92729c3035

SHA256
78f83de2b4bb89121038b1fa81283a60e4e7e9ea604c45a742b8165cb6638937

SHA512
cc7a8a1e30ddd32b14c17fbd47a00bb014d8b98573ff3cf5f0b2e6975d8c2b36b3b870adf40237bff0e5cbee9cc34769e8a553e45574598f767418ff696e9837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8195655aa1b2c901036b2343700b046c

SHA1
19168948126b5a48be963abc12aba5bc084c10c5

SHA256
5ee9867926e71019b4d7c495b31acf84263fec6ceb2452dd2141bd1735ddfe59

SHA512
61f8c635ad296557929e86e1d4cbb985114e71779eef3f9ca535d405664b5dcbd22e2d2be203ad3e5075134fca093596f91f7880649bcc909d4b7129b7778065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8fec2d266adcd31c1da47d429b769f8

SHA1
bdb99db6d1685d239e1a1c29ada966849ea77320

SHA256
607bd638ac840f7ee5cebb1425d9db02239155c1c83d664a42771f2f3d3697a9

SHA512
bfeb2610f3f95865a885784e0d02a743532007d504b8dd9c9e510622e8d784dd0c9fb6ceb84892201fefafaff7718fd45523a29baa39adc44c914c6b64773eb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93b164d39b930864dbdcaf4efd949962

SHA1
af44f76cd034204c3a24160a2186a895c6f9f6fe

SHA256
eddf6d3bf1d5829a9e6e9c685d2e63f0e414a9f8407669179e268e59a3d64e53

SHA512
164259a1a87f22d461310354482c84f40b60d785348a363a17176a08744d991afba257b821a0a752cff4d0edd902c1e2d55db0ac0445fe88f1fedda8c7d61fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffa7603b658ffd82943e0011f862c2a6

SHA1
04f733f6cff6acefaaa54b87f390407706f33279

SHA256
b426e781c09df4de00ce2cd7b7d48dac3acc1326132fb236167e7733817300b5

SHA512
da74c4b1367371c638058c8db056bd393401e7e752ddacb591936f9d3102c58aae82f42ea56ce708ff0159226c1a25a0f34187bc8fedcfdb56070a804e9edaa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eadde6a33599e397e8f33fda7a7e4591

SHA1
4644b2677249d50dbe1d8b14ad257ad3c52da4b6

SHA256
5867c0a6a633aa0baaf4a0824dabc16c85e15aa336e430d6ef00286fb2ab351d

SHA512
97b5355b6bb78ae311721d15f3bf489fd3b7c5168b3f8ceee69245903f380bd3c80aa43629ebe5148e125defa482b6132bfb652539c431d7c5c2a330e3d12e27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59f42b11e3096b0582a3772d70d49296

SHA1
67445020d7f177245ad3580959fb754ef5b7d5c0

SHA256
780e1f30fbba28790121d422035b7939b63bc428bb72c4409f05ed854134e893

SHA512
f36975a9f3093404fe795c27722109ed33e4afa99b9bc0df4ceeb17fb779458bace0f286ea4e5e55e8a18b0e8ffa9bf8c3a3d0411a2947a9191a1dc926aa6238

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62fbfaafb566a6532e1c3933a1b9a155

SHA1
7eeba7620fe4baec9cbb4f4d78026f3e8ce8ba51

SHA256
a1f33a48563b4a7a4dbd2efed5aeefbfc6bb2eb8fe006449e6afc78a8697d0e8

SHA512
8c5db70cfb86f3894ad922e2da1ece5fe946793835adfe417c41f6168c4326295fe3567d0c00a7b2ec495eaf90af0501b53e477533c1c5740e6a00ffb975d6a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8F0CBD8C47BA2D164C9E6FDB222DBC71

Filesize
402B

MD5
381bfad7a3f0fff66f67177c18544ac2

SHA1
84914e44eeb17e97ccad9c17433e1edb5196ab14

SHA256
900f7709f6ad1176a40bd635cec4c16f1232d5cfc8ae074d6f9d0fb93d15855d

SHA512
34aae85bf60290f76204959a8d4fd01764067511a1f20535ea96d7ece17857ff1136096346f6c0574726307052e4c602832587ab5c7f2e9978fe940e50de3bec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
bbdf16be03bad9c68da970ba6236be37

SHA1
ee79cd5e80dff98e34dc16e4cdde8e7c1b1066a2

SHA256
2f9fd57aa7b6d6a939307583515c1988da3015c0ab7aa6069b23460aa97d2608

SHA512
4518fcfb72019f8776598bb31966a92221179dead7c4b0d352b72c5e6db19ee8e5942eca0720ddcd6692a8977beb9abef391734c43ed62bc59bb5382d8ee3b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_09B924C8A99A26A75B535D3B83388BE5

Filesize
406B

MD5
261ef361be47b6de12783807f33f14ed

SHA1
a51b51455ebd049d9cc4ddf5e7a460f1aed305d3

SHA256
82572ffa32fb33537548a38cc8b3b9a87a1d62e6678b7c725ae10d7b00b82eed

SHA512
ef87c5b752fbbde0ef589c0b92b84e92c02179df59a02fa61d4e728f1ea0d4671f09739fddf9990cc23d881ce9b9118faafd97fec973344fb976580692932680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\X3R9V1ZF\www.google[1].xml

Filesize
95B

MD5
5241dab5659368e277f2131a9f77821b

SHA1
30ca628b4ba35cd7ebad36b51befa7acb12fa57e

SHA256
fdd65a7f27846f9a6e84b02f7de90fb7486265831fa574407a95fcb06f12ce39

SHA512
b68181a4fba3286564b4bb9e065a19888be72dfc2fa17186b074268dfeb8a71b88e0c38ba3a9d9f9911097db4a6bffd3abe0626f2794cc935eb3f87d69d608d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jq7rho9\imagestore.dat

Filesize
6KB

MD5
31cc18f8fdae9f8a970e122812f95af0

SHA1
4827270d1a5868324582903ba27fa9053a371474

SHA256
1dc8649912222d3bf2d61944ed824c80c25ffc5c57ec64cbec728eb8cc60d5e0

SHA512
ecd1bfcd8e3741c6d2a47fa204f92d6586044c92f3482ecd7642c09b316609a5bb09de32c66813fc6acc8afcd0d2cca2095ad8a1e041229b360f75a452ed86cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jq7rho9\imagestore.dat

Filesize
5KB

MD5
08df04fae2978f029f779b48ebfaf08f

SHA1
8593cb17c2f4a4d51dd6cdeeda2a6a3d952c4957

SHA256
aaa8889ab53e33243249f2665494be0748c9715be9a85aecff7d8f5ced296fbe

SHA512
0a1d73f75259f57d1adbe09e9443dc5c455bff476f3caf38023b4216a1a51ea4a29618d2c5200032b1278e28b222fd64fd26287b40aa5f475444974bcfa36b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\recaptcha__en[1].js

Filesize
489KB

MD5
d52ac252287f3b65932054857f7c26a7

SHA1
940b62eae6fb008d6f15dfb7aaf6fb125dba1fec

SHA256
4c06e93049378bf0cdbbe5d3a1d0c302ac2d35faec13623ad812ee41495a2a57

SHA512
c08ff9d988aea4c318647c79ae8ca9413b6f226f0efbdab1cdd55ec04b6760812716ff27e0ee86941e8a654d39cddd56251d8392a0ac2c4c8839f27853556154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PU2MMJX7\styles__ltr[1].css

Filesize
55KB

MD5
eb4bc511f79f7a1573b45f5775b3a99b

SHA1
d910fb51ad7316aa54f055079374574698e74b35

SHA256
7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050

SHA512
ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PU2MMJX7\webworker[1].js

Filesize
102B

MD5
5734e3c2032fb7e4b757980f70c5867e

SHA1
22d3e354a89c167d3bebf6b73d6e11e550213a38

SHA256
91e9008a809223ca505257c7cb9232b7bf13e7fbf45e3f6dd2cfca538e7141eb

SHA512
1f748444532bc406964c1be8f3128c47144de38add5c78809bbcdae21bf3d26600a376df41bf91c4cd3c74a9fae598d51c76d653a23357310343c58b3b6d7739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S96XYZ9E\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S96XYZ9E\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SZ2A9SGY\TG_XdOEg3NKIdftsV7XidAgI3OvClCw0-7YgJxQ1GFY[1].js

Filesize
23KB

MD5
a364179c3816839427c4d9fdbe8ecf3b

SHA1
fd423514f4f0e614688a99571b9165b4e212119b

SHA256
4c6fd774e120dcd28875fb6c57b5e2740808dcebc2942c34fbb6202714351856

SHA512
c4e29c47bb229a293d79a1aa4b9e226ff6261b723b75e0479df367fc7eee3ac006e4993e5406f510aa35da592b525e3f6a0bf62f8671cfa576cae40a627bc45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SZ2A9SGY\api[1].js

Filesize
850B

MD5
33d99cfc94db7d1ab5149b1e677b4c85

SHA1
ffec081b0a5b325f2b124ea8804ba0de9beae98c

SHA256
0e945fe9e80b82b1ac2e714f03672ed0c439e61e489430ba46623245399fca25

SHA512
315ed3f0edae2d3057be354d7d97ab298f51e791c03cd19c46d96e0116a6757033e509d92633eafba9365d6588af2b96cce4b0088020a88eac5086d07a0b3b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SZ2A9SGY\favicon[1].ico

Filesize
1KB

MD5
ac0cd867e03ed914827807d4715bdfe7

SHA1
4051a8c23756c10d9cc00fcde6f7215c780fdf6f

SHA256
b50546da121186fbffd2aec430249cb21c7c2e2c85e561a393a9df9abfc4477c

SHA512
fa11d1d76c39719c218b4ffa34de8dd44d398bdcbb236a666f0be6eeee96bcbe4da9ac65a89441ad284c0de21788c135dc4fd21f6f82c7039f00c8a7c705c8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab55CF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEE~1\MALWAR~1\MALWAR~1\MEMZ3~1.0(1\MEMZ3~1.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar55D2.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar58D4.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
1KB

MD5
c4de51e0796742905d5e9f01e4e2bb81

SHA1
6bb13c00565aa3a66835e900e7172d4dfcbf0c8e

SHA256
25c09421128671175b97e855e9ae9a2b96199b346a82d61e12c3dfe03f52085e

SHA512
aee91ca817f46bc789cc6b7cf31ab19c16844f44f882cc5ef4b099ef55575b404fb9aac05912b30070d5cc751d0c1566f21900889ea354540fed57a9cf1fed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x

Filesize
4KB

MD5
c6e68ff1dc039af122429c3c5418630f

SHA1
771938ab02aaf6714782ea1c70420794848b1d9c

SHA256
b18e0bb23b9b78ca561b9499853ec5be84f67fcb7db5c7e207c6da1b89c17dbb

SHA512
837b8b31d381030b79a1b85449238b8770999dde21dd705aec81a0205cfc40cb2f65fb7877de479bae9ca96c1233a62078332c93db764389bd6f26985b61c9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\MEMZ 3.0 (1)\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GHVI2DO5.txt

Filesize
378B

MD5
9fc31f000042c6f516412f956e3bd388

SHA1
a3f4c681c5a98addbc6d4784444abacf4af335bc

SHA256
8fb12d4a836ae19b65d54b144ae36ed6ddf13cf06a5e956ad2dce217eae2731b

SHA512
0922ece3d6c80a41b8b8ac1270fd3702a661571113aab2f2050c7c1941bb0257d2aa51d1c08aa239b356415c0def3b7a2ff0fe5235b80ba55b03ac46f6d4d355

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1484-150-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download