3d4c345b9b6c298b218274cfe2141b2f2842b113534a557100c1671a8b7edb76

Analysis

max time kernel
50s
max time network
43s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-09-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ 3.0/MEMZ.bat
Size

12KB
MD5

13a43c26bb98449fd82d2a552877013a
SHA1

71eb7dc393ac1f204488e11f5c1eef56f1e746af
SHA256

5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
SHA512

602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
SSDEEP

384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 7 IoCs

pid	Process
660	MEMZ.exe
4916	MEMZ.exe
4996	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
3696	MEMZ.exe
4912	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7d62b48d4d01db01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5d86f98d4d01db01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "25"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\NumberOfSubdoma = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F62C1631-091A-4124-8559-B8556932C864} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3696	MEMZ.exe
3152	MEMZ.exe
3152	MEMZ.exe
3696	MEMZ.exe
4916	MEMZ.exe
4916	MEMZ.exe
3696	MEMZ.exe
4916	MEMZ.exe
3696	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4996	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
3152	MEMZ.exe
3152	MEMZ.exe
4916	MEMZ.exe
4916	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
4916	MEMZ.exe
3696	MEMZ.exe
4916	MEMZ.exe
3696	MEMZ.exe
3152	MEMZ.exe
3152	MEMZ.exe
4996	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
2808	MEMZ.exe
3152	MEMZ.exe
3152	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
4916	MEMZ.exe
4916	MEMZ.exe
4916	MEMZ.exe
4916	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
3152	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
3152	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
3696	MEMZ.exe
4916	MEMZ.exe
3696	MEMZ.exe
4916	MEMZ.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2348	MicrosoftEdgeCP.exe
2348	MicrosoftEdgeCP.exe
2348	MicrosoftEdgeCP.exe
2348	MicrosoftEdgeCP.exe
2348	MicrosoftEdgeCP.exe
2348	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	taskmgr.exe
Token: SeSystemProfilePrivilege	1412	taskmgr.exe
Token: SeCreateGlobalPrivilege	1412	taskmgr.exe
Token: SeDebugPrivilege	4888	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4888	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4888	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4888	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4628	MicrosoftEdge.exe
Token: SeDebugPrivilege	4628	MicrosoftEdge.exe
Token: SeShutdownPrivilege	4916	MEMZ.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe
1412	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4912	MEMZ.exe
4628	MicrosoftEdge.exe
2348	MicrosoftEdgeCP.exe
4888	MicrosoftEdgeCP.exe
2348	MicrosoftEdgeCP.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
2808	MEMZ.exe
4996	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
4996	MEMZ.exe
2808	MEMZ.exe
4916	MEMZ.exe
3152	MEMZ.exe
4996	MEMZ.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 3192	5044	cmd.exe	76
PID 5044 wrote to memory of 3192	5044	cmd.exe	76
PID 5044 wrote to memory of 660	5044	cmd.exe	77
PID 5044 wrote to memory of 660	5044	cmd.exe	77
PID 5044 wrote to memory of 660	5044	cmd.exe	77
PID 660 wrote to memory of 4916	660	MEMZ.exe	78
PID 660 wrote to memory of 4916	660	MEMZ.exe	78
PID 660 wrote to memory of 4916	660	MEMZ.exe	78
PID 660 wrote to memory of 4996	660	MEMZ.exe	79
PID 660 wrote to memory of 4996	660	MEMZ.exe	79
PID 660 wrote to memory of 4996	660	MEMZ.exe	79
PID 660 wrote to memory of 3152	660	MEMZ.exe	80
PID 660 wrote to memory of 3152	660	MEMZ.exe	80
PID 660 wrote to memory of 3152	660	MEMZ.exe	80
PID 660 wrote to memory of 2808	660	MEMZ.exe	81
PID 660 wrote to memory of 2808	660	MEMZ.exe	81
PID 660 wrote to memory of 2808	660	MEMZ.exe	81
PID 660 wrote to memory of 3696	660	MEMZ.exe	82
PID 660 wrote to memory of 3696	660	MEMZ.exe	82
PID 660 wrote to memory of 3696	660	MEMZ.exe	82
PID 660 wrote to memory of 4912	660	MEMZ.exe	83
PID 660 wrote to memory of 4912	660	MEMZ.exe	83
PID 660 wrote to memory of 4912	660	MEMZ.exe	83
PID 4912 wrote to memory of 4456	4912	MEMZ.exe	85
PID 4912 wrote to memory of 4456	4912	MEMZ.exe	85
PID 4912 wrote to memory of 4456	4912	MEMZ.exe	85
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93
PID 2348 wrote to memory of 2084	2348	MicrosoftEdgeCP.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\MEMZ.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  PID:3192
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4916
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4996
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3152
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3696
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:4456

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\F0CCHQWK\recaptcha__en[1].js

Filesize
537KB

MD5
c7be68088b0a823f1a4c1f77c702d1b4

SHA1
05d42d754afd21681c0e815799b88fbe1fbabf4e

SHA256
4943e91f7f53318d481ca07297395abbc52541c2be55d7276ecda152cd7ad9c3

SHA512
cb76505845e7fc0988ade0598e6ea80636713e20209e1260ee4413423b45235f57cb0a33fca7baf223e829835cb76a52244c3197e4c0c166dad9b946b9285222

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\W9Z10WT7\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\5UGBSL8A\www.google[1].xml

Filesize
99B

MD5
ebde2c6970033882b0c196e16b64d210

SHA1
3598d44e4d2d36f557f0647e4143b032729ea6dc

SHA256
ab20326021e521c2cddeadd0588534bec8cdc019d3e5065a5248086c048739af

SHA512
03c6cc71d499164de6875fe5548947f76d5aee8be23b5b355768e2b779a710f56647064c29f5cf62b834859b095dcd146fb274c9c04838604d134e7616cd27b4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\9RK01PUU\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFFDE755736CFFB265.TMP

Filesize
16KB

MD5
76d9ad7b0f97a6f4817e40c2059d2d19

SHA1
ab3a6a5f7b7b67054756522d0b81f55ebd589860

SHA256
d699f137e13063fbb1c234f09000d1f89f925826fd6c3e49a33b8c113b713bab

SHA512
f2c1634ea48e23bc2408f6366ab135e312f59246ff1f91107aa68a2e191623789732ea3473ca32e5ba43ccae4dc4b6222e863d4e34c6d71f29925e90ac37ed35

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
10KB

MD5
fc59b7d2eb1edbb9c8cb9eb08115a98e

SHA1
90a6479ce14f8548df54c434c0a524e25efd9d17

SHA256
a05b9be9dd87492f265094146e18d628744c6b09c0e7efaabf228a9f1091a279

SHA512
3392cfc0dbddb37932e76da5a49f4e010a49aaa863c882b85cccab676cd458cfc8f880d8a0e0dc7581175f447e6b0a002da1591ecd14756650bb74996eacd2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x

Filesize
4KB

MD5
b6873c6cbfc8482c7f0e2dcb77fb7f12

SHA1
844b14037e1f90973a04593785dc88dfca517673

SHA256
0a0cad82d9284ccc3c07de323b76ee2d1c0b328bd2ce59073ed5ac4eb7609bd1

SHA512
f3aa3d46d970db574113f40f489ff8a5f041606e79c4ab02301b283c66ff05732be4c5edc1cf4a851da9fbaaa2f296b97fc1135210966a0e2dfc3763398dfcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ 3.0\z.zip

Filesize
7KB

MD5
cf0c19ef6909e5c1f10c8460ba9299d8

SHA1
875b575c124acfc1a4a21c1e05acb9690e50b880

SHA256
abb834ebd4b7d7f8ddf545976818f41b3cb51d2b895038a56457616d3a2c6776

SHA512
d930a022a373c283f35d103e277487c2034a0b0814913b8f6ec695b45e20528667aa830eeab58e4483d523bd6a755a16a5379095cb137db6c91909a545a19a2f

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2084-379-0x0000026590B40000-0x0000026590B42000-memory.dmp

Filesize
8KB

Download
memory/2084-524-0x0000026DED190000-0x0000026DED1A0000-memory.dmp

Filesize
64KB

Download
memory/2084-258-0x0000026DFE0A0000-0x0000026DFE0A2000-memory.dmp

Filesize
8KB

Download
memory/2084-256-0x0000026DFDDE0000-0x0000026DFDDE2000-memory.dmp

Filesize
8KB

Download
memory/2084-254-0x0000026DFDDC0000-0x0000026DFDDC2000-memory.dmp

Filesize
8KB

Download
memory/2084-278-0x0000026DFE5B0000-0x0000026DFE5D0000-memory.dmp

Filesize
128KB

Download
memory/2084-526-0x0000026DED190000-0x0000026DED1A0000-memory.dmp

Filesize
64KB

Download
memory/2084-532-0x0000026DED190000-0x0000026DED1A0000-memory.dmp

Filesize
64KB

Download
memory/2084-252-0x0000026DED5F0000-0x0000026DED5F2000-memory.dmp

Filesize
8KB

Download
memory/2084-250-0x0000026DED5D0000-0x0000026DED5D2000-memory.dmp

Filesize
8KB

Download
memory/2084-248-0x0000026DED1F0000-0x0000026DED1F2000-memory.dmp

Filesize
8KB

Download
memory/2084-324-0x0000026DFFD00000-0x0000026DFFE00000-memory.dmp

Filesize
1024KB

Download
memory/2084-322-0x0000026DFF460000-0x0000026DFF462000-memory.dmp

Filesize
8KB

Download
memory/2084-534-0x0000026DED190000-0x0000026DED1A0000-memory.dmp

Filesize
64KB

Download
memory/2084-521-0x0000026DED190000-0x0000026DED1A0000-memory.dmp

Filesize
64KB

Download
memory/4628-214-0x000001DA3DA60000-0x000001DA3DA62000-memory.dmp

Filesize
8KB

Download
memory/4628-286-0x000001DA47470000-0x000001DA47471000-memory.dmp

Filesize
4KB

Download
memory/4628-285-0x000001DA47460000-0x000001DA47461000-memory.dmp

Filesize
4KB

Download
memory/4628-179-0x000001DA40620000-0x000001DA40630000-memory.dmp

Filesize
64KB

Download
memory/4628-195-0x000001DA40720000-0x000001DA40730000-memory.dmp

Filesize
64KB

Download
memory/4888-221-0x0000028411E80000-0x0000028411F80000-memory.dmp

Filesize
1024KB

Download