2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c

Resubmissions

13-02-2025 01:26

250213-btppra1pcz 10

17-01-2025 20:14

17-01-2025 20:12

17-01-2025 17:25

17-01-2025 17:21

17-01-2025 14:16

17-01-2025 14:12

16-01-2025 12:52

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-1-master/MEMZ-Destructive.bat
Size

13KB
MD5

4e2a7f369378a76d1df4d8c448f712af
SHA1

1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
SHA256

5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
SHA512

90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
SSDEEP

192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3

Score

7^/10

bootkit discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2916	MEMZ.exe
2244	MEMZ.exe
1628	MEMZ.exe
1936	MEMZ.exe
940	MEMZ.exe
1132	MEMZ.exe
1020	MEMZ.exe

Loads dropped DLL 1 IoCs

pid	Process
2916	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b300aa0469db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA4F6E41-D4F7-11EF-88C4-7A9F8CACAEA3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c6cd204d92e1ff4db532eb9229d52db5000000000200000000001066000000010000200000009f3c44ed9d80183a1fe99f7d94afa05b14507f7a1f859931e87e11f23677ec82000000000e800000000200002000000089d93cf1e442b1f11d9646c878d0da73727bd0394af3afe06b79d69f31ab2f31200000001aebf7908f490ba7c55e3ac6abe91015b790956b71924a33ccbf1e666625657b40000000fe87539b8ccd39e4635e6eab1b8ace6a4467e980a7e7935f5bfee77da364eb5f08108323c74dfb1e6c8176972f0484d58c330154b145f9f8339537c24d12fa0e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c6cd204d92e1ff4db532eb9229d52db500000000020000000000106600000001000020000000bfe667681363a85014f4fb65a239f329224cb07f265560225519ef541e2a99c7000000000e8000000002000020000000ea11a19110287267cf7bd29e68c7c690e862dc925b62ff08851dff4fc1dddbff9000000083357235b68344ea872ae2025e9401e52a0d39f6647b482d85ecef7c08c5cdcba8b946057d29873ad424b83e5e1d7437cf933ca2cdc5bd7e3ac5d40d3feb0f5a789b9fccfed42b53f349d46757d457acb1062f286c8297397c020c8690b4a7416278bf0f01149e1083736551fe320c062ed57fcf882705f2bf52f60b5578f97e3f9c985a95172678c75ee29caae80757400000006b6d9a8956e1e6a11344d34e17037ee9adc0e094afb954765e5b57d69bb6d1689ea20d91adbf43f0616d1053d97a5c7e1b810ac444073c6295d82f9cb40daaa9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Runs regedit.exe 1 IoCs

pid	Process
944	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2916	MEMZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	MEMZ.exe
940	MEMZ.exe
1936	MEMZ.exe
1132	MEMZ.exe
1628	MEMZ.exe
1132	MEMZ.exe
940	MEMZ.exe
2244	MEMZ.exe
1936	MEMZ.exe
1628	MEMZ.exe
1132	MEMZ.exe
1628	MEMZ.exe
2244	MEMZ.exe
1936	MEMZ.exe
940	MEMZ.exe
1132	MEMZ.exe
2244	MEMZ.exe
940	MEMZ.exe
1628	MEMZ.exe
1936	MEMZ.exe
1132	MEMZ.exe
940	MEMZ.exe
1628	MEMZ.exe
2244	MEMZ.exe
1936	MEMZ.exe
2244	MEMZ.exe
940	MEMZ.exe
1628	MEMZ.exe
1132	MEMZ.exe
1936	MEMZ.exe
1936	MEMZ.exe
1132	MEMZ.exe
1628	MEMZ.exe
2244	MEMZ.exe
940	MEMZ.exe
2244	MEMZ.exe
1132	MEMZ.exe
1936	MEMZ.exe
940	MEMZ.exe
1628	MEMZ.exe
1132	MEMZ.exe
940	MEMZ.exe
1936	MEMZ.exe
2244	MEMZ.exe
1628	MEMZ.exe
940	MEMZ.exe
2244	MEMZ.exe
1936	MEMZ.exe
1132	MEMZ.exe
1628	MEMZ.exe
1132	MEMZ.exe
1628	MEMZ.exe
940	MEMZ.exe
1936	MEMZ.exe
2244	MEMZ.exe
1132	MEMZ.exe
940	MEMZ.exe
2244	MEMZ.exe
1628	MEMZ.exe
1936	MEMZ.exe
2244	MEMZ.exe
1132	MEMZ.exe
940	MEMZ.exe
1936	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
944	regedit.exe
2500	mmc.exe
1732	mmc.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1732	mmc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	2500	mmc.exe
Token: SeIncBasePriorityPrivilege	2500	mmc.exe
Token: 33	2500	mmc.exe
Token: SeIncBasePriorityPrivilege	2500	mmc.exe
Token: 33	1732	mmc.exe
Token: SeIncBasePriorityPrivilege	1732	mmc.exe
Token: 33	1732	mmc.exe
Token: SeIncBasePriorityPrivilege	1732	mmc.exe
Token: 33	2552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2552	AUDIODG.EXE
Token: 33	2552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2552	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
620	cscript.exe
540	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2380	mmc.exe
2500	mmc.exe
2500	mmc.exe
1964	mmc.exe
1732	mmc.exe
1732	mmc.exe
540	iexplore.exe
540	iexplore.exe
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 620	2848	cmd.exe	32
PID 2848 wrote to memory of 620	2848	cmd.exe	32
PID 2848 wrote to memory of 620	2848	cmd.exe	32
PID 2848 wrote to memory of 2916	2848	cmd.exe	33
PID 2848 wrote to memory of 2916	2848	cmd.exe	33
PID 2848 wrote to memory of 2916	2848	cmd.exe	33
PID 2848 wrote to memory of 2916	2848	cmd.exe	33
PID 2916 wrote to memory of 2244	2916	MEMZ.exe	34
PID 2916 wrote to memory of 2244	2916	MEMZ.exe	34
PID 2916 wrote to memory of 2244	2916	MEMZ.exe	34
PID 2916 wrote to memory of 2244	2916	MEMZ.exe	34
PID 2916 wrote to memory of 1628	2916	MEMZ.exe	35
PID 2916 wrote to memory of 1628	2916	MEMZ.exe	35
PID 2916 wrote to memory of 1628	2916	MEMZ.exe	35
PID 2916 wrote to memory of 1628	2916	MEMZ.exe	35
PID 2916 wrote to memory of 940	2916	MEMZ.exe	36
PID 2916 wrote to memory of 940	2916	MEMZ.exe	36
PID 2916 wrote to memory of 940	2916	MEMZ.exe	36
PID 2916 wrote to memory of 940	2916	MEMZ.exe	36
PID 2916 wrote to memory of 1936	2916	MEMZ.exe	37
PID 2916 wrote to memory of 1936	2916	MEMZ.exe	37
PID 2916 wrote to memory of 1936	2916	MEMZ.exe	37
PID 2916 wrote to memory of 1936	2916	MEMZ.exe	37
PID 2916 wrote to memory of 1132	2916	MEMZ.exe	38
PID 2916 wrote to memory of 1132	2916	MEMZ.exe	38
PID 2916 wrote to memory of 1132	2916	MEMZ.exe	38
PID 2916 wrote to memory of 1132	2916	MEMZ.exe	38
PID 2916 wrote to memory of 1020	2916	MEMZ.exe	39
PID 2916 wrote to memory of 1020	2916	MEMZ.exe	39
PID 2916 wrote to memory of 1020	2916	MEMZ.exe	39
PID 2916 wrote to memory of 1020	2916	MEMZ.exe	39
PID 1020 wrote to memory of 664	1020	MEMZ.exe	40
PID 1020 wrote to memory of 664	1020	MEMZ.exe	40
PID 1020 wrote to memory of 664	1020	MEMZ.exe	40
PID 1020 wrote to memory of 664	1020	MEMZ.exe	40
PID 1020 wrote to memory of 944	1020	MEMZ.exe	41
PID 1020 wrote to memory of 944	1020	MEMZ.exe	41
PID 1020 wrote to memory of 944	1020	MEMZ.exe	41
PID 1020 wrote to memory of 944	1020	MEMZ.exe	41
PID 1020 wrote to memory of 2380	1020	MEMZ.exe	42
PID 1020 wrote to memory of 2380	1020	MEMZ.exe	42
PID 1020 wrote to memory of 2380	1020	MEMZ.exe	42
PID 1020 wrote to memory of 2380	1020	MEMZ.exe	42
PID 2380 wrote to memory of 2500	2380	mmc.exe	43
PID 2380 wrote to memory of 2500	2380	mmc.exe	43
PID 2380 wrote to memory of 2500	2380	mmc.exe	43
PID 2380 wrote to memory of 2500	2380	mmc.exe	43
PID 1020 wrote to memory of 1964	1020	MEMZ.exe	45
PID 1020 wrote to memory of 1964	1020	MEMZ.exe	45
PID 1020 wrote to memory of 1964	1020	MEMZ.exe	45
PID 1020 wrote to memory of 1964	1020	MEMZ.exe	45
PID 1964 wrote to memory of 1732	1964	mmc.exe	46
PID 1964 wrote to memory of 1732	1964	mmc.exe	46
PID 1964 wrote to memory of 1732	1964	mmc.exe	46
PID 1964 wrote to memory of 1732	1964	mmc.exe	46
PID 1020 wrote to memory of 540	1020	MEMZ.exe	47
PID 1020 wrote to memory of 540	1020	MEMZ.exe	47
PID 1020 wrote to memory of 540	1020	MEMZ.exe	47
PID 1020 wrote to memory of 540	1020	MEMZ.exe	47
PID 540 wrote to memory of 2332	540	iexplore.exe	48
PID 540 wrote to memory of 2332	540	iexplore.exe	48
PID 540 wrote to memory of 2332	540	iexplore.exe	48
PID 540 wrote to memory of 2332	540	iexplore.exe	48
PID 540 wrote to memory of 1992	540	iexplore.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\MEMZ-Destructive.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:620
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:940
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1936
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1132
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:664
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Runs regedit.exe
      Suspicious behavior: GetForegroundWindowSpam
      PID:944
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2500
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1732
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=is+illuminati+real
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2332
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:275478 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
273ff677888fa82c7b7de7cd7cd1afb6

SHA1
796192d452b8044349c604adc3576423b2c21004

SHA256
510338dc2cd22605d968c4fe02b4f82e036be4c784f57e312067bffef1842fd3

SHA512
5d7a08ba6cbf2a88c806427c6d0fe4c678aa2bf921a4f752bd029cde945397d86bd08f6074c39a7072dbcabe44f1b8d66cd076861324a4e4623bab72fa718671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
472B

MD5
766dcbceceb99c1bb9b3ee02d18187eb

SHA1
50e38eaacc2a4a533f1aeb0affc076a24ef030af

SHA256
83f771647dd16e667cf88e34a69765c0974fec2c1dcdc9a1ed19bdb95fbc82e7

SHA512
3a6ed996e75f6c535605c6ea0bb18345033f1c38e143931370639f7592dfc67574c005bc8a680630d2b91f821593242fecfc020b0068585077d70e663936d027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
9807d2f0192c75139e63519117243fa5

SHA1
ca5afe09c99235644bef688b02d244f2a345d6f2

SHA256
f369a176865ec1da6240f9ad24b31e821c8c2ff340fd22ab59226d74b33ed8ed

SHA512
ea157aa5f2024bb673f384d9b255ed002abda23740c099d59a0ab50da70f66bdd7ed1fa380e34d8e3538ed925b930ee0a628ad1c2c633e79698e939d9c8bc9a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
9a14f9a2d3ac096dc82de331e688ff58

SHA1
b6f82f61886331e688c4974f3c2b84311bf25dba

SHA256
6525b3b8e2148794c107eb5ee0270c22f89f1ab98594dbde03f1c08c756f7401

SHA512
858369ac68dda914bea1d9cb855bd6b5a794066cb31cf13e9c4e9cb77102010559a42e8069cd6d3edbc3fa8b2674561b564af231dce44b2e86793800275b5cad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_EB153A79B5AB80C6592F798A4A3667A5

Filesize
398B

MD5
981f4227aed3c8dd343eaebf6c3249ad

SHA1
a9cc87f096ec6944448e8f5f4e8b6ddd6782b363

SHA256
06ced93a474f0c53f313e4068f14934cacb12e63b328cb0ae6dc2dc22b627d14

SHA512
425e4bfa5b2ab958b30595b238263ecf1b46a9f209dbff039a863ad60f8ddde0131ea3cd6b506c76849b2e257ccb2edee03459c09fef58efb8b00fbee07ff090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ebbb4204499fec0bb9f2e501dcf6f32

SHA1
8764ca91df1cae1102ee46d2021f0e581bceb34e

SHA256
dfa2f8b95d65965efb18d7578ccc5dbdddef817e325cdb9ffcfdadf1c3544fe0

SHA512
605a384f0707552f3d2befe864a6e2ba55c41d810ffcf88ac89c387de4da79aaf0800fe8c50bc5657c43c6ec0c3bdd2936ba279cee21a656d5c1d538925da9b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
606b0cffe10a2371b6fd75eb292c0e34

SHA1
a915d79f689434183bfb2e03344503d1a27c3099

SHA256
c8ff3ee09a521872f0cec30231d5fcfa17a52c761ce6afa1e24d7dfe99eebe15

SHA512
691fc2fc575f701a3c91a1b6afa65f54ec9f308ad4e42fba4c984540e0787414c2a52402079c0792667441fad8d12747118199d33b666730ba870f708e365d01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b29283cda7d93e6ad35d5d887805a3d

SHA1
3333f5635efc8278af74a51205dba724b459478f

SHA256
818c675aa7a2b060db147b851d9f2e9476c779c89cbfbf09f92f150e0a5e716b

SHA512
83f12908ce9e4263fc2326ea34d3f47261a3997435eebaff5b0e0c54722892aba0fb3e49af3fdfdf75d9a9acf607aa569f64a417ef900bfcc4eaa1fcafde634e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc09b55c757c53c4fd899b2ea19c38c1

SHA1
7bebe58e50fbcdbb39e43402d0c00acf9cb7d190

SHA256
a34c0ea1172d8de6f13310be4054cd7788865c9ccc05dc94a44c5cf7fbf43ed2

SHA512
b38319c9c06322fd80dd7c48fd6ac12064ec81c5f7f937750e21ceb717c332fd1ad3be1944d9357a6432e467ba4bbd631f3dbd8112ce87d8398358ea91e0d64f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
796d7f9cbde1377cc14fbeaea9fc92e7

SHA1
b751c0ba4d61f37dcaeb8f02fcf7e2e4eb64612c

SHA256
731d9b2f1421a35a9a63bdd497fffc38cc30bbb8fa1037b1a7ad1616b76c3e91

SHA512
81b7bca9f15228a2c1cbe9eff763d40e5ae39b7d41570bf40e2391c9f7fc5f05ed653a2aab70adefabd3bde6572d0305939a5c52cbb62cb56a941e3a22c5c2ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a94b32e0379b6a50cb910eb71ba5311c

SHA1
282fd948bcf96d79926f24115844c333ce82bfff

SHA256
696839ae70cc99926c3d981d8396367db2d4f203fd17653c88e9e95128529a61

SHA512
1ffa23df782ebe96b73114ee8ae1b966ea3774e7d0e7e9b59e89983bbf301a7161920748ebcbdfed3419701cf02bd878fe7c5408775c70af65305276b0db970c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
361fa5f4ca74f7b62cf6bf9d47c6842c

SHA1
1c5cd7d61b6cb46851165b502e2392054dbc24fa

SHA256
efa905a17bbf4ed1fb73bd8154bc4540669b28eccbba9957606464069a7e6296

SHA512
9311a283c457c045dea49a5a76001450e8e412a189e559dc0e3b756f8ed9666677d0e6b2250fc0a2bea94abf3ca4881167bd155be1a01592bdac283a44b28393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3593b2f48c1fa0ef41871eb881be297b

SHA1
7cbb90c14a42b3c6652027b90f3268138623a1f4

SHA256
39503d964af43cc4cd128599157b0f702ed253731e05026dd064e8c26d4f83d4

SHA512
05f14a89f1d026c1b06589131032582d8cd85481c0dfa334cc19386d9060745be0cb0abfe0e5e9d303fedf932119274eea268233ca46e8604b9a73080e09a811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2e1c84d344c3e6bfdc6f10112fb14a9

SHA1
5f5179e56248d1b403d1e4a3a0c2599761ee1c51

SHA256
ae14b36af5b04a47ebd15115059888b9ca1245eff148b6b7a3cb3e277d331e59

SHA512
25bd5288f7367c8b268ad9129f32056cbb5fbd55cd2538c36f6868f1d3bf4b5cf63095e091087e4946c406059fc51efa18d132cae52b17e1ede610d76f60307f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ULXWXT93\www.google[1].xml

Filesize
99B

MD5
d510a954d7219b6a53c16f275c67537d

SHA1
93bc99ee43ad89e087084baf29d9e5e2d1755495

SHA256
07276af873203324265811d736a6332803959da80e0b185a0757853c434ad4d6

SHA512
b0c648c91e48a8e7e8b72b6b46944db059ec5f939e6689b17d6f65fb431916dbb977e6ca01796650d0154bd21ce1a93716d3b0fff4a2a703dbcc9f74ea7ccfdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
5KB

MD5
8f89044e7cf71e1370f9e112f2fdd105

SHA1
c5ff677e59fac1d12b9420d0d37caab09015faff

SHA256
0c1a207d1311afe55392c9368fcea65538e1a0a0fdb52be74769e1c753e82bad

SHA512
d023da2bb8b0dde8265e1255fde7678542d3985482c5dac595a80fb4d3c5ee49da9489a69786c2ac28a73e0b6c9059cbf052770670e4b514703c94eaa1934d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\webworker[1].js

Filesize
102B

MD5
dcf0dd9e2a4c0015bd80ce993ac84ff1

SHA1
6c4eda6061f7a7b9e05f439540fa26c261996fbe

SHA256
73943cf1ab8eff323e097bee9c52083255ee6e53b9abbeb193aa09fce212fa24

SHA512
f2d0a9e79d038ae1d00e6f4c08c3cf41af3e81ea8955e73052f89c4370027ba795080c867019497842a337f049d0112d8dd6c3f1bf5db8659d5f8428023128e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\styles__ltr[1].css

Filesize
76KB

MD5
a9a4c0df287886862263d8af0a6e096e

SHA1
4aeb13637cff035bb7cc47aaa42d61f306e0e474

SHA256
ad68a177a2d52e736095a6b7431fbfca3f840d66a1ea67090b55c5f90722b067

SHA512
a9605e4b740e3841366ecfb2ee8b44469057009279d8bd6b6455af13bd5863dc130a65c740b465e20e060a3cae4d74ef7b4da860ed144b89131c5406bf12cbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\api[1].js

Filesize
870B

MD5
9a90c06ffab392f11cda0b80188775a8

SHA1
395386715f54948ab58be5ad918b494b1ab86156

SHA256
ef7a5d110fd5a78289d4f71807784696ef0625efca97453caa6f3051e74a4c6b

SHA512
e40292115e00e2e652be3de796da6e860f99901d58adbd543edcc281e80fbee45ba35cb6b436cd5f7bd654eee8ce722a8f5fc41c6a40478f77bd2d6fb44f5780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\xvnkv013T9iQERax3LRLfLP-YGjo9lA-elXqPIIu0pM[1].js

Filesize
25KB

MD5
d735f7826775631410df2363ec8ea7fb

SHA1
72622ae88b15219ad1b00c72b48e13b2dd10e6ec

SHA256
c6f9e4bf4d774fd8901116b1dcb44b7cb3fe6068e8f6503e7a55ea3c822ed293

SHA512
b4fda11a5e56e7d1344a38bcd0d086b366258c751f18de79147e763f848cb4fbc76720b211913be2d25163a77bd505d918780a7dc089e976069d12a68701db2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\recaptcha__en[1].js

Filesize
545KB

MD5
1f233ff2deeaaacc3c11614068d6f46d

SHA1
6ab5f0fb0ada1228ef529e3d48961c36fbc21424

SHA256
dc987654372c681461a1ab9e9835fc0006367829e3f0cdccee51081109d7868f

SHA512
a44c564ba2ff696762dd9a9f05f38dbb839a594989bcae5c402222ae6d9a17a29942c99df9c473f043e928f98bdabb62299bb192613c72d5d5b3efde7dd36c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC69C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MALWAR~1\z.zip

Filesize
8KB

MD5
63ee4412b95d7ad64c54b4ba673470a7

SHA1
1cf423c6c2c6299e68e1927305a3057af9b3ce06

SHA256
44c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268

SHA512
7ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
11KB

MD5
1882f3dd051e401349f1af58d55b0a37

SHA1
6b0875f9e3164f3a9f21c1ec36748a7243515b47

SHA256
3c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0

SHA512
fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
1KB

MD5
fadc915ee9da82445439eead685af76d

SHA1
05ba94fe7353702d08082f71d551f4de3f81093e

SHA256
ebf1d05c8996abee44608f853d170e912e05db1aed3447edbd65b5a3d4099773

SHA512
63eb75722c28dfd4397b9596e4bdbf17566f59e31d3387d142949222012d1cc5c9d0ba0d4c34ef96d1c6a4e3c44a94f2d680276356b65e9f0d493c6941df07cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
1014B

MD5
da93c927459c183a3c824092416fcc1e

SHA1
917323bbfb07ab4d11f18b60ea62c8a7cd23a726

SHA256
ac677428621d950eda8f0449df0d94c5c69d523a3fdf41a993eddbcaa9302af8

SHA512
ab86f1d94638b827fa542b5252da6d1fae394f4cf01c86f6cb2629d0c316fe4732230699a39918b012cb1c347600a19980fdeb09e9d9c0bf0b3bb999877405f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x

Filesize
4KB

MD5
214f98cb6a54654a4ca5c456f16aed0a

SHA1
2229090d2f6a1814ba648e5b5a5ae26389cba5a0

SHA256
45f18ccd8df88c127304a7855a608661b52b0ca813e87e06d87da15259c45037

SHA512
5f058b05f166e2688df7b3960e135ada25bbcdfbb62a11da3cf9e70c08c51e5589a1e6ca2250318a694d27197f2c5ba1028c443831c43fba2171ca8e072e9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC69D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KC7YMOIH.txt

Filesize
125B

MD5
78c4e35fef595f8ac0444226e2570817

SHA1
0441ceb21b4514555e868450bb64e8a4af8a0ef2

SHA256
9763b593eda7ba9c6d6c0cdfd2969a52e5d0a73f65ca76a41114bcd5dea669fc

SHA512
5647757b6f842d15a71e5c1ded9cc2b3ea71e0efe254ce5b75fcb075fa27e665b6c96f315fa55ba5981b2f83c1df6bc0c436faefa427a793e4d014cddc8282c3

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/620-167-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/1732-194-0x000007FEF6710000-0x000007FEF674A000-memory.dmp

Filesize
232KB

Download
memory/2500-192-0x000007FEF6A00000-0x000007FEF6A3A000-memory.dmp

Filesize
232KB

Download
memory/2500-193-0x000007FEF6890000-0x000007FEF68CA000-memory.dmp

Filesize
232KB

Download
memory/2500-729-0x000007FEF6A00000-0x000007FEF6A3A000-memory.dmp

Filesize
232KB

Download