home

memothis.exe

MemoThis

ISFORU Co. Ltd.

It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘MemoThis Agent’.
Publisher:
IsforU Co., Ltd.  (signed by ISFORU Co. Ltd.)

Product:
MemoThis

Version:
11, 11, 1, 0

MD5:
92313c48a21d21d4778d21b59d37bb3f

SHA-1:
0e9713419dbc6e220384f3bedc6c2bb0f04974fa

SHA-256:
609f6c5061961d09bce94acfb0e48803995cb5bfe84874926a8c938710e612c3

Scanner detections:
1 / 68

Status:
Inconclusive  (not enough data for an accurate detection)

Analysis date:
4/24/2024 2:16:11 AM UTC  (today)

Scan engine
Detection
Engine version

Malwarebytes
Trojan.Keylogger
v2016.02.29.02

File size:
548.9 KB (562,048 bytes)

Product version:
11, 11, 1, 0

Copyright:
Copyright(c) IsforU Co., Ltd. All rights reserved.

Original file name:
memothis.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\memothis\memothis.exe

Digital Signature
Signed by:
ISFORU Co. Ltd.

Authority:
Thawte, Inc.

Valid from:
7/22/2010 9:00:00 AM

Valid to:
9/20/2012 8:59:59 AM

Subject:
CN=ISFORU Co. Ltd., OU=Dev Team, O=ISFORU Co. Ltd., L=Mapo-gu, S=Seoul, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
54C92AB2C9B41B853A81CAD82D42F77F

File PE Metadata
Compilation timestamp:
8/1/2012 1:48:18 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:UZZKXGb1L03wGVZfYCKax/nQGzNJwomYE9dwlEPoh:8ZKXkagafnKax/nQG5J1mYE+h

Entry address:
0x67DF6

Entry point:
E8, AD, 04, 00, 00, E9, 37, FD, FF, FF, 3B, 0D, 28, B0, 47, 00, 75, 02, F3, C3, E9, 2F, 05, 00, 00, 6A, 14, 68, 08, 74, 47, 00, E8, E1, 03, 00, 00, 83, 65, FC, 00, FF, 4D, 10, 78, 3A, 8B, 4D, 08, 2B, 4D, 0C, 89, 4D, 08, FF, 55, 14, EB, ED, 8B, 45, EC, 89, 45, E4, 8B, 45, E4, 8B, 00, 89, 45, E0, 8B, 45, E0, 81, 38, 63, 73, 6D, E0, 74, 0B, C7, 45, DC, 00, 00, 00, 00, 8B, 45, DC, C3, E8, E9, 05, 00, 00, 8B, 65, E8, C7, 45, FC, FE, FF, FF, FF, E8, D7, 03, 00, 00, C2, 10, 00, 6A, 0C, 68, 28, 74, 47, 00, E8, 83...
 
[+]

Entropy:
6.6908

Code size:
430.5 KB (440,832 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
MemoThis Agent

Command:
"C:\Documents and Settings\{user}\Application data\memothis\memothis.exe" update


Scan memothis.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.