hxxps://github[.]com/Matelpro777/MEMZ-4[.]0-pannel/blob/master/MEMZ-Clean[.]exe

Analysis

max time kernel
58s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Matelpro777/MEMZ-4.0-pannel/blob/master/MEMZ-Clean.exe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5316	MEMZ-Clean.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
61	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ-Clean.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 590178.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4272	msedge.exe
4272	msedge.exe
4312	msedge.exe
4312	msedge.exe
4260	identity_helper.exe
4260	identity_helper.exe
5232	msedge.exe
5232	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe
4312	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5316	MEMZ-Clean.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 840	4312	msedge.exe	85
PID 4312 wrote to memory of 840	4312	msedge.exe	85
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 2060	4312	msedge.exe	86
PID 4312 wrote to memory of 4272	4312	msedge.exe	87
PID 4312 wrote to memory of 4272	4312	msedge.exe	87
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88
PID 4312 wrote to memory of 2468	4312	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Matelpro777/MEMZ-4.0-pannel/blob/master/MEMZ-Clean.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ff83a3746f8,0x7ff83a374708,0x7ff83a374718
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5232
- C:\Users\Admin\Downloads\MEMZ-Clean.exe
  "C:\Users\Admin\Downloads\MEMZ-Clean.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download
    3⤵
    PID:5628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff83a3746f8,0x7ff83a374708,0x7ff83a374718
      4⤵
      PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
    3⤵
    PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff83a3746f8,0x7ff83a374708,0x7ff83a374718
      4⤵
      PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9539719745105188900,17381393956628138700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c667c9cda36aa6be97e8ab534a37663a

SHA1
0c3c50dfce6a341c75bb2a94211b051e488f4b6d

SHA256
902ca75d4d467da7f8001dc9c2698fdbebf7cccdb2f47220132a085536e88e1d

SHA512
465b203d8adf5208854053b52688d56effdeeeec298e5316681a900ab3c4ff190532192326afd3337aeb56a513c166e992bc0307205124ce47d887e874463d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
caa5df53b7e34f4cb59a3d1fdbe00abc

SHA1
8f2f1b0d428b6530c4e0d3351ddbe4ab268267f8

SHA256
e47e7f50d1a368cbb646de63bbc59082d82e3a90c5ef714a099cb135d1f5be34

SHA512
3c566c00e99984386cf11118f5f9211ba93299d644c0d45269ca901fa5eaa43da2a48e3efd677db7bb3564c8f7e83df7a6ecf65e9d57a8750b15937e5ac4aa10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca98c962dd9dc436f80cc8ad83bf67c5

SHA1
7c799af95ad4ed03764613c358db93c8666b9344

SHA256
6941ec27cf5bfae77e298ef973f2e53414bffc7d57186485913bf590e12bb529

SHA512
8a32143b25262412d0d927a2e2dcd73f9ce68076abb4ed08ea4b2dad8cf094d57958e858db0e2df608a42ef4c071d42a6d03b9047d3e4327fefaf9e331dedb62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34683b7a39937d0767f78f280d9117e5

SHA1
9e3bb06f3baea250c5d4751cc4ac10f02df33262

SHA256
81d34fd25a07e48df06babb545f0a4286c3ae022ae07bb6de8ba5029304cf588

SHA512
9e4d6f8c5ba76f7cfbd025f63f304d5fc93c87a9a54c59ea98a38a3b7f3d79cb4e4839050bc484a1192888a7e3b4f998d8ffa067e86d6e6b144219dcd9950f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e6b92376e972815ef5faaf852e84b428

SHA1
d400e1fc7d819c2d274b77c7d5a8d0cef379b8e7

SHA256
4699cbea0e00e573ef5025b07ae55a99cae87bc4ce3a348e1ac4ae49566821e7

SHA512
bbb9588057e2018f340f57eb82a36a60ce242ebce02519e2bff0ac05c8c03b1b623a2b421d28490431ef9d5e10fbf65c272492a838ba121a9097a2af94b60ba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22097d163620617f255dd2e5eff0da72

SHA1
77ab3de7889ffd34c4a6add023ffc3a7bf2650fe

SHA256
786bbe8351260fb043e01867ac7b2955131281f0ec5254f3309b7e8f376dc8e1

SHA512
c7b5ae54c9f5cebc39d7381953cfb370af539ea18fb52046fdfb3be60d8b9006f0e8846e92c1b35970e255a357f45dbbd1a2c8d7d9fa88ad441897ecedd231ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ebb9d8e6d5a438c1a0116af27274815e

SHA1
8c1616fa709810c1ccc92d6defca29070ffb9e3c

SHA256
8857e24ec38eaac8ab0164ed78db38a0db162408e132e9b7b4bf62f830c72feb

SHA512
e43f2562918cee0ae4008761fca773a873509fb2d020fba5396158354dffb4b0a4ec89ef0d164629230c3d458de1a03a8e1552e4e4f9c35734dc73d98d200897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
010e34e7260d40bb5fef65f99d4269b8

SHA1
49e7ef79004ae4ec7d6e0f77dfefcfda9980495a

SHA256
205e8ff3fc40c838224df3b68813473e40c730768f72f931ad03527ad22f0bb1

SHA512
2da1bbad218cfe942035a324ed506cdc9408a8bbab17cdf5f6ec91dd95f2cf7a605590bdca87c9a4bcfecde1813a03a4b0d957b81826cc9f00993d8489987c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fcde.TMP

Filesize
1KB

MD5
99294c6d6520254509d8c84661202e1b

SHA1
d7ac340d1a2b01d37025da834357e12ab941f8da

SHA256
4badba6df5a91d4d27e20b69aff98f26088638aeb2d9132fc6e5cfa2e6584510

SHA512
ff8ae18737b3f9dab5c0af81236ff7c34ebce654889d2b2b64a2c2b2195f449c8b016b93ef697981560d8f33ce542af31b91fca5e5bc39ddcb60ad40221077a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
33064cef9f9d88b4cffdb23865a10ab9

SHA1
c1a0a729b326e70b6ff26c53b8f5fbf1a6efe226

SHA256
93b585785a63ea17fb3cf7685c3bef9bb42a6cc6d0238ba9bb4f75d326be707f

SHA512
b049f6769dfe1e822416ab0c8c1c52cb832ceb489425d0a5ae4699c7457019713d37b6c58000e9c8d07d729839702a9b543de44c4a0ac3fa655783db6dac9e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4d8af4185ba6fb93805bab7dd03c1a62

SHA1
509ef6c74f6d463e4b17713c7d28e75fddb28883

SHA256
f7fa962a1cb0e44d7c61ad1954eec5b4325f64e83d44db4c5d657731bec783a6

SHA512
e9732299a214e873b99503920f2fdf23c30dba48685883f69767df3c12618d21b3f89be6b37218faacd8f5d02128e11ed98b09183c281655bae711ad5baa9ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a8560877c23f8ae08a281384dd7b5f2c

SHA1
4f6441bfaf9f99a920441e5b2638fa12987962b1

SHA256
67a4401f04ff3d831494e5ab25e5f2b14c3c4f6bff2b91a6d9ac9975cfca517b

SHA512
adc71766261e01788f5fb02c6b8a9519ae84d24b6e17c7b02bbf3f0aa4e5fbdfc2cdb9a647b3f62dd55e2e5f9bc78dda09f055925fce8a757125b0424a35fd13

Download Submit
C:\Users\Admin\Downloads\MEMZ-Clean.exe

Filesize
12KB

MD5
9c642c5b111ee85a6bccffc7af896a51

SHA1
eca8571b994fd40e2018f48c214fab6472a98bab

SHA256
4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5

SHA512
23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c

Download Submit