hxxps://drive[.]google[.]com/uc?id=1UxZ22uZAf7D-EgC-ilXkVYw-XfjH32oS&export=download

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1UxZ22uZAf7D-EgC-ilXkVYw-XfjH32oS&export=download

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4692	memz-trojan_1Z-PTV1.exe
5100	memz-trojan_1Z-PTV1.tmp

Loads dropped DLL 1 IoCs

pid	Process
5100	memz-trojan_1Z-PTV1.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	memz-trojan_1Z-PTV1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	memz-trojan_1Z-PTV1.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	memz-trojan_1Z-PTV1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	memz-trojan_1Z-PTV1.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	memz-trojan_1Z-PTV1.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{EE6872E9-EFDC-4BE5-8131-0159D7CBA662}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 347366.crdownload:SmartScreen	msedge.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	211	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
3720	msedge.exe
3720	msedge.exe
4564	identity_helper.exe
4564	identity_helper.exe
4512	msedge.exe
4512	msedge.exe
2148	msedge.exe
2148	msedge.exe
5548	msedge.exe
5548	msedge.exe
1436	msedge.exe
1436	msedge.exe
1436	msedge.exe
1436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4356	3720	msedge.exe	85
PID 3720 wrote to memory of 4356	3720	msedge.exe	85
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 3028	3720	msedge.exe	86
PID 3720 wrote to memory of 1740	3720	msedge.exe	87
PID 3720 wrote to memory of 1740	3720	msedge.exe	87
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88
PID 3720 wrote to memory of 3404	3720	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1UxZ22uZAf7D-EgC-ilXkVYw-XfjH32oS&export=download
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb6b846f8,0x7ffbb6b84708,0x7ffbb6b84718
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7480 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5548
- C:\Users\Admin\Downloads\memz-trojan_1Z-PTV1.exe
  "C:\Users\Admin\Downloads\memz-trojan_1Z-PTV1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\is-7T8F9.tmp\memz-trojan_1Z-PTV1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7T8F9.tmp\memz-trojan_1Z-PTV1.tmp" /SL5="$70228,1573616,832512,C:\Users\Admin\Downloads\memz-trojan_1Z-PTV1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.fileplanet.com/windows
      4⤵
      PID:6072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x108,0x128,0x7ffbb6b846f8,0x7ffbb6b84708,0x7ffbb6b84718
        5⤵
        
        PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1329170133698052998,8470970222286531222,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7208 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x300
1⤵
PID:6096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
67KB

MD5
4bb360ae7e6ad48f41e6e661dc509bc9

SHA1
e6b8d6b2466d7c701dd2a651d7336a41c079d998

SHA256
39d340184c17611060bc98bdb9e79f805a4ac94299a957850e25a709c50236b3

SHA512
adce176f426c1e1908bb707d3a608bbaa40fbbf69bf0d104bf3f0db0b2f567cc4e5ecb274459023b1918d93df6a4a78198308f3de609c73b006ced2e280ee56b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
43KB

MD5
e352d970a4f70796e375f56686933101

SHA1
20638161142277687374c446440c3239840362b4

SHA256
8a346ccc26d3ae6ded2665b27b443d6f17580650d3fdd44ef1bb6305bee37d52

SHA512
b2c95bc6a7bd4cc5ef1d7ea17d839219a1aa5eba6baeb5eab6a57ec0a7adbc341eb7c4d328bcc03476d73fd4d70f3a4bdec471a22f9eb3e42eb2cae94eeb1ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
ae79a3e945e45f571fdf9ab94bcab4ee

SHA1
eac343e9f3660f78ea5e2f1bd634c8123f207642

SHA256
039c61c90725ad5a7422c5f00cc6d85ff2c57e3f7697b75ec57668e62fc209f7

SHA512
0bfd27261eae0cc6462b71fce73461639fd1b6071797b29e047b16940ce25e79bb50032c289401fef4a10d22f0b1afd801dc9d29e0dbc085486d5fdeb88cb814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
43KB

MD5
687afd62f10e05221177ba00861973ac

SHA1
d137e0e0d621b770be3a34d6c580a1d5d6de176a

SHA256
be6666dc8588d8d727de93a5bec4a859f1c6c216a631b67bc686e52818400e49

SHA512
0ed219cfb57234cc070058d9ed2bf4182405b2d1ba66c46727a1d3d9935566d8e0f2c03e66c2a703928b45aa557a07b902bcb05fe2a1beaf67aa7b30a8d197fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
97KB

MD5
d1c7df5cfb5110dfde66840f0c26ee40

SHA1
efec08abcb5795aab64b3f8976e592ca56d5948a

SHA256
06f0a6ebf5a5ab1031f40c0dc2a6c9ee312f2b3d80067225eb6ad8e07a17c7ba

SHA512
c0a2ee603a38e86e79563dcb4ffdb047c16954ab39e335b0d16377def86a3e8d3abe4bcd5559a893aded466bdd55340d486bd85fa6c3bc4e725b8b78df9e4b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b30e9168e006bbae2ea560e217a4738c

SHA1
00a2a50fed11c5f010525595ed583692d493a41b

SHA256
1cd9cdf5cf29926b2b595ecd8c76199cc978802f128763454b8d642c2a925a70

SHA512
0e92221ed16ef4e129951b10e1a48227e010a074f8843ae9626cd5f1dedcfe9b350445fce121c117e0cf13ffab17c9185bc4050be69ba740927bb216fdd66742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
deafc9afe27c384b7640a41f8cee923c

SHA1
2b80e0a955ad5757e832379bee915eead1dc73fb

SHA256
54945f4490340654e888881e99b858d0b4c6881ed7e8deab1acf97f436e0e339

SHA512
f29f7f3a691021ffc66f9947a5f6ab3fcc694b0bde72d5d005d3c938716f9da4c2fe31a3026f0e9bac81c7f9c7116a01c703070882a9c020e8e8875dd273ff20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0d001f4992a0b15e42b707e48d8a8b45

SHA1
e85d54e53d3a0702ea63227f060ae9ae6383c99b

SHA256
f4df37f068fc8453cd7fcb122f7edf3c96490790563630705ce71130d0bc618e

SHA512
e174b52c30958b27ac373ad0569df24554dab6a83d4f57a2757350fa0017e680b3ad3131a29a396187aa6cd460efa4ae95909c1b8f3d20e909c64f5c847e53d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b03266e7da6c1f39289aaa0969fa4cd0

SHA1
d9fa2dab90d986eceee50e5c93008a90c59c8b1e

SHA256
2ff2c651f8ac0643528a9244c02bde9d938e2293e0a224e3894a40f854c2fbfb

SHA512
658d1e0f3c78ecc45b0b89105375858067f0fda955e98e8042b831e2f1746e8cfa9244de22925c89f068f22c1b290bcc446115b15f6b25efd388f4cb9a98e075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
88c71c0ba82b4c76f906ca944a05e62f

SHA1
35de997aaaf63d588d248e4df12a61be2cd14860

SHA256
403c6b71579236c797296c0040b298495f222681cb093016c24c720ee08286ec

SHA512
1c38a834873d95673c98692e143b26921d0c8fbc870033af69a4d197bc851173a804fa5c2020f5ee9277038945d5e1cd192f4a55c0044d5c53183a28f19cff0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4eecbb380678e92b093413baf55463ed

SHA1
34c437cc21fc4e0d22e00ab3ae35ad94e2240f18

SHA256
9d61f758da4f0fa296e804811aef0898b9a0388dbb2f0a35074872b444d39c2c

SHA512
35a1c07b7c37b48c1b0546da317b507e64b124e8bf99c58d9ffde4cf2a2351fb807086a211450662882f8f961086ac61e60c19f644f57c673f8f426b03f4561c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b80ca838cd37eed8b311bd9b60748ecf

SHA1
04f06826b434802813cd0618f6777c4551ff5566

SHA256
71bafca4735593b2edddb742c19beb7f703e4ea7d3b91fe6d82f94626fec72d4

SHA512
4ce9b4284ba30165586ce7f2c1e4db8bb571cc95032f1d699e6be9a7f10fbb63ec41b7d3f77af67d60ae15fbf8524891ae06823fe197d5e47f008f557449bfd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9725dfab9b52d3e35fdd311634dad755

SHA1
fd110e84d066cbb12a2be44b873b320302c9c0b8

SHA256
8f3264a5753d67ba61d07aa513001b3f31eef7978a90bb6dc7a0aff4c1600d6a

SHA512
39e6ba292a79ee6d7fb677f607d921811e6cd5e513e672809220eeee87d4cd0eeb22b401a0136ba6c67543292392328b56a0d14d44747bb1143e04e1a06757f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
320b545f983368e9442373b17f845a31

SHA1
370b086f80771a7ce32fe4a24f39f6193d0cf420

SHA256
311181ddac5c797a44193c5ea96d77d9ea3e4d95668676a711d3a4468fb58109

SHA512
144fe348c322575faaadea4bba264e1a8d3cc29ff5c437a6d800b3fd47e520526e230d75f8d32d362552a7c5cc12f717fc3d04facda18e7f73e76664c7ffefa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea328aa0158dd84ad0d3308b363b79aa

SHA1
1f4352e7313c8b9180d7204b07ebd74ffc1dccfc

SHA256
54cd1528400a092fa8ce78b97f8d6df6f7c1f3fed2060349596578833cdbaf56

SHA512
036f21605de9222bead018425831af73d78aad194266c636ed52e7c61f2ae1633c0411052098b67edd6eec965e1a5c5f3969df661acd33741ac582b176b5de28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
26b4838bab40e3a4e0cafe59144bb3b4

SHA1
124f8db4dbfe4f8d432964888cea1c314e38dad6

SHA256
ee020988ce9cb1aa5b2f8d319f00d4d862c0ed1a9571fba899e6ae4dbf5c7d3a

SHA512
6bd05cd32baf0ea2c81a28858fe200c9e4e7b346bdab196c64bb915646dbcbc5fb44e86681b143a485ab9a14d20184d515a23aa1a41475a32f1b5ed7627f5efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5a3b58bb1aa873d6c0c3007227aebd03

SHA1
176ec4b72f4f3ea470dd882f2ec2d859d0240636

SHA256
ad3642da07d1c4386d0cfe46a9cc882d58105774c5351a720ddc144a734d8d2b

SHA512
65e31cafa796c45ae91462e5bdffab1fdfd6eb2988c4f06f29adc8f3c0227ca1d1201bfe525193d1524e6daccce94d7b15fc7f414ca1c9931a0e29fb876dc374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
467a1a15bf14bbc53ab8d2b9e36fb615

SHA1
0be9ed490e865cc4ed71f146d04d6e990d8c9a82

SHA256
54ac3d178ee2f7f1fa97479b8616f52c30134bd27f2bb5adb3ce9e08bb82e206

SHA512
43f0aa2dba0d58666c8096b125f8b6e7e2d130d0d8f3b15bb5a9c30ceacc810a19a6bfb4af7dad336b4c75b2e2d44e20cfc7af4ee3b1cb59fd5f488e8329fb94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4f60916ccb3060d01b087f3f57de3266

SHA1
729b11095c6261bd10954047bff8217ecf224898

SHA256
b2d019bb9c7c109663fcc775a80304bfc610ed10a3ca69796070b9f3ffd6fb5e

SHA512
a08c8df32a3f96780e555047207d7d5a442bacc54b6b14b8cdcb6bf85491060a4b22a22f3866b5cdc0f3120a88a45049706e323fe6a6218128bf271b7d454091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a0436b3b6f1f78aab11b37d9baba03d

SHA1
c23197f93ea7c42da783514141b6c729698e5daa

SHA256
6f77e7e2c30e252d41c739f40533d3eb1b9603ffc2eced8104483e328409b5d2

SHA512
24cdfa8da693c7f4d97e79a338f0c2a300620385441aae2690cfb7079ab2a14bb552c83634d2b7e8ecbe320e32a43e1f700608a76dc609c38883c846dae40df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b41febc6c6e1cc388102ebaa1fd745b0

SHA1
a83d79cc908fc6e4b325b13fb84089f1453c132c

SHA256
b77c77321ecbf4bc154264b26f204e5bc0771a60dce86e2d041620c8f01f684f

SHA512
cb22aafd47d76565aed22c0a0052d774f8126a6d7510e32db8541c2a8e8f0e7ba9db1f7ffdb15984dd59dac10d8add25ac21b9e3ea0896bfa105bb6c7ef500ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
98f8c62dbed534ac5f3c8483137007c5

SHA1
51b25454ee2e9fe6f6762377d13c7660610c2231

SHA256
53ec1ceeb1558178c43f32403829a85d61cb6bf195d4158a1f739777ec096750

SHA512
9f752bbab8f1ea1c264543e1be27e6d73d79ed7310394ae646d6188d92ffa689f09af14b28eedc569496ec4bc03c33b35d5c84528c3f09399d69bc94c561b06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5837e4.TMP

Filesize
204B

MD5
dc83850b9fd3ce8c52f1022c66b4b253

SHA1
9416d4596780317cb89e7b8295212c9908a931a7

SHA256
d9e5bd27589eb1ff42985d81118c6eba49c4bd5e28720762f6f95b0b651816fd

SHA512
b9b760716713dfd9ec4e44a0799aca3d019a88879ed12b2486c6154196750c12bc2a6eadca6018209d88bc6ca0535686c0259cdbcce7dc0b6f2aae53d0c72903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
064d357ac8212375e7a19e8e451a5a85

SHA1
32ba54e230857915d04a59c5574b64cf3b33abd4

SHA256
e27c61261520650811a73f89fa1386f4fc58e23bbcf7572dd675248e2b566955

SHA512
1f41e749875d0aa37af7bd27e2852ae14e8cf2721077ce8d3c6ba7e4966fc30b7e6a6977aeff48fc6486a69c28d19da5feb620472ae82b2c1eaeca8ae31ffe63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
887c1f2e086f7ced845eec7a2ee9e1d7

SHA1
02f0530e8e4c57bbf7904c5cbe84def1ff9291fe

SHA256
38ca6d7e679cbf7917ee92090cc38cf9436107457baaa9eb37b569f266f9bf1b

SHA512
42ce30fd1f6e224069e296fdd2d14ec8f363e2210ae8b19733f673dc6b4f260362e55d203db43de952c67118b7c49431259327e9484bab2190ac7d499f108a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2814cee9ebc1451843a4d67d0862a188

SHA1
227bcf4afb7c344c9936392f0153ff10d5de809c

SHA256
6f82c52c1e809573a180204e7122467545e6f7acb6bc12c2aabbfbca230b21ca

SHA512
15b86e0d22ab7176e2bc5bc9c5aa67a1ded995e4e2ae8bd68db64c4e42d2ba250b2178cbc40a3900e9c08a0b25e02e1aef0df5452ddb6ff06607c3f4a43c23d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7T8F9.tmp\memz-trojan_1Z-PTV1.tmp

Filesize
3.1MB

MD5
02b1d8ff84bcd4ebcb01156636269b99

SHA1
15ba86430b90264da7d9f2c05be57c56640d4ba9

SHA256
a6497ddddd577caefe5a39958a604f9ee4bfe93e9da285b147ba6fc6788e75ca

SHA512
640227915b78fb8e0fd8e6a6ca883e4ed4e3fa45524fca5a9344c067840b3fc11c7b98fd05351eabaee3d4afa21711dc0999175cbc154d13b02135706ef5b47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AE2N9.tmp\Helper.dll

Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AE2N9.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AE2N9.tmp\mainlogo.png

Filesize
6KB

MD5
cd7f1e004d919724c4c5c5f377a4e2c5

SHA1
8ad9ff0daafa6ace17748cd6d2682993a95df073

SHA256
cb91c579311001831206cd0d044e8e50dfe2283920d952e510c1611a3f136483

SHA512
2ce555c46c5066b0e92964d3f88d94b5ba0ae5cf687401d2025ac10b77fdd46936b0302de4951bd9dc4fbbea59121d079d645caefc8ca40f2c1dc259abafd3d1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 347366.crdownload

Filesize
2.4MB

MD5
bff06775461065b057ccdbff79fc2819

SHA1
3976ef48c5e71635f7de8147105f55291b7e04c1

SHA256
51f9879646e8b8f3ee49f7f0e250cf2c93b2ab9ee76e3f79778bbfbd3659f86f

SHA512
6e43fbdf8103b72350130f894a72bf3fa2e7def61ed9a2d1d38c6b8745f97e5b45a195da818edb2c453c1305d1e036c41a5da0d617d8f18130a123e77d764359

Download Submit
C:\Users\Admin\Downloads\memz-trojan.zip

Filesize
47KB

MD5
c31e52bf196d6936910fa3dff6b6031e

SHA1
405a89972d416d292b247fd70bbc080c3003b5e6

SHA256
8b47e773a782361209f8adacc8d6aeefb595e1c13ae6813df7de01c20a15c91e

SHA512
a5335c7d3beafdefa6cb1a459736615ca0151fa2e64dafb78de65aa4b924068ad0dc55c70a5317be19edeb899f94ea02e2e54279933b87828ebe86ef95f13291

Download Submit
memory/4692-876-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4692-824-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4692-929-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5100-853-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download
memory/5100-928-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5100-889-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download
memory/5100-877-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5100-866-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download