URL:

https://github.com/Viper4K/malware/blob/master/MEMZ/MEMZ.bat

Full analysis: https://app.any.run/tasks/539f37f9-955a-43d2-b02a-39e03f9215f5
Verdict: Malicious activity
Analysis date: July 20, 2024, 23:10:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
Indicators:
MD5:

9CD14358FFD3D802CC97FAF272A2709C

SHA1:

CCCA4208E597C488FFE672724436F9F547DEC22B

SHA256:

7D587C2551E990553B06F5F6255B3EF875CD439E457FDBBEE0B39984B3E43F97

SSDEEP:

3:N8tEdQqXJJ3vJcTEHB+:2umsJs+k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • processhacker-2.39-setup.exe (PID: 8792)
      • processhacker-2.39-setup.exe (PID: 8884)
      • processhacker-2.39-setup.tmp (PID: 8912)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)

      • cscript.exe (PID: 8496)
    • Uses base64 encoding (SCRIPT)

      • cscript.exe (PID: 8496)
    • Starts CMD.EXE for commands execution

      • msedge.exe (PID: 8180)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • cookie_exporter.exe (PID: 7212)
      • processhacker-2.39-setup.tmp (PID: 8812)
      • ProcessHacker.exe (PID: 6260)
      • MEMZ.exe (PID: 8976)
      • MEMZ.exe (PID: 8388)
    • Executable content was dropped or overwritten

      • processhacker-2.39-setup.exe (PID: 8792)
      • processhacker-2.39-setup.tmp (PID: 8912)
      • processhacker-2.39-setup.exe (PID: 8884)
      • cscript.exe (PID: 8496)
    • Reads the date of Windows installation

      • processhacker-2.39-setup.tmp (PID: 8812)
      • MEMZ.exe (PID: 8976)
      • MEMZ.exe (PID: 8388)
      • ProcessHacker.exe (PID: 6260)
    • Process drops legitimate windows executable

      • processhacker-2.39-setup.tmp (PID: 8912)
    • Drops a system driver (possible attempt to evade defenses)

      • processhacker-2.39-setup.tmp (PID: 8912)
    • Reads the Windows owner or organization settings

      • processhacker-2.39-setup.tmp (PID: 8912)
    • Checks Windows Trust Settings

      • ProcessHacker.exe (PID: 6260)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 8496)
    • The process executes JS scripts

      • cmd.exe (PID: 5312)
    • Executing commands from a ".bat" file

      • msedge.exe (PID: 8180)
    • Sets XML DOM element text (SCRIPT)

      • cscript.exe (PID: 8496)
    • Script creates XML DOM node (SCRIPT)

      • cscript.exe (PID: 8496)
    • Creates XML DOM element (SCRIPT)

      • cscript.exe (PID: 8496)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • cscript.exe (PID: 8496)
    • Writes binary data to a Stream object (SCRIPT)

      • cscript.exe (PID: 8496)
    • Saves data to a binary file (SCRIPT)

      • cscript.exe (PID: 8496)
    • Creates a Folder object (SCRIPT)

      • cscript.exe (PID: 8496)
    • The executable file from the user directory is run by the CMD process

      • MEMZ.exe (PID: 8976)
      • MEMZ.exe (PID: 7764)
      • MEMZ.exe (PID: 4424)
    • Application launched itself

      • MEMZ.exe (PID: 8976)
      • ProcessHacker.exe (PID: 6260)
    • Creates file in the systems drive root

      • MEMZ.exe (PID: 8388)
      • notepad.exe (PID: 8924)
    • Start notepad (likely ransomware note)

      • MEMZ.exe (PID: 8388)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 8180)
    • Checks proxy server information

      • cookie_exporter.exe (PID: 7212)
      • ProcessHacker.exe (PID: 6260)
    • Checks supported languages

      • cookie_exporter.exe (PID: 7212)
      • identity_helper.exe (PID: 7744)
      • processhacker-2.39-setup.exe (PID: 8792)
      • processhacker-2.39-setup.tmp (PID: 8812)
      • processhacker-2.39-setup.exe (PID: 8884)
      • processhacker-2.39-setup.tmp (PID: 8912)
      • ProcessHacker.exe (PID: 6260)
      • identity_helper.exe (PID: 8560)
      • MEMZ.exe (PID: 7876)
      • MEMZ.exe (PID: 8976)
      • MEMZ.exe (PID: 7224)
      • MEMZ.exe (PID: 8916)
      • MEMZ.exe (PID: 8388)
      • ProcessHacker.exe (PID: 8624)
      • MEMZ.exe (PID: 6232)
      • MEMZ.exe (PID: 8332)
    • Reads the computer name

      • cookie_exporter.exe (PID: 7212)
      • identity_helper.exe (PID: 7744)
      • processhacker-2.39-setup.tmp (PID: 8812)
      • processhacker-2.39-setup.tmp (PID: 8912)
      • ProcessHacker.exe (PID: 6260)
      • identity_helper.exe (PID: 8560)
      • MEMZ.exe (PID: 8976)
      • MEMZ.exe (PID: 8388)
      • ProcessHacker.exe (PID: 8624)
    • The process uses the downloaded file

      • msedge.exe (PID: 6304)
      • msedge.exe (PID: 8648)
      • msedge.exe (PID: 8180)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 8180)
      • msedge.exe (PID: 7076)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 8180)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 8180)
      • msedge.exe (PID: 7076)
      • cscript.exe (PID: 8496)
    • Create files in a temporary directory

      • processhacker-2.39-setup.exe (PID: 8792)
      • processhacker-2.39-setup.tmp (PID: 8912)
      • processhacker-2.39-setup.exe (PID: 8884)
    • Process checks computer location settings

      • processhacker-2.39-setup.tmp (PID: 8812)
      • MEMZ.exe (PID: 8388)
      • ProcessHacker.exe (PID: 6260)
      • MEMZ.exe (PID: 8976)
    • Creates files in the program directory

      • processhacker-2.39-setup.tmp (PID: 8912)
    • Creates a software uninstall entry

      • processhacker-2.39-setup.tmp (PID: 8912)
    • Reads the machine GUID from the registry

      • ProcessHacker.exe (PID: 6260)
    • Reads Environment values

      • ProcessHacker.exe (PID: 6260)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 8496)
      • notepad.exe (PID: 8924)
    • Reads the software policy settings

      • ProcessHacker.exe (PID: 6260)
    • Creates files or folders in the user directory

      • cscript.exe (PID: 8496)
      • ProcessHacker.exe (PID: 6260)
    • Reads CPU info

      • ProcessHacker.exe (PID: 8624)
    • Reads the time zone

      • ProcessHacker.exe (PID: 8624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
232
Monitored processes
85
Malicious processes
10
Suspicious processes
1

Behavior graph

Behavior graph (rendered interactively in the full report). Processes shown, in the order listed: iexplore.exe, msedge.exe (many child instances), identity_helper.exe, cookie_exporter.exe, slui.exe, processhacker-2.39-setup.exe, processhacker-2.39-setup.tmp, processhacker.exe, cmd.exe, conhost.exe, cscript.exe, memz.exe (several instances), notepad.exe, processhacker.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
68
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4956 --field-trial-handle=2372,i,14350803702288117847,85138565459493527,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
116
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7320 --field-trial-handle=2372,i,14350803702288117847,85138565459493527,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1540
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6096 --field-trial-handle=2372,i,14350803702288117847,85138565459493527,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2056
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2068
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=6184 --field-trial-handle=2372,i,14350803702288117847,85138565459493527,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2112
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" "https://github.com/Viper4K/malware/blob/master/MEMZ/MEMZ.bat"
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
2868
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5504 --field-trial-handle=2372,i,14350803702288117847,85138565459493527,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3108
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8344 --field-trial-handle=2372,i,14350803702288117847,85138565459493527,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3360
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5308 --field-trial-handle=2372,i,14350803702288117847,85138565459493527,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3624
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6588 --field-trial-handle=2372,i,14350803702288117847,85138565459493527,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
41 461
Read events
41 235
Write events
215
Delete events
11

Modification events

(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
L1WatermarkLowPart
Value:
0
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
L1WatermarkHighPart
Value:
0
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
NextCheckForUpdateLowDateTime
Value:
0
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
NextCheckForUpdateHighDateTime
Value:
0
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
NextCheckForUpdateLowDateTime
Value:
376168655
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:
write
Name:
NextCheckForUpdateHighDateTime
Value:
31120122
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:
write
Name:
CachePrefix
Value:
(empty)
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:
write
Name:
CachePrefix
Value:
Visited:
(PID) Process:
(2112) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:
write
Name:
CompatibilityFlags
Value:
0
Executable files
58
Suspicious files
663
Text files
160
Unknown types
2

Dropped files

PID
Process
Filename
Type
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-669C43E7-1FF4.pma
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF428c9f.TMP
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF428c9f.TMP
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF428cae.TMP
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF428cae.TMP
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
PID:
8180
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF428cdd.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
253
DNS requests
242
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8180
msedge.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEALE0eWKSmgMVo2jBH5%2BTV8%3D
unknown
whitelisted
8180
msedge.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRm%2FrYSaqNr0YBIv29H4pMHhv2XmQQUl0gD6xUIa7myWCPMlC7xxmXSZI4CEA%2Fx72a9Yhxlt0tN5BQlcX8%3D
unknown
whitelisted
9100
svchost.exe
HEAD
200
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722029678&P2=404&P3=2&P4=Y4pLmG2r2omwimRsI0PDPWBBZbTuEpQ5MpbIkTXSND9gopYhwOR70taRRSAUSYNsh3Hr29cpNBEDBLOttEC8Ug%3d%3d
unknown
whitelisted
9100
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722029678&P2=404&P3=2&P4=Y4pLmG2r2omwimRsI0PDPWBBZbTuEpQ5MpbIkTXSND9gopYhwOR70taRRSAUSYNsh3Hr29cpNBEDBLOttEC8Ug%3d%3d
unknown
whitelisted
9100
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722029678&P2=404&P3=2&P4=Y4pLmG2r2omwimRsI0PDPWBBZbTuEpQ5MpbIkTXSND9gopYhwOR70taRRSAUSYNsh3Hr29cpNBEDBLOttEC8Ug%3d%3d
unknown
whitelisted
9100
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722029678&P2=404&P3=2&P4=Y4pLmG2r2omwimRsI0PDPWBBZbTuEpQ5MpbIkTXSND9gopYhwOR70taRRSAUSYNsh3Hr29cpNBEDBLOttEC8Ug%3d%3d
unknown
whitelisted
9100
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722029678&P2=404&P3=2&P4=Y4pLmG2r2omwimRsI0PDPWBBZbTuEpQ5MpbIkTXSND9gopYhwOR70taRRSAUSYNsh3Hr29cpNBEDBLOttEC8Ug%3d%3d
unknown
whitelisted
9100
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722029678&P2=404&P3=2&P4=Y4pLmG2r2omwimRsI0PDPWBBZbTuEpQ5MpbIkTXSND9gopYhwOR70taRRSAUSYNsh3Hr29cpNBEDBLOttEC8Ug%3d%3d
unknown
whitelisted
9100
svchost.exe
HEAD
200
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/63790111-8455-46c9-a54a-83249ebbe39a?P1=1722067048&P2=404&P3=2&P4=YC0DlQAoJ8uZ8g7NwQ322BB%2bKMeEF7wDdzJC6vrGShMgQ7rfm7A3XTKm1unEVdy5y%2flwuVhMcVgxkvmMEACw5Q%3d%3d
unknown
whitelisted
9100
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e6d05a2-47e8-42b8-85a0-e8b7ee48333a?P1=1722029678&P2=404&P3=2&P4=Y4pLmG2r2omwimRsI0PDPWBBZbTuEpQ5MpbIkTXSND9gopYhwOR70taRRSAUSYNsh3Hr29cpNBEDBLOttEC8Ug%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5620
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4716
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
7856
svchost.exe
4.209.32.198:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4032
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
7076
msedge.exe
140.82.121.4:443
github.com
GITHUB
US
unknown
8180
msedge.exe
239.255.255.250:1900
whitelisted
7076
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7076
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.69
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.73
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.160.20
  • 40.126.32.133
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.134
  • 40.126.32.74
  • 40.126.32.140
whitelisted
google.com
  • 142.250.185.206
whitelisted
github.com
  • 140.82.121.4
shared
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
bzib.nelreports.net
  • 23.48.23.26
  • 23.48.23.51
whitelisted
github.githubassets.com
  • 185.199.108.154
  • 185.199.111.154
  • 185.199.109.154
  • 185.199.110.154
whitelisted

Threats

PID
Process
Class
Message
7076
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
7076
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
7076
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
7076
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] An application monitoring request to newrelic .com
No debug info