meduza | hxxps://github[.]com/ordogos2/g575/releases/download/Download/setup[.]7[.]0[.]zip

Analysis

max time kernel
56s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ordogos2/g575/releases/download/Download/setup.7.0.zip

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1492-73-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza
behavioral1/memory/1492-76-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	setup.7.0.exe

Executes dropped EXE 1 IoCs

pid	Process
1492	setup.7.0.exe

Loads dropped DLL 1 IoCs

pid	Process
3168	setup.7.0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	api.ipify.org
46	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3168 set thread context of 1492	3168	setup.7.0.exe	113

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8	cmd.exe
3456	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe:a.dll	setup.7.0.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3456	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
820	msedge.exe
820	msedge.exe
3664	msedge.exe
3664	msedge.exe
4176	identity_helper.exe
4176	identity_helper.exe
4536	msedge.exe
4536	msedge.exe
1492	setup.7.0.exe
1492	setup.7.0.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	setup.7.0.exe
Token: SeImpersonatePrivilege	1492	setup.7.0.exe
Token: SeDebugPrivilege	3124	taskmgr.exe
Token: SeSystemProfilePrivilege	3124	taskmgr.exe
Token: SeCreateGlobalPrivilege	3124	taskmgr.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe
3124	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 3088	3664	msedge.exe	82
PID 3664 wrote to memory of 3088	3664	msedge.exe	82
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 2612	3664	msedge.exe	83
PID 3664 wrote to memory of 820	3664	msedge.exe	84
PID 3664 wrote to memory of 820	3664	msedge.exe	84
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85
PID 3664 wrote to memory of 1016	3664	msedge.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup.7.0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ordogos2/g575/releases/download/Download/setup.7.0.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2e9046f8,0x7ffa2e904708,0x7ffa2e904718
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,6759699248571263069,835298561851952501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4132

C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe
"C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:3168
- C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe
  "C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1492
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:8
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3456

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
1a4ddf41a0d8209a86568e056b612b31

SHA1
9f7d87f80886f4f5ae4836761ffac00ac08cf138

SHA256
8c33da07285870143760b2ec7ae39726175e3e34a2253f520c0989a2ccc0259f

SHA512
7790221b94bb0a0c69b1c4fb1ab069e85a5c42039cf6bb3af702b7a9174366b4680123e36dcfce93453d174c5d399d381daa468b9424baac581ff1942ced47cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
3f0366484fc84249c7cd28234e1afd12

SHA1
f9245020e2b90e16738516aa2b5be7c2069d99fd

SHA256
291e3958e5c4ec638f5a7f7ba3f21d85bf19059d42353607c6d503b2dbe940d2

SHA512
c7e10afd824e5eb41fbc4674769a7ec0154f68bcbc49789b8e1fb0de1b602fc921a9bb275fe7f50a2c20e94670cccede80188cd61004c296017f99f9316d288a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
012484f69ee65cdc5d31541c78b20c27

SHA1
504dbf2c47a83d6b2b28b33f0b1f7f43ffaa1483

SHA256
90314f6064f90aead18b47e0a4eb1d851f4b41f6af43bee0b26e676e0d6cecc1

SHA512
4338cab707275a7fdec2ed4d1d9466629ea23ce29566bcf08c0f77b228cf1e11097981099d6221149e966dd9a25c0fb97c4b14b10f602fc4eaa9d3abd5d413a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7f8b56e0cdb2c3f1a3835a0289cc713

SHA1
cf15658851d606864418c82fabc2a7d6d5b8ddde

SHA256
dba6b7cf9f3bf4b5337cff3bd015d32febf09d296e94859c71fd34bb554a144e

SHA512
3c3710f6c887b6f814b162fc61ebdf192eb7ebaedeb08b93412ba64d1f599cb211a6d5a4e22f7b1dcf00e50b6a5d09126962e52064b300be4b12c39f8c90ec1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
884088cd6da0791f133ea8459e3c3fea

SHA1
1625d09b629cc5e8b7608f7240fe0e3c4dc00acc

SHA256
631f1f8e38bbcac037ed54d87ec5af4edfee805193e10b46409079f15ee12f8d

SHA512
49e08eb0e990de36e884fb1c04f2436850d71cec5384c28d0352cd0ea748e4e69209e6dcce048959ab0c8adb24c7db56305d8ee0f4e94435ea538d40002617ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c0d57e64-51eb-4ee7-82fe-b4464571ac02.tmp

Filesize
10KB

MD5
7ed50f89fef445d86cc249e8a94b778e

SHA1
11e917f4b963e5c919f0088a7515eb97df6ec287

SHA256
4406313c07f091d93dd3de57ec48b1b38c742b86a4b0deb2c4bd7e624474e35a

SHA512
af71821c75e043216089e08ca0f292d2dcf265a7ddf22198717c6d9a1c4ab09b32ef298eed96bdfb37257f24cfa5c0b8fc8cf03692c9b450769e4cd6dcdd3b0d

Download Submit
C:\Users\Admin\Downloads\setup.7.0.zip

Filesize
1.3MB

MD5
32711b39d30ad158f10dca650dcf20bc

SHA1
28024ef92736dedc70aaf7e558062d8878b2d6d5

SHA256
38f09edc87d2d94f3e8fe2e6119be2285e2e0afd64d0c4a53f7d62c9d8f9cbf3

SHA512
7964210fe6832d333b0b61a46ccd974d751d2a4501159c67763efcd245f57e36820bcede7bdca088ddc9c2274eb4db8d56f62cfa3cb0df8830ffad8d1fb11ed2

Download Submit
C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe

Filesize
1.7MB

MD5
994bb906f5c652d50b21a45c76c530c1

SHA1
ad90263d8b82f065a56efc728f6e226a60196792

SHA256
1a471d692acc84510b6af7c3ca4953823177bd4af8b569480a7e0862f88587e0

SHA512
6a99872d9884a1d609f984038fb661ac4e44608591d14cdb76741ecbb9bd5bfb6d1edb9f07c45865837502bc6b5dee74947179dd1eb38a4d7c1f7b2a30ca139c

Download Submit
C:\Users\Admin\Downloads\setup.7.0\setup.7.0.exe:a.dll

Filesize
1.4MB

MD5
7174024be7da44564fb982f235475e91

SHA1
e85017e81251e3b4463c63657af78c4fd6166032

SHA256
68c07fa0a1704dc6465f6eac11c24b9c018a7c4c9a182613c69c29f70ead91bb

SHA512
e03535c0b22c1ab80f2a6463dbdfe7d34d5e6fbb3a865436c93abc5046faefc1f227a7280315825331d6b237e9bf3a1134339689599e6577530f87bf0a013b3a

Download Submit
memory/1492-73-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/1492-76-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3124-109-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-108-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-110-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-114-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-115-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-120-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-119-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-118-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-117-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3124-116-0x0000013F84230000-0x0000013F84231000-memory.dmp

Filesize
4KB

Download
memory/3168-78-0x00007FFA1AD00000-0x00007FFA1AE64000-memory.dmp

Filesize
1.4MB

Download
memory/3168-77-0x00007FF714C00000-0x00007FF714DB5000-memory.dmp

Filesize
1.7MB

Download