meduza | hxxps://github[.]com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7[.]0[.]zip

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/5008-96-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza
behavioral1/memory/5008-101-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	setup7.0.exe

Executes dropped EXE 1 IoCs

pid	Process
5008	setup7.0.exe

Loads dropped DLL 1 IoCs

pid	Process
4532	setup7.0.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	api.ipify.org
34	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4532 set thread context of 5008	4532	setup7.0.exe	107

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3740	PING.EXE
4840	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe:a.dll	setup7.0.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3740	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4048	msedge.exe
4048	msedge.exe
408	msedge.exe
408	msedge.exe
3720	identity_helper.exe
3720	identity_helper.exe
3956	msedge.exe
3956	msedge.exe
5008	setup7.0.exe
5008	setup7.0.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	setup7.0.exe
Token: SeImpersonatePrivilege	5008	setup7.0.exe
Token: SeDebugPrivilege	4568	taskmgr.exe
Token: SeSystemProfilePrivilege	4568	taskmgr.exe
Token: SeCreateGlobalPrivilege	4568	taskmgr.exe
Token: 33	4568	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4568	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe
4568	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3328	408	msedge.exe	81
PID 408 wrote to memory of 3328	408	msedge.exe	81
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4208	408	msedge.exe	83
PID 408 wrote to memory of 4048	408	msedge.exe	84
PID 408 wrote to memory of 4048	408	msedge.exe	84
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85
PID 408 wrote to memory of 3640	408	msedge.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd55e46f8,0x7ffcd55e4708,0x7ffcd55e4718
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:880

C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:4532
- C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe
  "C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:5008
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4840
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3740

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
1bba4a4c34113876603a97c067936191

SHA1
c2b6b85a6a67063f548095e7f10e2c4f7269e6b3

SHA256
9eda103b99db06d9e243fe70ee18730bf8e9747be06eb9df44e1d7f844d16029

SHA512
cb849a927106fd633ad268e3c2b0102503dbb5589ad7c87eeb41ddc2aaae967676d2c444aa97274a0da72e12cc8b4336fb7ad6f82659152d76c8afbc998ea04b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
2c2d91e2f140ad156e691403be4759e2

SHA1
8c810c58ed4bf081662b5f6b92287a8f36559302

SHA256
50affc101d5696aaddd2e7440ce218879203ec97c8dd7efaa5e5faa599472a81

SHA512
b94676c047ce708be2b37588855cad7a526e10bd41eb074a9108797d328eccaf1ecbbefa146624fc5668018ca889494242894d35e5eb7d4f209e5a59f420d53c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
931ef2dc65718cef42767046764eae9e

SHA1
3d74042ea59374c071872696febce836b7a437e0

SHA256
89deb8fbaec6da0cb15ddc68c8457c70a64139973b93245558e465201f81df48

SHA512
7ee03abd67b2355d91f170527d4dab7cf060cd7c2a448530e2ccfee4e7909cfd9e9be50587e6c119f2bf8d36c10b7ccc1073314c1afd418516064db5d87363ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f8c6a322eb9496303cf8f28127faf8c

SHA1
3e9fbb87415d3403f35afe7f17edf65e42a9d0d4

SHA256
9670e47061b4ef9b7960af89ddc799643d52a709069ae6cdee5d902560e71bf5

SHA512
16fa681d96deef1199f50ede70ccdd48fcdf5f9e444bc4b0ceafd9b43d6ee2feba59bdebec6760d7fd1e8688310f782e295acd9b113bcf4f3a15eeea333be8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9aa6b7708cf790a07b4f8ccdde820b0d

SHA1
411b6b352a3d055c80acf98f3771cb42a1da3fdb

SHA256
babcb296f89c079bad60c802f04722be9f868e0405c2adc2af13386dfbdbead6

SHA512
ecd97da6c8cd208a518683a7cb69c46f7290d6d9f84d0d86804793c3f9c9ee7e4d2970a2523153d9231d8a868eafa56ecfdf8fa116e335bdcea8af68f1bf1852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
885d07cb1af243ade33df7ff14bc4a2c

SHA1
20a99833253d8d969cd676b3d388e6ac495245a0

SHA256
04424923cb04edacdc623d34edec1f7f5d88ad30a8dd9e417b9412e041c1cde7

SHA512
829aee7e7282096ef26c981f1fc4a3be793628229e8999389b60a34a9a9e463eeb8f8ba372dc24f421708a7474e0f219d1349dae98f678182582f34dee5a3456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2b047083226ed112fa5a51ac5a1e3f4e

SHA1
3f0d0605af84517fba619ff34b3930dff7458c6e

SHA256
dcf45cf967318efb7214065bd140c2e39cda0d8f696c24391de531e8dd111e43

SHA512
b7ddbadece75d0ed195681117b5c18fa1bc420a7892516cc3545baec9142049fafdd99cc41f0a163398167c93adb9b4fcd8b4e055c833869162bdabbf2ea88ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
51120272f892f5dbbebcf98cd3a91e19

SHA1
74d7503880eabcc7c43d6a7df8420339f5de0d49

SHA256
bc3423e454ab47c6a54dc10a94e4d3626e7a8e2aa2e9e0d4221686d8a0b603e8

SHA512
4cbc4fa2ef3f248ad2361b005656feb5f42dd7b6204637062556395eb03d29365ca7cee8da7b9142b4fe098d437f4a94571f54e5f123917974f270229dca1c51

Download Submit
C:\Users\Admin\Downloads\Setup7.0.zip

Filesize
1.3MB

MD5
caf07843d0eec5fd5d9b131256361752

SHA1
1ce0acf5f2b521752440ce6d1c108a365a1dca50

SHA256
abdc12b4bb4b9a7309bc067be6b097a4e11b0dccbf19494edb971b510303c923

SHA512
b72e81797f4d3264b12675e2d35c56d76ec9110c3814776068d23a51c5de20ed3bd0dd414fb3f0564633b408dc040eaf8407c5e319df7014c9249e5fbaea2839

Download Submit
C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe

Filesize
1.7MB

MD5
2c685fc5572fee6107d76c17fa873a45

SHA1
05436164ce59ab80e0bcae7aa779b2426866446e

SHA256
f585f729ebcdaf7a70e16690398cca0036d1dd4c398b4044004e7ab0ccc6bf56

SHA512
6bd9fbf04c75c0a6a07846233e5cb31f7f8373f3bd2fc62f70f27c34d37d640d80647ca980530ba99d77586a954c73899a257e1dc2e422279a0c46f69e2107e3

Download Submit
C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe:a.dll

Filesize
1.4MB

MD5
d9a74092beacfbf63708895c03774dce

SHA1
44b28f038e8aabd1718b904ebc58a91b7f8be103

SHA256
6abbad8087891836e562bdf0420ce019471b649574caf68a938e300e9c546793

SHA512
4dec51a48b700ec4585bef9edd6d329dca1b562eae7e0609dd05462b4810f457e94fbefcd25e2853f27f36c4b8707676f34075cfe1ce2f00830d23a4a3a32f2e

Download Submit
memory/4532-100-0x00007FFCC29A0000-0x00007FFCC2B04000-memory.dmp

Filesize
1.4MB

Download
memory/4532-98-0x00007FF658C40000-0x00007FF658DF5000-memory.dmp

Filesize
1.7MB

Download
memory/4568-135-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-127-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-138-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-137-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-136-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-126-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-134-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-133-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-132-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/4568-128-0x0000017105420000-0x0000017105421000-memory.dmp

Filesize
4KB

Download
memory/5008-101-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/5008-96-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download