Analysis
  max time kernel: 93s
  max time network: 97s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/10/2024, 15:51
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip
Resource: win10v2004-20241007-en
General
  Target: https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip
Malware Config
Signatures
Meduza Stealer payload (2 IoCs)
  resource: behavioral1/memory/5008-96-0x0000000140000000-0x000000014013B000-memory.dmp  yara_rule: family_meduza
  resource: behavioral1/memory/5008-101-0x0000000140000000-0x000000014013B000-memory.dmp  yara_rule: family_meduza
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation  (setup7.0.exe)
Executes dropped EXE (1 IoC)
  PID 5008  setup7.0.exe
Loads dropped DLL (1 IoC)
  PID 4532  setup7.0.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 5 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (setup7.0.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (setup7.0.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (setup7.0.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (setup7.0.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (setup7.0.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 33: api.ipify.org
  flow 34: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
  PID 4532 set thread context of 5008  (pid 4532, setup7.0.exe, procid_target 107)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  PID 3740  PING.EXE
  PID 4840  cmd.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000  (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  (taskmgr.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)
Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings  (msedge.exe)
NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe:a.dll  (setup7.0.exe)
Runs ping.exe (1 TTP, 1 IoC)
  PID 3740  PING.EXE
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege  PID 5008  setup7.0.exe
  Token: SeImpersonatePrivilege  PID 5008  setup7.0.exe
  Token: SeDebugPrivilege  PID 4568  taskmgr.exe
  Token: SeSystemProfilePrivilege  PID 4568  taskmgr.exe
  Token: SeCreateGlobalPrivilege  PID 4568  taskmgr.exe
  Token: 33  PID 4568  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  PID 4568  taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (setup7.0.exe)
outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (setup7.0.exe)
Processes (indented entries are child processes of the entry above them)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 408)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3328)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd55e46f8,0x7ffcd55e4708,0x7ffcd55e4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4208)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4048)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3640)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1824)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2632)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2616)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3720)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 452)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4708)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1076)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5420 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2204)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3956)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1084)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1160)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8284837165481635371,18354343226895829267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  (PID 2152)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 4196)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (PID 880)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe  (PID 4532)
  "C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - NTFS ADS

    C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe  (PID 5008)
      "C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

        C:\Windows\System32\cmd.exe  (PID 4840)
          "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"
          - System Network Configuration Discovery: Internet Connection Discovery

            C:\Windows\system32\PING.EXE  (PID 3740)
              ping 1.1.1.1 -n 1 -w 3000
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

C:\Windows\system32\taskmgr.exe  (PID 4568)
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads