meduza | hxxps://github[.]com/phenomenon1972/Solara-Executor/releases/download/Download/Setup5[.]0[.]zip

Analysis

max time kernel
68s
max time network
72s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-11-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/phenomenon1972/Solara-Executor/releases/download/Download/Setup5.0.zip

Score

10^/10

meduza collection discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4816-89-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4816-88-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4816-90-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4816-91-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/3308-113-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4816-114-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

setup7.0.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
12 api.ipify.org

flow	ioc
5	api.ipify.org
12	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

setup7.0.exesetup7.0.exe

description	pid	process	target process
PID 4712 set thread context of 4816	4712	setup7.0.exe	setup7.0.exe
PID 4064 set thread context of 3308	4064	setup7.0.exe	setup7.0.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763458364256270"	chrome.exe

Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Setup5.0.zip:Zone.Identifier chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Setup5.0.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exesetup7.0.exe

pid	process
3376	chrome.exe
3376	chrome.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe
4816	setup7.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3376 chrome.exe
3376 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

652 MiniSearchHost.exe

pid	process
652	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3376 wrote to memory of 4360	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4360	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4404	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4984	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4984	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe
PID 3376 wrote to memory of 4000	3376	chrome.exe	chrome.exe

outlook_office_path 1 IoCs

Processes:

setup7.0.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

outlook_win_path 1 IoCs

Processes:

setup7.0.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/phenomenon1972/Solara-Executor/releases/download/Download/Setup5.0.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc20acc40,0x7ffdc20acc4c,0x7ffdc20acc58
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,5396725536055567501,1691355112717553309,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1552,i,5396725536055567501,1691355112717553309,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:3
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,5396725536055567501,1691355112717553309,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,5396725536055567501,1691355112717553309,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3060 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3032,i,5396725536055567501,1691355112717553309,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,5396725536055567501,1691355112717553309,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:72
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4316,i,5396725536055567501,1691355112717553309,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4356 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4744

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4712
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:4816

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4064
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  PID:3308

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3c1b2875508aa5bd2b09930f743402c8

SHA1
e9d07def035dec8a16b5800f74c163049b711a99

SHA256
fb91b721ced42b0c3a556a8d4b5dacbc9e735ae4b560a40e14514e7b8dc1f491

SHA512
9abfeca5bdb323c543f503ad5338d7a49657794c5f978f1a6a7430b7a6ba509d9fc7f4224f42a83adad7f4449282499b403b523315cb5a6f4cf556bac7a56453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
71bc6c452b724a0a9a2fb7453d1d686e

SHA1
730162bfce634030eedbec1a5d4afdc9b0168700

SHA256
9b2d4fd1fa1400ea3a2433741f40240ab13d50286b4a666a8e89fd9323632f04

SHA512
833e7da2f02a185d6ee71c4016f182ac8665d0fa4e8d156ac8ed85631440627de7215d174f15c257ae09be65e041884aea9513bea89367277b5b493cdf99d925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
332B

MD5
090b2ce7c65f351c1e59519d36af4b75

SHA1
d589cebcb66f494bf0db466d1454ec8ab47e75bc

SHA256
6e45ba9c99a9cbeab6917319b1809b34a177957536dab8e86a2452c40e754a99

SHA512
a00bdad75f055911dab3c64e6c472477185442084cd407891685488d47cb4d2ae600c6f988b0631f10f906f93ab984dccf633f09dd68a3204bc038b66a8a8fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\52d17b22-af61-486d-99b2-3027931514b5.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
76ab698ae1f369a38c5c16577fc74866

SHA1
494fb80b0830fa6bd6cd0c6943cbce9d1a8cfc73

SHA256
b3c216084e039a529ed69aec01ec5dbf0abbf68f0710297c9a3d72a584a1c0db

SHA512
b13494d1014b7d71265ae51e5c8c9d09c15f9d9d8e0cc0ff3d93c25967dcdfa7a35e073b0ac5c7413f731d56ecc9728ef325f71541d22420df95e44436cde044

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
a4ba79d7e822ef1993e6dc215e68d835

SHA1
fb4ea4c6af6a2c27679c13a2bee736ab4a856425

SHA256
78d08da2773cfd72535fa5da42169ac2b04b130c0d2e5eb69289349d2f9b2b06

SHA512
34e9877e91a66845f5cde35c9a106b4d734d58a2351630ba6e224595527c6604b5c169e53a52468d3910014e7a39d179f882e9e854a74a2f4a4e4ac93b54ccc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
49a6d4b42f1522ef290cb7a29244b079

SHA1
ab2b3eaa3fe9a54ae5422f98a34f869d369dd678

SHA256
f3125c1a5f1c7528ce51b2a509e56248fcf4edd5e2f3528d00c94ecdd6d550f2

SHA512
5c7cb2b09ccd824bb001726e989664d6045f9a58ff7a3506c88b3e0f4e08329d452f5ffccdfe9e49780e40feab92fb53e77e71c9d064a95cf6aeafeab5da2322

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3f3631c146997248e309807940ff9cb

SHA1
ed26ca53f1d6d33492f547ee754c581a631e2704

SHA256
6a03e49551ea481761aadbd9fe280a7244ccba795778f9fa2203c0ca2c10803e

SHA512
83188a55a9f821d250a0145dd40ce575da11589ed150f840ca6ce1ec2ce10bd7374e4e67fc185eb72e4a0214eb6e0a061567d0773e97cde96d098d1325e5031b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5c190b6b86350b7b516b1f64ce28bdad

SHA1
e9209cd8759970a5423a8410ed3f94fd84951c86

SHA256
91168663a6edf4b784fd644aec7851b27d801f79ffb5efa9b1570d40c8a2c31a

SHA512
536133e08e4ab2fa8e28741649dcf55d270a3e344b9f3287872d74f1ef195233651267283469a2482c06af1d8b9a9d9fcf0e02b8570d5741e4a7874f08990393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f5c0dc890bf4fa480037c1d931cfda32

SHA1
307a19fc10b2af36b2cbd049ef96d5c5bfeef975

SHA256
df49b4406c866f2afe8715138ef9d30ee1520aaf1dd6da768e75d7f5d70be53f

SHA512
4399418c4bf7fe6e35cf45451d400703073634d4e7ed117c13d3ec6c26a60596c797938713e38a12588493a6756787f10f33972339aa4f75c7bcb8db2e44e9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
d16edff631957f8d4113388965ec5bd1

SHA1
8c1b30d1ecb84ec2aa4f9cda067ce31e249b4652

SHA256
ee765be05dd48fbc02a8fe16080ee96f004b9df01d83347b29a01110d02b7aa0

SHA512
a0990a8fef00d0e49f4793a5b23d6a67a318cb0c23acd5e0445414a06b03cda5876dca07bd193acf48b1ec29653985e415ad6e0ad00573f43a86c38e3c284587

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
fa2e6e214c7217b5a827e0bd946d893e

SHA1
715819370997ae100825449ea5bf371bfeca6f23

SHA256
ffff845abdcac2d0017f8b10d48a5394cf81c38a5649c768dc62387845fc1245

SHA512
1f47d28e6d56bf042e71cfaaa69e1e57d4fdffd25a51dbbdf85c27a213262c3ceeaec349f7e4d307ea13370ccbe2e1e3fb361eed8672b14f498d7907ae7f43af

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
96329c73cc49cd960e2485210d01c4d2

SHA1
a496b98ad2f2bbf26687b5b7794a26aa4470148e

SHA256
4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466

SHA512
e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
847a64ce22adca83e091e5403ef844ed

SHA1
f2cf8559f0eba3d237cee1162b811613d2a0c308

SHA256
1db255895b125edbed50b5296edafaf303dde2b93a600313b6a1aa61f9ec2b88

SHA512
94abff56e498bfd7af0e72a652a0b03d29cbe7d0322f43cb8fa4182cfa829ec6d608c5bb3f6deaaf1dcaae764c90036beedb503109c8080999dfaf2d6a2e9de6

Download Submit
C:\Users\Admin\Downloads\Setup5.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_3376_ROMYUWTYFDVLKJAC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3308-113-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4816-89-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4816-91-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4816-114-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4816-90-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4816-88-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download