meduza | hxxps://github[.]com/hugodq/Wave-executor/releases/tag/Download

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/hugodq/Wave-executor/releases/tag/Download

Score

10^/10

meduza collection discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/948-263-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/948-264-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2044-296-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Accesses Microsoft Outlook profiles 1 TTPs 10 IoCs

collection

Email Collection

T1114

Processes:

setup7.0.exesetup7.0.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
38	api.ipify.org
81	api.ipify.org
89	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

setup7.0.exesetup7.0.exe

description	pid	Process	procid_target
PID 504 set thread context of 948	504	setup7.0.exe	135
PID 1828 set thread context of 2044	1828	setup7.0.exe	142

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXE

pid	Process
2504	cmd.exe
3192	PING.EXE
2720	cmd.exe
2264	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
3192	PING.EXE
2264	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exesetup7.0.exesetup7.0.exe

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
396	msedge.exe
396	msedge.exe
3772	identity_helper.exe
3772	identity_helper.exe
3248	msedge.exe
3248	msedge.exe
4344	msedge.exe
4344	msedge.exe
948	setup7.0.exe
948	setup7.0.exe
2044	setup7.0.exe
2044	setup7.0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid	Process
4196	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid	Process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

setup7.0.exesetup7.0.exe

description	pid	Process
Token: SeDebugPrivilege	948	setup7.0.exe
Token: SeImpersonatePrivilege	948	setup7.0.exe
Token: SeDebugPrivilege	2044	setup7.0.exe
Token: SeImpersonatePrivilege	2044	setup7.0.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

msedge.exe

pid	Process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

OpenWith.exe

pid	Process
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe
4196	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 396 wrote to memory of 1936	396	msedge.exe	83
PID 396 wrote to memory of 1936	396	msedge.exe	83
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4764	396	msedge.exe	84
PID 396 wrote to memory of 4260	396	msedge.exe	85
PID 396 wrote to memory of 4260	396	msedge.exe	85
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86
PID 396 wrote to memory of 860	396	msedge.exe	86

outlook_office_path 1 IoCs

Processes:

setup7.0.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

outlook_win_path 1 IoCs

Processes:

setup7.0.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	setup7.0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/hugodq/Wave-executor/releases/tag/Download
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec77846f8,0x7ffec7784708,0x7ffec7784718
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,2946719797903601839,9520323525876609804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4196
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Wave-executor-Download\Wave-executor-Download\README.md
  2⤵
  PID:5044

C:\Users\Admin\AppData\Local\Temp\Temp1_Setup5.0.zip\setup7.0\setup7.0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Setup5.0.zip\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:504
- C:\Users\Admin\AppData\Local\Temp\Temp1_Setup5.0.zip\setup7.0\setup7.0.exe
  C:\Users\Admin\AppData\Local\Temp\Temp1_Setup5.0.zip\setup7.0\setup7.0.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Temp1_Setup5.0.zip\setup7.0\setup7.0.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2504
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3192

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1828
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2044
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2720
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
40f6f6c6e57017de2e96bb354a72e50b

SHA1
690afb74cb8625f821907200ffd3d17c86fca5e7

SHA256
06ebc17b6868859bfb57ecd094d72a7e5d1821b343916d77f2c5e2c6bfc23ef9

SHA512
cef31b8e23e0cbeccaa3deac6eb7845952ebdbacb8e31320f608f599f1f8edb94f6202713277057bc6ccb4f0b8b1309c0e2c0af93eda5147ea808632c3b839d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
e65061de020469bdaed05d0daba5769c

SHA1
a7a42d0dea3fbc3b15db40272f1e3e003c1fd23a

SHA256
1f133e376f6eacf79e71651b1eb9b7d726bdfd460b0930b7b5508ad1d29b0b4a

SHA512
f4cd1f513baa160abb699d97b31908bbeed285c451b778617055f4336b728eadce044669db09b17c37a651c7b1f2d3522f0254f61718e3236d92edfeb7115a7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a51c97bceebdd138fffcd2b0fc69149c

SHA1
69f7b95037c09b067e01aec60f24374ea54ad427

SHA256
80eef1a7288f9f05222e345a4e458ae2b0a0298df9219ecce8844ce4de3df8fe

SHA512
d956a7f92a0892925155207ffb0d488b839fd3a0306956478db5c8ae13d1dad8ee953f4e6b474edbf15b396cd82b07bf8c511bbf233ff7b6f3943dadfb24ba18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
51b771da629d0208a08699aa2ef7b275

SHA1
d1c45b90897cb73f37f310672f97c010717ab2ef

SHA256
010f641b2c897cb3d720e29e9b39f562abe798610603acfe46db87ee1f63e301

SHA512
eed4f655fb07f7df9884b0b6d26b8b9567bd76316c6db0537a872741e924d85cb33482c8cf268eb9d0f6e8db24086a53911a45716285d93f57f39c7c018854f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
5699454a0dd68f885d4a5fab07c4188e

SHA1
ef32cac97128eef982a10f7b0302a2dffa311138

SHA256
e47ce8ce110c2d1433c9aa22e093debba84fee2d62b4e868528a7371e68c94cc

SHA512
0a34dcf5fc3bba4c3a2449233e40ade85e05d545acd2d3f373291cbdeb28a4255289718914de901a58ee57bd3d0aa046962f19bc04dff7cbed07ca43e1f94662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
10KB

MD5
13f43bad6ebbcbf4d3be40b4827332f1

SHA1
84b69cfcc7abf6900fea6da6d232d46517b35553

SHA256
5bc86f2320171114af28da622ce098d300f952bc7b5fd423d77aa69c3b72c339

SHA512
eecc4adc7aae79e3a1da4af27a112b78cf1a39bc0cd536e8f33b00a2dca7e9ef4a4478dae124c91a7159a83fed10e7ad60f9fb1ce027631a0cde475359f058d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
c170aa581205e1c1f55522e45c4c361a

SHA1
86d1aa2e9d9692579ae20b585cea917d6940de5d

SHA256
ffa725868942dbd29948310127675d92dc8cb354ac4fa10885fa4d312f249cdd

SHA512
eff5cacae71b897a69820b05bae80317f1d3cf936c8c425d182031d3d1a07bd032e7066f4dd2f35637ad76b62a1c0c20e9eb900d14da3de880875c86bce085e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
55aa07e96cfb59c6e7da87fde094e15d

SHA1
ff075d47acb930a0b7e873fb5c3c2d6e67b19b70

SHA256
1e82264c9003ee40964fcef09f908a71042da00e51bdb30036446dd09d7dda85

SHA512
cb4691a7d26a36cfb60820cad6929f5ad77b27ae25b9d5f975e7e02791686bcf9e46c0648084346ae078fc3b1aba0685ff2d78a560c308016e29f537eccc526d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
48461e313b610edbd2b2de36010b809e

SHA1
e7a7f617ea5585e259cc3faed6b36d5bac4011bf

SHA256
c470fc13538b83c78c57474c71bfe41d9aa7b8d23e7a0729d668424d3a172ec4

SHA512
edb3095c8e94337302bc3280a3cee819c467d8de470a3f5807e00bd6e75699601ca79d675a7b6d4e53e2fb2ad43a569b275df05bc864afd3f5df190c07383b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1a9c6367e25346f090a1cf0682c6ce31

SHA1
3c8dd75d5730e7064c5b794afb9910be49fd8a15

SHA256
35f8bbdaaa43cb0853b57e1ea0c821e447da5fb59fd1cb593b4dc3580adbd175

SHA512
593321f6e8f227c1a98da08835ba0e0b68874b4367a4b4234a38b0e22b276823f9de379abeed5079779430adcb9c4759655a3cfa7414564d3cacb4a8ee867049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91a30ab26a71f741066cabb1a128d329

SHA1
0df25780cc3c4d134a6ed545b0312089c1e9b069

SHA256
09ea34ec3ad21b58f2e02500a04ca2d2eadca17a7d86b9d89f0933b5c8838ad6

SHA512
6a770341c65f01fcd20797ff18439dfb56ea9b2eddb08bfe611cfc28eb4cf5a0ca974e769460b6f364d938a319773d90382e2f7641b6c0a719b73705aacefd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3ddb244e0f747b17ac5b2b6d3147aecc

SHA1
680b268a9051edaf24f1199c119738c54abde639

SHA256
25c7d3492537cb2758d9328fb058c8d1f525fa63d3319336d1eb14b1c4da0444

SHA512
1390641bf689b6e1e1155b6e3ee78cfdb43f8c63f6ecbeb3a8b26e3b5ba9e601b2154130ee600e54f597582982b4d0f58f3d3e940aaee7eff3e8205ed6fa6713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9f1a5fe73cf8eb74006d92686f85ab6

SHA1
208a1482f60ae1193fe9018a7c947b7d19309a59

SHA256
a765b915065f6926034455f5caa410204cbb5f4476e3e97b324574507443b085

SHA512
d783de4853f73afbb15f79aef95a87e4c61f09ce966d1512cdba833519242463ec3e3e770d1fec16564a9d2fc4db8ff1e6ae0b2c403cd638af0571bcd41d7111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580867.TMP

Filesize
874B

MD5
5f34b8b55f13e22457fea56c1486310d

SHA1
fa9f99581a582118609982c33ef1efba75cc8e21

SHA256
adda5aac58b4a29578fc015e11657be3ce998e9e3321c8df41fe315098424fc2

SHA512
606538aa5e1820fdd3a227aaf316716dbb236e90403a547c9fe79870363f57076541d61e6291a296acb7d6a2d91b76c237c6033a063688dfacb1b10cf53e256d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f7dd745485796bf91026a4cd36d7488d

SHA1
36e3fdb01654866afe346b469f01d38b53fef527

SHA256
3f9a54fb1e9f0674fe4ed4d8f29e5bec40e489a7bdb1682233a276becce92811

SHA512
71a45b2329b3909a8ee15edaad9d6598b1791bfca29f49b98acd99f0bff9587fedd01d5d4b6305241945c6b287ba782c254b2674234c78a5199261c041b35447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85b266a7e8a680ef66510db961676b6b

SHA1
1a8d79176b3ad9cdf7a649df4bde6f2cbf16adbc

SHA256
26f0833ff5e1cb6895ec9113eb0a66e3d826381396577f6e09d889def8a63f48

SHA512
78a97ca3e040877c05876d7c5392c81ce66eae0277a6532f4b1064f1772722c73d1a8d383cbca0a54451c23313aae0f89cf05df80a9a07e46d3fa8d5e4530a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a665f08a854c352275ed2fd8485a51c2

SHA1
d5d20594986b6bdbee77d70e022daad2cd53cc72

SHA256
4fff7913d1b8feb9818bfd477b077b10d8c915f56372c1307e1160e4e273ca29

SHA512
6aa141419ccaf4342731b2fbb50845b205e7c214b4f37e9df2b1a6caad6ea45510afb98e8d0018bf687e30f34d63878f67f1ba9fa0f484b2a96d6afffe6233ea

Download Submit
C:\Users\Admin\Downloads\Setup5.0.zip

Filesize
2.3MB

MD5
d7d4d1c2aa4cbda1118cd1a9ba8c8092

SHA1
0935cb34d76369f11ec09c1af2f0320699687bec

SHA256
3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea

SHA512
d96d6769afc7af04b80a863895009cd79c8c1f9f68d8631829484611dfce7d4f1c75fc9b54157482975c6968a46e635e533d0cad687ef856ddc81ab3444bb553

Download Submit
C:\Users\Admin\Downloads\Wave-executor-Download.zip

Filesize
375B

MD5
46a772f6dbd1c205df7cfaef4c0f5579

SHA1
6fb5621729167ec9a1e148c896f5ab84e8ca6e90

SHA256
5b162f6f1ef7c00ca7f48f29b9acfe192b751191cf934a2506b98fb9df925ed9

SHA512
47c09f4cb5d81e01d6123d8f3b39ee3a3919895d88734cdf493dd4b7bdc20c9bff795f69572bc6745ba8684f4ce5363bab1a9bc459aee748b2ee70b3d0923748

Download Submit
\??\pipe\LOCAL\crashpad_396_OTZZCNBHAZOSAEAO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/948-264-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/948-263-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2044-296-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download