meduza | 9312a20e0409ada73ef119b6b26f7dae1c81e8b00a63e7b5e2358ddd8066dd46

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

643.7MB
MD5

4eaf2c02540aa2bb4c0b5f76e1a26ce3
SHA1

319ca954b91ed6dec2763ac9794fc51594038859
SHA256

9312a20e0409ada73ef119b6b26f7dae1c81e8b00a63e7b5e2358ddd8066dd46
SHA512

468ab4ba5502e7b2b6804302dab39a722add61873b032b468d82971b9f65ddac16d84a5386d6b9bf8b0899333c3c3e06354833a358f5294faf20595e95fb9eff
SSDEEP

98304:S57FKBSfaYFYL8AnEOp0tTbeLvam4wEn4:g8ofp8EOp0tTSvam4wA4

Score

10^/10

meduza discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/4248-883-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral2/memory/4248-884-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
91	camo.githubusercontent.com
92	camo.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4380 set thread context of 4248	4380	setup7.0.exe	129

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2424	Wave.exe
2556	msedge.exe
2556	msedge.exe
4480	msedge.exe
4480	msedge.exe
1096	identity_helper.exe
1096	identity_helper.exe
4860	msedge.exe
4860	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	Wave.exe
Token: SeIncreaseQuotaPrivilege	2424	Wave.exe
Token: SeSecurityPrivilege	2424	Wave.exe
Token: SeTakeOwnershipPrivilege	2424	Wave.exe
Token: SeLoadDriverPrivilege	2424	Wave.exe
Token: SeSystemProfilePrivilege	2424	Wave.exe
Token: SeSystemtimePrivilege	2424	Wave.exe
Token: SeProfSingleProcessPrivilege	2424	Wave.exe
Token: SeIncBasePriorityPrivilege	2424	Wave.exe
Token: SeCreatePagefilePrivilege	2424	Wave.exe
Token: SeBackupPrivilege	2424	Wave.exe
Token: SeRestorePrivilege	2424	Wave.exe
Token: SeShutdownPrivilege	2424	Wave.exe
Token: SeDebugPrivilege	2424	Wave.exe
Token: SeSystemEnvironmentPrivilege	2424	Wave.exe
Token: SeRemoteShutdownPrivilege	2424	Wave.exe
Token: SeUndockPrivilege	2424	Wave.exe
Token: SeManageVolumePrivilege	2424	Wave.exe
Token: 33	2424	Wave.exe
Token: 34	2424	Wave.exe
Token: 35	2424	Wave.exe
Token: 36	2424	Wave.exe
Token: SeDebugPrivilege	4248	setup7.0.exe
Token: SeImpersonatePrivilege	4248	setup7.0.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2608	4480	msedge.exe	94
PID 4480 wrote to memory of 2608	4480	msedge.exe	94
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 380	4480	msedge.exe	95
PID 4480 wrote to memory of 2556	4480	msedge.exe	96
PID 4480 wrote to memory of 2556	4480	msedge.exe	96
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97
PID 4480 wrote to memory of 4040	4480	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffc79b46f8,0x7fffc79b4708,0x7fffc79b4718
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,11820005271923279518,2529527119867687358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4084

C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
"C:\Users\Admin\Desktop\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4380
- C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
  C:\Users\Admin\Desktop\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
25KB

MD5
e29b448723134a2db688bf1a3bf70b37

SHA1
3c8eba27ac947808101fa09bfe83723f2ab8d6b0

SHA256
349cc041df29f65fd7ffe2944a8872f66b62653bbfbd1f38ce8e6b7947f99a69

SHA512
4ce801111cb1144cfd903a94fb9630354bf91a5d46bbbe46e820c98949f57d96ec243b655f2edeb252a4ec6a80167be106d71a4b56b402be264c13cc208f3e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e3bea0b2a4c5b1ce66e91cab5a0595c5

SHA1
892b39c09fae207df4c49eb8a22fb3a2ddcbcbff

SHA256
917535e312ab5f201dbe97e4c33363fda7b4dff2238a0bc8be0e52b62d8f3330

SHA512
14415ecb0390a8d6da120aff0a69b6829a76b69ec5be8f165b77b0601bfe58720cf9cc0eef1d6474e5cc203a65a733009d914967f831895ccae94e60947c780e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3d5e659984cdcf3f5ed5d2f504d315df

SHA1
62602716090de89041a34a4cbb332613d6724238

SHA256
3beb6fd2f3bef8620ee852848c424ac974551522410e9f1f81ed92a514d50464

SHA512
dcc89fb8259ad5c55b4e79f410753d0cf53353fdf389ec633755e75df3b87165a86b7b9af92aa309128dc80275df798bcc6353a34009d2fe9cce1ca505bafc22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3eba831392bb4f9ff2c1c240d9bf9a7c

SHA1
37a97b57d07bd0dfb2bd7d2227b373d009cce76e

SHA256
467c5bb58d2080046a79bf2c34416ac66adda50c7cf0586a1cac4506f4fe1c84

SHA512
ad7411c75a3496bf0b3cc5e209fc4b7911b96cbb97e44e466359b66f4b5def20efcb527aebb1406dcd77fae9e03b5fc9919a95516f1667b3dcc98c7fe76b64aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c05395dbf2b933f6409a638f438339a

SHA1
4a3c4e51760803d3a63683e4d03bd43791c38189

SHA256
f7db0d5d46f092ef6c6f0432c1924523f5a3b45e8bcaa3e3f6adbe7480618c0f

SHA512
07309636d797e06503d40d23bbe21cde4bbe5e90dca7bcb413653a796efbbdd5ad2297ad9957a74647c77d22c7158129220ff06bb7a193149623c2fa940e073d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98e468eb3e45c808f20268a44ae0a2cf

SHA1
dc1a533c831c4a55e3cbac23909f9a58ba63c139

SHA256
e168aa0fd5e0d167c244a8fc860efea5a286c99075aa0d7e06d26f0dad946e4c

SHA512
478cd7b8b17dbd7d5f2547801c709b01dfc3eeff5e7fbe4ed41a8d2951ab6e5e78e3dcae15d3ab93986caf0bffb7d8c3637d9528312b857655ea6e793403249e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0971315cc811439bf11ee9c452c3bcaa

SHA1
9ad8b0ef1b72754210e856cc80e62f3140cdef4c

SHA256
c1999870cfbb9ef08e9a7add3699e0f42bb5c05ac5f8bcce29733b0cbd8cbcac

SHA512
21fea10b79f259d5cd6a8ef139efc44e64ff1d35e4105928b9fd5c5a683aa9a55d714ae2992b78e502eb5f110cb41326c62a06ebaaaccd053c2d61dc44d4a4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cb65a5f4e04fe878752e63a48bff55d1

SHA1
56cce00592d5ba9143c7fbfa98f9cae124669730

SHA256
fcd77d635168e80f2517174b397956470dbc8f7a0bb59805e2de382a47b4df5a

SHA512
646aaa3f4038518db8d875769f92e37b2f051e4cab0208a9ecbaa835d17f03f3e8e1f2ce793cd7adfb43802ee98a170bc92d00a6dc30633499f64f645bb80942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
452e67f303a3cceefedfd1325f826c55

SHA1
cbcaf570a9054c979119f9d35343ee3a95f96615

SHA256
219a35dd6f6f0e9ed75a88989e2c21ee404ab1cbb7813691832b9f6dc501a244

SHA512
d14b5e43555041670368bd3fe33276d3636a040effb377446d5793e4672a51952bb60ef2c3359684e681f1327137167d05d770a89f70c77a530f818e59423dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bd0cfccba312645840c89af88bdf608d

SHA1
0facacec3887447da165435750c2dc14640cdda2

SHA256
54f636884623431f3097635b808eea3c62492023a67efad8b92f0e931682955f

SHA512
2fc912814b629bac9c13df9ceee45287aba7b3253e33ac72f4887e5d38a04df9dd088da49f94635b555446091bbc17a482a36fbdd4062a70f9d3405baf21ec4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69abb1499a7f157fe608f517810530bb

SHA1
a1ffe862cc8ff1f0ea6a7c6c6690f68e40005905

SHA256
5468b49c89d753d505c9f42e3ba736688befa4544929c301bfe3ab096af6fe20

SHA512
67845a04f8a79f8ee2379e53111f12713dd136ca005295aaea4a4be2c72d29d95d3cc1c2754ecdd3ebf2746f2c5db7308caa904fcdd41b6f1a04715e32b158cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
985ce370334798cc2acf15bb3e4706c2

SHA1
d9914952b616756d256cb4e4fa70c4d740896b2c

SHA256
cfd61ba6cb96f1dfb1125fccd993f451c578b89593713c8913972062bdfe8278

SHA512
0bfabf3c3f7788cb0f1d04c82d3828965f31958605407e5a788cea576f36e6b345364f534927e8fe7ba048c0b848805108941c80f954350b7229f674e86d2a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a74f479297833097fa266e9821b113ec

SHA1
76ca4cb01a121cce5da2bccd911e20e2f96163b6

SHA256
39fbf5d92f5e2ee2082996c67a393bec49f9ba8c09da3548e056c44987649322

SHA512
61ad5f00c1b011b6cf9e6d01ef51e9abf6c80bc2c99a4e70f6ac40f33ad17317655700efec7232b7fec2c571d766f718ebfd01c4af8425aba7d8924fdc5e9ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cff52edacdf666b8c10c3380b12eef19

SHA1
e71f962d5ffb9fa0b2b52125bfc1068ad23283dd

SHA256
f16c5c32fc3d84bf731dd2d191b9fe59de89939f36a3a1b5f40d9b04c0ab952c

SHA512
1e65737b44d92b47e294fab5e4ad15cbdf05596d570932ce70488c638c361f9010f0141fdaa0d2af730717f4782cf933a43dcab07d4697a6be2a8fa7ff77df7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
789084fe171b42f4d0e3523c6f84d37f

SHA1
cea92fa4b7462b872aebafa7913ecb6b1880f78e

SHA256
ddaafaf5d486797dc293771b61d20003171d36b6e29b68c986fe89b52dcf00cb

SHA512
3eaa7035a0777cd06c6b4888365b2b6192c066562228c08734d2b415c7b17bba0799cabaa49ee79b85396893e55118734f182d23c49eec5f435aab708cf3f45a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cea5.TMP

Filesize
538B

MD5
b298e29b78d05757984a193765f0eb2b

SHA1
955abfbc8c211ea179e725f2eba9f2a08ad69ea2

SHA256
f6bdf976d1530d48daa9d95a4e90c7c24d476f66eedf9954edbe9daef2ba95e6

SHA512
6dcb7c0f071cf6aeb3a0181331336108c9e850fc19648a09e81869694c39ac7ccb27ac8ef4c23d727c21e098639b630c024e2297cef529e2627a3fd87cef006d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b9d1d100c5d0b4ead099b99433e6c89b

SHA1
0ccdbc19eaf2a65c19f13c88e5ed2970e8e313bb

SHA256
19b854006d9ee35b01127a580518cae68e5560b19a575d94ffc7646c1da23dea

SHA512
e6ef54f6ea9b035883a3f6dc120c9cac964b8527bef8bcd79ea50d1eafbe948ce48f49ed2274781fb1a186b96b570e9c6b554484f2be0abc8eb9af2161d30afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d24a749a8df38ad201cd39652af8ec08

SHA1
3fb4b8ae669c2432f2f2090e943bd8dc06c4bcae

SHA256
d368bf49b956906ce78d1898abbfcfaf4486609a8bea528d4b1e80f2e1524e66

SHA512
c1816908bbba01a2006ae10a40bc4b21b69cca58e5ab6da93f972dd8d0ad007ec4fd3fdc08e8f57082fec7c34ead451ad67d983597ce4e5ee362500faa776368

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pok5bn25.g32.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Setup5.0.zip

Filesize
2.3MB

MD5
d7d4d1c2aa4cbda1118cd1a9ba8c8092

SHA1
0935cb34d76369f11ec09c1af2f0320699687bec

SHA256
3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea

SHA512
d96d6769afc7af04b80a863895009cd79c8c1f9f68d8631829484611dfce7d4f1c75fc9b54157482975c6968a46e635e533d0cad687ef856ddc81ab3444bb553

Download Submit
memory/2424-7-0x00007FFFD1D80000-0x00007FFFD2841000-memory.dmp

Filesize
10.8MB

Download
memory/2424-4-0x00007FFFD1D83000-0x00007FFFD1D85000-memory.dmp

Filesize
8KB

Download
memory/2424-5-0x00007FFFD1D80000-0x00007FFFD2841000-memory.dmp

Filesize
10.8MB

Download
memory/2424-0-0x00007FFFD1D83000-0x00007FFFD1D85000-memory.dmp

Filesize
8KB

Download
memory/2424-21-0x00007FFFD1D80000-0x00007FFFD2841000-memory.dmp

Filesize
10.8MB

Download
memory/2424-17-0x00000245EB1F0000-0x00000245EB212000-memory.dmp

Filesize
136KB

Download
memory/2424-3-0x000002459A320000-0x000002459A4C9000-memory.dmp

Filesize
1.7MB

Download
memory/2424-2-0x00007FFFD1D80000-0x00007FFFD2841000-memory.dmp

Filesize
10.8MB

Download
memory/2424-18-0x00007FFFD1D80000-0x00007FFFD2841000-memory.dmp

Filesize
10.8MB

Download
memory/2424-1-0x0000024600000000-0x0000024601000000-memory.dmp

Filesize
16.0MB

Download
memory/2424-19-0x000002459A320000-0x000002459A4C9000-memory.dmp

Filesize
1.7MB

Download
memory/2424-54-0x000002459A320000-0x000002459A4C9000-memory.dmp

Filesize
1.7MB

Download
memory/2424-20-0x00007FFFD1D80000-0x00007FFFD2841000-memory.dmp

Filesize
10.8MB

Download
memory/4248-883-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4248-884-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download