Analysis Overview
SHA256
ec711f3d9eb360eb08ef30c0b315de37a59da35bd6e332d8f19d18fc480d9a3c
Threat Level: Known bad
The file setup7.0.exe was found to be: Known bad.
Malicious Activity Summary
Meduza
Meduza Stealer payload
Meduza family
MetaSploit
Metasploit family
Seon
Seon family
Renames multiple (114) files with added filename extension
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Writes to the Master Boot Record (MBR)
System Binary Proxy Execution: Verclsid
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Program Files directory
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
NTFS ADS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Note: in the behavioral2 tables below, Drops file in Program Files directory, Enumerates system info in registry, Modifies data under HKEY_USERS, Modifies registry class and Suspicious behavior: EnumeratesProcesses are attributed only to chrome.exe, msedge.exe, identity_helper.exe or Chrome's own installer (setup.exe under Program Files); they describe the browser sessions started during the detonation, not the sample. The rows attributed to setup7.0.exe, GoldenEye.exe and the three dropped executables under AppData\Roaming are the ones that describe the sample.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-13 03:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-13 03:22
Reported
2024-12-13 03:25
Platform
win10v2004-20241007-en
Max time kernel
164s
Max time network
177s
Command Line
Signatures
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Meduza family
MetaSploit
Metasploit family
Seon
Seon family
Renames multiple (114) files with added filename extension
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup7.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{c2aa3851-5b4c-4bc5-ba5e-cdfeab54cf63}\certreq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{62f0e3d9-0d83-4ed0-807c-f7b564fe1b48}\RdpSa.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Binary Proxy Execution: Verclsid
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\verclsid.exe | N/A |
| N/A | N/A | C:\Windows\system32\verclsid.exe | N/A |
| N/A | N/A | C:\Windows\system32\verclsid.exe | N/A |
Note: the three command lines in the process list (verclsid.exe /S /C {CLSID} /I {000214E6-0000-0000-C000-000000000046} /X 0x401) are Explorer's standard shell-extension check: the /I value is IID_IShellFolder and the /C values are the Explorer folder CLSIDs for Downloads ({374DE290-123F-4565-9164-39C4925E467B}), Pictures and Documents. With no parent or command-line evidence tying them to the sample, they are consistent with Downloads being opened in Explorer to launch GoldenEye.exe, not with the sample proxying execution through verclsid.exe.
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3900 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\setup7.0.exe | C:\Users\Admin\AppData\Local\Temp\setup7.0.exe |
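Four of the rows above are what separate the sample from the browser activity in the same run: setup7.0.exe (PID 3900) setting the thread context of a second setup7.0.exe instance (PID 1196, whose memory dumps in the Files section start at 0x140000000, the default image base of a 64-bit PE, as expected for a hollowed copy of itself); GoldenEye.exe dropping rekeywiz.exe, certreq.exe and RdpSa.exe, names of binaries that ship in System32, into GUID-named directories under AppData\Roaming; and the dropped rekeywiz.exe opening \??\PhysicalDrive0 for modification. The checks below are an added example and not the sandbox's signature logic. The event stream is constructed from the Process and Indicator columns; the PIDs other than 3900 and 1196, the event shape and the C:\Windows path exclusion are assumptions.

```python
"""Host-side checks for the sample-attributed rows in the behavioral2 tables.

Added example for this page, not the sandbox's signature logic. EVENTS is
constructed from the Process/Indicator columns above; PIDs other than 3900 and
1196, the event shape and the C:\\Windows exclusion are assumptions.
"""
import re
from dataclasses import dataclass

# Names of Windows binaries the dropped files reuse (all ship in System32),
# plus two that appear in the process list and must not be flagged there.
SYSTEM_BINARY_NAMES = {"rekeywiz.exe", "certreq.exe", "rdpsa.exe",
                       "verclsid.exe", "svchost.exe"}
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\\", re.I)
RAW_DISK = re.compile(r"^\\(?:\?\?|\\\.)\\PhysicalDrive\d+$", re.I)


@dataclass
class Event:
    kind: str               # "process", "file_write" or "set_thread_context"
    image: str              # acting process image path
    pid: int = 0
    path: str = ""          # file_write target
    target_image: str = ""  # set_thread_context target
    target_pid: int = 0


def is_windows_path(p):
    return p.lower().startswith("c:\\windows\\")


def basename(p):
    return p.rsplit("\\", 1)[-1].lower()


def check(ev):
    """Return the rule names an event trips (empty list if none)."""
    hits = []
    if ev.kind == "process":
        if basename(ev.image) in SYSTEM_BINARY_NAMES and not is_windows_path(ev.image):
            hits.append("system-binary name outside C:\\Windows")
        if GUID_DIR.search(ev.image):
            hits.append("executed from GUID-named directory")
    elif ev.kind == "file_write":
        if RAW_DISK.match(ev.path) and not is_windows_path(ev.image):
            hits.append("raw write handle to a physical drive (MBR)")
    elif ev.kind == "set_thread_context":
        if ev.target_pid != ev.pid and basename(ev.target_image) == basename(ev.image):
            hits.append("thread context set in a second instance of own image (hollowing)")
    return hits


TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
EVENTS = [
    # PIDs 3900 and 1196 come from the SetThreadContext row; every other PID is made up.
    Event("set_thread_context", TMP + r"\setup7.0.exe", pid=3900,
          target_image=TMP + r"\setup7.0.exe", target_pid=1196),
    Event("process", r"C:\Users\Admin\Downloads\GoldenEye.exe", pid=4100),
    Event("process", ROAM + r"\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe", pid=4200),
    Event("file_write", ROAM + r"\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe",
          pid=4200, path=r"\??\PhysicalDrive0"),
    Event("process", r"C:\Windows\system32\verclsid.exe", pid=4300),
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe", pid=4400),
    # Not flagged by design: the Windows-path exclusion (see the note after the block).
    Event("file_write", r"C:\Windows\System32\svchost.exe", pid=4500,
          path=r"\??\PhysicalDrive0"),
]


def run(events):
    """(pid, image basename, rules tripped) for every event that trips something."""
    out = []
    for ev in events:
        hits = check(ev)
        if hits:
            out.append((ev.pid, basename(ev.image), hits))
    return out


if __name__ == "__main__":
    for pid, name, hits in run(EVENTS):
        print(f"PID {pid} {name}: " + "; ".join(hits))
```

The C:\Windows exclusion keeps Windows' own raw-disk access out of the results, which is also why the svchost.exe event is not flagged; a payload injected into a Windows process needs a different rule (process lineage, or any raw-disk write at all during a detonation). GoldenEye.exe itself trips none of these rules: what identifies it in this report is what it drops, not what it does in its own process.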
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Crashpad\metadata | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files\Crashpad\settings.dat | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{c2aa3851-5b4c-4bc5-ba5e-cdfeab54cf63}\certreq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{62f0e3d9-0d83-4ed0-807c-f7b564fe1b48}\RdpSa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133785338066310800" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\{c2aa3851-5b4c-4bc5-ba5e-cdfeab54cf63}\certreq.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\{62f0e3d9-0d83-4ed0-807c-f7b564fe1b48}\RdpSa.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\GoldenEye.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 608406.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
"C:\Users\Admin\AppData\Local\Temp\setup7.0.exe"
C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb27b4cc40,0x7ffb27b4cc4c,0x7ffb27b4cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1952 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2000,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7f6f54698,0x7ff7f6f546a4,0x7ff7f6f546b0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4684,i,6608781270075531799,16884870113346067875,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb27ed46f8,0x7ffb27ed4708,0x7ffb27ed4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5408 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6476 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,7563211314966095810,2168856311236910042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
C:\Users\Admin\Downloads\GoldenEye.exe
"C:\Users\Admin\Downloads\GoldenEye.exe"
C:\Users\Admin\Downloads\GoldenEye.exe
"C:\Users\Admin\Downloads\GoldenEye.exe"
C:\Users\Admin\Downloads\GoldenEye.exe
"C:\Users\Admin\Downloads\GoldenEye.exe"
C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe
"C:\Users\Admin\AppData\Roaming\{a3aa137c-f466-43cb-b663-d50d14f3a74c}\rekeywiz.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Roaming\{c2aa3851-5b4c-4bc5-ba5e-cdfeab54cf63}\certreq.exe
"C:\Users\Admin\AppData\Roaming\{c2aa3851-5b4c-4bc5-ba5e-cdfeab54cf63}\certreq.exe"
C:\Users\Admin\AppData\Roaming\{62f0e3d9-0d83-4ed0-807c-f7b564fe1b48}\RdpSa.exe
"C:\Users\Admin\AppData\Roaming\{62f0e3d9-0d83-4ed0-807c-f7b564fe1b48}\RdpSa.exe"
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {374DE290-123F-4565-9164-39C4925E467B} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
Network
| Country | Destination | Domain | Proto |
| DE | 109.107.181.162:15666 | N/A | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FR | 172.217.20.206:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 206.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| FR | 142.250.178.138:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 138.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.20.217.172.in-addr.arpa | udp |
| GB | 95.101.143.219:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 219.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 95.100.195.160:443 | th.bing.com | tcp |
| US | 95.100.195.135:443 | th.bing.com | tcp |
| US | 95.100.195.135:443 | th.bing.com | tcp |
| US | 95.100.195.160:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.68:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 160.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 95.100.195.160:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.108.133:443 | user-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| GB | 23.73.137.233:443 | aefd.nelreports.net | tcp |
| US | 8.8.8.8:53 | 233.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
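The table above mixes three kinds of rows: reverse (PTR) lookups of addresses, traffic from the Chrome and Edge sessions in the process list, and the traffic that is actually the sample's. The script below is an added example, not part of the sandbox's output: it parses rows in the table's own format, converts in-addr.arpa names back to addresses so that addresses which were reverse-resolved but never appear as a destination stand out, and isolates connections with no domain at all. Applied to the full table it leaves the TCP session to 109.107.181.162:15666 (DE, no domain, not tied to any signature above) as the one connection to pivot on, with raw.githubusercontent.com as the host the Legitimate hosting services signature names. The embedded rows are a subset of the table (Domain written as N/A where the table leaves it blank), and NOISE_SUFFIXES is an assumption about what this VM image and its browsers generate on their own.

```python
"""Pick the hunt-worthy rows out of a sandbox 'Network' table.

Added example for this report, not tooling from the sandbox vendor. The rows
below are a subset copied from the table above (Domain written as N/A where the
table leaves it blank); NOISE_SUFFIXES is an assumption about what a Windows 10
image with Chrome and Edge generates on its own.
"""
import ipaddress
import re
from collections import namedtuple

Conn = namedtuple("Conn", "country dest_ip dest_port domain proto")

# One markdown row: | Country | Destination | Domain | Proto |
ROW = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")

SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| DE | 109.107.181.162:15666 | N/A | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 95.101.143.219:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
""".splitlines()

# Background traffic of the VM and its browsers (assumption; tune per image).
NOISE_SUFFIXES = (".google.com", ".googleapis.com", ".bing.com",
                  ".microsoftonline.com", ".nelreports.net")


def parse_rows(lines):
    """Turn table rows into Conn tuples; skips the header and non-row lines."""
    conns = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m or m.group(1) == "Country":
            continue
        country, dest, domain, proto = m.groups()
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port),
                          None if domain in ("", "N/A") else domain, proto))
    return conns


def ptr_to_ip(name):
    """'164.20.217.172.in-addr.arpa' -> '172.217.20.164'; None for other names."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def unattributed_connections(conns):
    """Connections with no domain that are neither DNS nor multicast: a sample
    talking to a hard-coded address is the first thing to pivot on."""
    return [c for c in conns
            if c.domain is None and c.dest_port != 53
            and not ipaddress.ip_address(c.dest_ip).is_multicast]


def ptr_only_ips(conns):
    """Addresses the VM reverse-resolved that never appear as a destination:
    connections the capture did not attribute, or Windows background traffic."""
    dests = {c.dest_ip for c in conns}
    resolved = {ptr_to_ip(c.domain) for c in conns} - {None}
    return sorted(resolved - dests)


def interesting_domains(conns):
    """Forward lookups that are neither PTR chatter nor known background noise."""
    seen = []
    for c in conns:
        d = c.domain
        if d is None or d.endswith(".in-addr.arpa") or d.endswith(NOISE_SUFFIXES):
            continue
        if d not in seen:
            seen.append(d)
    return seen


if __name__ == "__main__":
    conns = parse_rows(SAMPLE_ROWS)
    for c in unattributed_connections(conns):
        print("unattributed:", c.dest_ip, c.dest_port, c.proto, c.country)
    print("ptr-only:", ptr_only_ips(conns))
    print("domains:", interesting_domains(conns))
```

Feed it the whole table rather than the embedded subset and the PTR-only list grows to a dozen addresses in Google, Microsoft and Akamai ranges, none of them the DE endpoint; the 109.107.181.162 session is also the only one in the table without a preceding DNS query, which is the usual shape of a hard-coded C2 address, though the page itself attaches no signature to it.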
Files
memory/1196-0-0x0000000140000000-0x000000014013E000-memory.dmp
memory/1196-1-0x0000000140000000-0x000000014013E000-memory.dmp
memory/1196-2-0x0000000140000000-0x000000014013E000-memory.dmp
memory/1196-3-0x0000000140000000-0x000000014013E000-memory.dmp
memory/924-20-0x00000222F9840000-0x00000222F9850000-memory.dmp
memory/924-4-0x00000222F9740000-0x00000222F9750000-memory.dmp
memory/924-36-0x00000222FDE00000-0x00000222FDE01000-memory.dmp
memory/924-37-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-38-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-39-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-40-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-41-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-42-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-43-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-44-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-45-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-46-0x00000222FDE20000-0x00000222FDE21000-memory.dmp
memory/924-48-0x00000222FDA40000-0x00000222FDA41000-memory.dmp
memory/924-47-0x00000222FDA50000-0x00000222FDA51000-memory.dmp
memory/924-50-0x00000222FDA50000-0x00000222FDA51000-memory.dmp
memory/924-53-0x00000222FDA40000-0x00000222FDA41000-memory.dmp
memory/924-56-0x00000222FD980000-0x00000222FD981000-memory.dmp
memory/924-68-0x00000222FDB80000-0x00000222FDB81000-memory.dmp
memory/924-70-0x00000222FDB90000-0x00000222FDB91000-memory.dmp
memory/924-71-0x00000222FDB90000-0x00000222FDB91000-memory.dmp
memory/924-72-0x00000222FDCA0000-0x00000222FDCA1000-memory.dmp
\??\pipe\crashpad_3044_MATRGOPILLXCGBTK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 51de2f21eec6bc1995d6955af076cb60 |
| SHA1 | aecdb0975a6eaa27a945525ae3d463b19ffcb23e |
| SHA256 | fe40fd835a8c6c00738dc72a543de57517309787d71726ce926b3ab706c629d8 |
| SHA512 | 8798c95dc484f14eeed6487154d46132a0028486a5a03817bb639a586a2860f7e8cc0d0d70aebf75c6b394f467b85c1c5a49d1e602755d11caa5bdcb88dff9d7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
| MD5 | 2be38925751dc3580e84c3af3a87f98d |
| SHA1 | 8a390d24e6588bef5da1d3db713784c11ca58921 |
| SHA256 | 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b |
| SHA512 | 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 15754159972ace562c97941b1a3787c9 |
| SHA1 | 1008661721d81e1488faf97fed57796c05c2397f |
| SHA256 | eb852d3dc20ea5308ec796e8476bcec0fe514eb0918ba3a1dc4bc300e8e42a61 |
| SHA512 | 292c057691a87ff93adb3b4e609ad3521bb8bafefccfe5488fd5ef584da3e85ca6951bec73a56cfdcae2345ff515f37d3ce17efcb9448cd9c0af87d52f03ee4f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6d34fba3c51ca56e519924dd0c86d6b3 |
| SHA1 | 339d8397a84afc165d6c6467f9ba081c0864d594 |
| SHA256 | a7b02b4eaa11165d2185368d98a34feaaeabddb67d6f4ff9cad82557e04e8d15 |
| SHA512 | bf3711d8c1cc242ccc82cbdd2de2fc7adf89890c36a1ed67ce4fc46273a3b9194d28d63c4c11f09436237f2a84c86e94be4f74a93d0f45e25fb3298f4ab65d0e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c011e62ed1659a159c460259fb59b064 |
| SHA1 | e95e7becfe6e436349a1e7db1724d392728514ff |
| SHA256 | 3cac6af51ee1b478a115545094118c37fad69b712de6a44c866b7f71293660d1 |
| SHA512 | 2ce85296adf7c14a14ff38051eb383efd66356c36154b60555e7312ee99aba4dd7884db0d02ada8f2e332f417209a0c2bd036a355f4f837a21cfddbb4627fe7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 3badc5af86e7da3bd5cfb797b747c885 |
| SHA1 | 3409040114b91555ccb32706bbdb03b983b7f324 |
| SHA256 | adcd95ded55e7d0129442ea42bc15f1a995fe97086fb617a05d01a1653ffa109 |
| SHA512 | ffcdd54ade46788509a4fd44c8f293d379f13e05925a75d6ccf3faf56cabfb014417e164797d00b1699ee26b8beff4adab96410da190cf9dcc21ef308e24a494 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f5f2e6de426afdb78d0e506f4ffb1979 |
| SHA1 | 1abb6967aaffc87a46afb0e00f3878e0e944f5c6 |
| SHA256 | 5bc3cc9ba74d77095da872ac68d327f3e2b06a5960ecf9ec16237388aa3b0afa |
| SHA512 | f50789356a0ebeef0f3af236a041741b6856f9f68d77f0ec80cda7fa388b11afce1b6ffce0373c3094a54ab9829fcddfdc4315e533407f29de089b875d1cc5b1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 3f015ce2b36a0c678471c5f2634e7b4a |
| SHA1 | 38d8de4942bc4d81abf1d26eeb33287a7b8d5820 |
| SHA256 | ac3905d3dc49abe52c27b56e732c01277c7c3d77852599f949dd7ab64b19f522 |
| SHA512 | f2f9982eaa4e61b34275b0a20327497dee456026296b286f52cddb76b27c0b3c89a730afb3e8ab5e265a7a0f279729c18faea40ee55308e152f01044a408ea9c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | eceea655fa1cf6b339fd1c9f2f81060f |
| SHA1 | fd08ebfccf51f53f273cf548971a3133614b882c |
| SHA256 | 6a8e97835296137dab057924aaf0de5c3e9a1caf107a934e8be67f305d1451ec |
| SHA512 | 74398213fd3e213f241ef80027e526e40c537ad722817b30e947f82d360c717270b1a5c4b96c19cee4dc3f3bbc0bff5bb26aeac0b7c939cba349be4925f81f87 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 542311ec754c861fd44a63e4530b4c69 |
| SHA1 | 88d1c853ef05b89965bd8e723983597976af9e9d |
| SHA256 | 9087cb785b73a80858e56cdfa414ff3bb661d4038452c32829b5e259572cf889 |
| SHA512 | 279c9737fec38cf9c67fd2a051043daa19905ff315954a8643a40b7e1d814301869e5db67dd85a27899178d5af58055a02081dc4f3fb4530fcd63df3c44f7d95 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a5e147e859f854e64e740cd32247ad60 |
| SHA1 | 3092cc898d16ddc356dbeb9d8541250dc68b900c |
| SHA256 | b5038f246dd93ae79ae288b34ede5d6d37c757aae09c8666ea5b923da8c84c8d |
| SHA512 | 10a821be5fc02bbc939edccdb06b3c45dc83799d905db70ac39e26ac6ed9530a6e1351d493077c614a36ac9dbccbdd1ab0f9a8e2cabab80e4e762844c7a96940 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1920a506-1afd-4fa3-949d-61a572521271.tmp
| MD5 | 0004092dfb1129ecbdb8dc64278af8bb |
| SHA1 | 2c9c078e7765943c7f8e86cccb37c8b9afdb73b9 |
| SHA256 | 051ea75357af6bfd98f71736fd6aa85a8a7a1d0635e990b1db9d96222e2e2f44 |
| SHA512 | 285d8e0368653fff3989ee51c8cbe6845c724f74f866211df1787be733e5f18d8a61b8e8000772b44073c7d3d9e9e7115ee43f253b89de727a7b9eddf45e3b45 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | abf4ccceab3902cdfc96ec26747471b6 |
| SHA1 | f4dcf0d9673915515a3e8554fe4300b2e1b1cf6c |
| SHA256 | 3bb9314a86308fe67753226285ecbd9b8f5fe6aacf6209ab0516f1fa45f436ea |
| SHA512 | b1b0dcf42e8ad9ff759817772b50b9f6b82c2784f8c64a34b7df4e744faad8b2474d5fb598a18d0858a8bbb6e72f671bbec8b120aff581fddb5359c7dc702839 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d22073dea53e79d9b824f27ac5e9813e |
| SHA1 | 6d8a7281241248431a1571e6ddc55798b01fa961 |
| SHA256 | 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6 |
| SHA512 | 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bffcefacce25cd03f3d5c9446ddb903d |
| SHA1 | 8923f84aa86db316d2f5c122fe3874bbe26f3bab |
| SHA256 | 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405 |
| SHA512 | 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 83741b84e9a8eee2b5301ee86f9ec5c3 |
| SHA1 | 348559c29ef533150f7c31557071956ce3b190d6 |
| SHA256 | e21cd53b1b999790a39480b57a7fdc02e9de0d1077c95ab22ae885d971ce9c38 |
| SHA512 | f94973c3d43defa461aa8d0e4e3c0d61d7696957e3750f42c33c60bcbaa5d6442175cd67f075cb1d4adc610acf6b4a97ee493466a1231fdc98a4070e107f0e59 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | aa174cbbbaa644b6fc64f25a2fecac4d |
| SHA1 | f6da205013e8a2fcbd400c38e6dcb737fae065c2 |
| SHA256 | 5141d75832d648c384e562964bc1590942955e4dcbc4189834d182f5890656ca |
| SHA512 | 47625964f3808b5640ce34a8bacfd35c1c2110ba5208bc4ab0e9184134884474dfc8bc0f3535666ffdcfe8c7fee045347067e9afbcafa8f04bb297d0bc7d7e13 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 71cca35a78e17e90a87098229b748931 |
| SHA1 | a3056f7dee3f35414f84187c3a7866ec9bba8433 |
| SHA256 | 209ca45aa4c6323805a35fc20d5f71dfb84d2776b6742cbfb25ba5e165abf7be |
| SHA512 | 06f5fb075033cda61c717629879a23189c3bc11662f2ae3c1a3fe5ff387d191be096001db854e477bc5274141613486a72caf1ad540a60d8fd6895a0bc777fc7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | d4db8e09c45049ff25b0c75170df6102 |
| SHA1 | 6d1f07d1556a132a4a794e29df8455cc271f05a3 |
| SHA256 | 381473cd4e59e55dbacd388d552dcf27ebb82e7c8ddf315262a558fb25b3f742 |
| SHA512 | f78a68b51982e6f2cf25b12b3e24195a003f9c2d8ea84f7b5ab0ed3a70a5f2c7ed97932bcf5b30be57db7f6133c9b8f1744f801ee2bf4351b6fba5527cc1b51f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | c813a1b87f1651d642cdcad5fca7a7d8 |
| SHA1 | 0e6628997674a7dfbeb321b59a6e829d0c2f4478 |
| SHA256 | df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3 |
| SHA512 | af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | b275fa8d2d2d768231289d114f48e35f |
| SHA1 | bb96003ff86bd9dedbd2976b1916d87ac6402073 |
| SHA256 | 1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1 |
| SHA512 | d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 226541550a51911c375216f718493f65 |
| SHA1 | f6e608468401f9384cabdef45ca19e2afacc84bd |
| SHA256 | caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5 |
| SHA512 | 2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5 |
| SHA1 | 6dd8803e59949c985d6a9df2f26c833041a5178c |
| SHA256 | af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725 |
| SHA512 | b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7243b0bffe4f7343cb826e822efca0ec |
| SHA1 | ea7a52d666d7120fba16275c5ad3fd963ca9ff62 |
| SHA256 | 57eda6c6bb0adf36d8b5249a08d2b3f3c07790bd69cd74327dec1a01e7e23ceb |
| SHA512 | 500463b04f3e7763dbe971f24b3697d8f2b6aa719038d3f282fe1f27cc912e76839b9b0fdf567b6c522d937042d9e4898f99af71d5ec68106f8ed4bc4d40a97f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 4d32531bdcf5c2d3de1f651af16ee1c5 |
| SHA1 | 150d2b99d67a132c0c685395ad36c2526c313103 |
| SHA256 | fbd8ca4e0d2d438346f22382fca62d1a1ad59e92abdd7da836309a4cb8b0c576 |
| SHA512 | c5eea33e87e268f36702c1ef762ff61ae5f486784bc9295a7d2beb418240256156dd9bae88976d232d677d2240d07e1dc607a738eacaf619aef68cc61b413a4b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593f90.TMP
| MD5 | 2d11d70872e553e5ded2bfaaede4136e |
| SHA1 | 05248a037491220ecc8f47d4aea91111fe21b6d9 |
| SHA256 | 7e326d6c196698561ed2b286071e2b29af4953086f298615e476322aee617b4f |
| SHA512 | 81abbfe30ccbe6255c290d4dbd4f814514bf0be01e85151f49ea874e47fecde06051d3f807182212c79fd6d665a4eed8c79d17f9ec7c151d04148a825bc23f87 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 9bf40c2e250f7b98f2e64e09b3c9eacc |
| SHA1 | b2de41cc7d6e2b3e74d9b16b3fd18bbb7fdfd3f6 |
| SHA256 | c6ce8589e303081c9f5d284c86bbd78dffa11f3f131f64369fb9dc226abd84a1 |
| SHA512 | bee97555b92111f78bf467abc45482a2c96ce74648ddbab53171928ec4c3f1ca173743104a547bf2cfa8daec3f876f8fe145e0a39d77ff256362c846f602a259 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6d417d85f2034d47072b2867954cb393 |
| SHA1 | 8252f10b1dff6997bb089fb820242520cd10162c |
| SHA256 | f7591d349cff1dd5c8d58613450573959f8194eb5e1a27e4f5a560e263e4fe84 |
| SHA512 | b5ed5b9789aeca63c5da6a3e9330a5b294c858037b5a632a331d16a1b6d886f2c409825b21d0be6e1bea2415e90b447355b0d62a1d5c414905eb12b75fd380e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | cb2fe141be981150e8511afd1249e383 |
| SHA1 | cc4c7615793fb527dded859552f38cf77c88a68b |
| SHA256 | af81e1401bca4536d61c410ee1c18087b0babde3d95d7deada35fc6d791c8752 |
| SHA512 | 2ea0d408b1934b7189e0921d3215664c46db6ac8311fe3d517b742a5261fa4e7f7e796c6a1c5cdb927ccaf1e83788872636b3632faab7df3c6ba2f72d30aedeb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 6896fa18ab6679e98fb90326d6dd29b0 |
| SHA1 | 109f934f1bea6b4a06d36871d0b09cfac5854e7b |
| SHA256 | 1413881a10438fe4b6125e39c0932787fe43ef0780bdd52d60d4dc9a3dda3e73 |
| SHA512 | fe3ff6eb373fb385d41ce59dbd0ef8aedc240bf89088c88336ac0ede70a1d1098352d706a9fdaee7c205c1ce6a219939f6c9cc51b5ae3c855aa67cccdf546196 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 8345ed49d6e1e64e71353a947a17bb60 |
| SHA1 | f40128d3f0b7206615dadfb089fdcf73f28b0db7 |
| SHA256 | 1c39035ece0c9810965c1131417762168832e5075f3a1925a2ad64967aa355ef |
| SHA512 | 90dc7e5b02d4eeca1ccccd45a2c9f5681d734923c64a7e731229bd53753344904b122426f6365063a2abf292168aa7b842f4d7183e012e7dab232e3ec23a0566 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f3f3fa30cfe93ffb52100e4dabc5725f |
| SHA1 | 46809ccfe7c81990491d037335a899f191bde951 |
| SHA256 | b1b9c66369f321183ce65b5f98b602bfa211c3ed61d4eb24dbde3eef25f9eb5d |
| SHA512 | b6dd1562b972023b7e4f58ac2b1652873f7d0939bb0054819696ca3001d2725278a0fdbf487851d0d9873adfc14a12b26fd67e736c2a9c3b533ecff6acfaebbd |
C:\Users\Admin\Downloads\Unconfirmed 608406.crdownload
| MD5 | e3b7d39be5e821b59636d0fe7c2944cc |
| SHA1 | 00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88 |
| SHA256 | 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97 |
| SHA512 | 8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bb971e3ec51a2fda548409b8c81d2a71 |
| SHA1 | d37048a831d0e436db0b0661560e3b4e9d986a55 |
| SHA256 | ab47781404d7af4166c3e5058d4e2d81e38d5c944d8f8b67aaed4648e5fbd689 |
| SHA512 | bf114ccd790b662dfc0cb37a58dc9536fdc03f9d36eb86b8e91f43cc19dfb8f27ea22a4b7254fe2e874d0eafd504e405efc387ade093bac692ef7e8356e7acd9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 06bb8aa05b2c8f7bc2dad70ebad6bbe7 |
| SHA1 | e00437cfbf9e8fac2fa04ce12b075530d24142ed |
| SHA256 | e4d9545f8e3e5915a7a40edf6324fb046b052c91b9624f829249207ef35e3a1b |
| SHA512 | f1066e3df7815e5f01e8d93e15678c9fae696295c7058f64aeec90462bb32d97a7b6c33856f5195dfa0ddad7fc5be512f62032bb9e8ce6942b8280d235a71c15 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 33d6def2cfb741da0218e6e621818cf8 |
| SHA1 | 75eb855dda219201e84f708a90a175ac80399158 |
| SHA256 | d3aaf4b9dd245dd880269ec9727607d81e6c74b3a9e5cece615febdde7c6d7fd |
| SHA512 | 1bb4d54cc2bd6fcb562885d492a7a1faa695d6a3f9ea8561975ce8f983028172386675323f40a193465c84c79123483a28c02eafe3d409919a7f626d360df849 |
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT
| MD5 | 797187a51acaea8a180fdff7ebf38c32 |
| SHA1 | 2be81d63f648e58fbef7070dc74a93f5246d87b1 |
| SHA256 | 98feedf9a97bb9b8549f57ef2758874ddd7982d309b043c3b9db4527780d3835 |
| SHA512 | ccf1ff7b4e4548bb988e649a92ac94c1a5485089c61310fbfd62757a61457bbdb8c6a5a673ee0e1177206b8d6787277a0ef7021f7a0f3f6387ea6e32caeac102 |
memory/1676-1050-0x00000000007F0000-0x000000000080A000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\settings.dat
| MD5 | cb006ce5c28a78bfdffdc1ceda76609e |
| SHA1 | 6f1114e0c64b3fc5f82ef104fccec134c28071b1 |
| SHA256 | be7f5db2ce7018b06d75c18a7c513b50bbf5711cd57859ee6336f3e70e7a5b0b |
| SHA512 | 2b444d0b8d8a2dfde04b736ccb474f403d32777ebc5b4ae635f0a794bfda35ece31c6d4f5f04d3b8a3a6375b313c067b4d07c17d483fd06d0e5959c0926cac16 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727661992394667.txt
| MD5 | 5f3bf9505d48774e0e25d515f86f868e |
| SHA1 | b2b006eb189e7f9065d58f2095db1ce828b0ace7 |
| SHA256 | 6767593cbc8fe7d3f67d3bdd859e754fbfab7dbec8190692d5a260bb8b80a708 |
| SHA512 | 0b79f221a4c619feab9e1e06568c91d1c169803457cae98417105ac3dbf78d67c97d142af85d2820401f54af29ffb214d76bef6291ba78e0984b6dd36e56f6c6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662487357744.txt
| MD5 | b6c831d314403d989888c0ba0ee69571 |
| SHA1 | 766a0fcad39a988d21658fc0a28cf3df045a5171 |
| SHA256 | 08d23cceaa792bc9b1cf13d79d1ebd6840d27c74cdd5d5dcd12676770bde700a |
| SHA512 | 6b3a7ff00ecfdc2a6fc55f4fe69182886972d222e774f404b1f5bcbf5c4c633d98c74bd752760a3247ba290a2df61acd2d74e9cbe007c1146ac566e15f1394c1 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667722373689.txt
| MD5 | f7f5fbce87b741e3fd7032b3bfd2ec4c |
| SHA1 | f43c9872e36fdaf4692cbfbf5b3f14c0ba96b329 |
| SHA256 | 3ba3ee38f95091af4356d65ff1cf78c18ffc5a1c7ee6a20f92474a966b5d4ea4 |
| SHA512 | f1fe3d356a19b51c3c366c9323f02747cc06ce40a8aa07799853a01cf16c3d4f8d37e227fb32499ca82a498f634aed672c1fb68289846d516bdf6226a3a027f3 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt
| MD5 | d0ccb4319a3423b0950d1564eebaab27 |
| SHA1 | f77ada663b909c5567b244a9c1d7ef584855139a |
| SHA256 | 75ae85316a6ac819f16da360fbee791c5d4db329c13e733fe36f5b05c8330d85 |
| SHA512 | a2bc6946da70ea1607d9028682e30741cded94e7c556a5463b438311f0423005b2d5bb78eadf1345e1419d819f17d9865f5b80c4bf12e67af5d897201fbd4978 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5808aa44-cfcd-4434-93ba-c99287f8eccf}\0.1.filtertrie.intermediate.txt
| MD5 | 0502cb887fa0178cc3a03b09b7c14108 |
| SHA1 | fd45e8ce4940f7ab71edc7329116211f9684c420 |
| SHA256 | 60f7b585e886c7b00c926e19d598048148aebe540a3ef961ee7d209dc275a1e5 |
| SHA512 | f4b03fad2ba049e50f709f1a3e6c3c732a5ba99f0e323f3d05f483254cb8960d8b1f49c793dc1123ff04eaa9d8f890b922dbe0e7b89fa6729cc57fe02456fc5f |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5808aa44-cfcd-4434-93ba-c99287f8eccf}\0.2.filtertrie.intermediate.txt
| MD5 | 2a999fc1662935be19777c0fabbf701d |
| SHA1 | e803cca3b18284bf839a0224ded2742baa1aa169 |
| SHA256 | 4c2ecf6f3cbeb645a05b0e39c12162f623010bd70f94e1e9dedd6aded17baf58 |
| SHA512 | 8eb40d76d9d798004415eb1675d4bf6bba10258bb1f3475fe55f6e371de03063f0a1fc3875a6ebf1f7e049c8f25e2b38bbfb298af0c268090016063263715bad |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\container.dat
| MD5 | 964beb469569586a1028b02f58bdbb40 |
| SHA1 | 6844b37226297c481c2b03a94eb3734faf69c4cc |
| SHA256 | 7e5b2c0b02510cfafb7abc76318bab53fb2c9c113bbacfcb27ff06c63bcf4abe |
| SHA512 | 5fec4ad84fabc0e8e170d430dab0463ecfb05586192613af3c25883f12727543f2e244a2a07e45fbadbc32fe37d5674baf3fde28dc80fb7528f0c700f782c2ad |
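Most of the Files list above is browser-profile churn (the same `Preferences`, `Local State` and `TransportSecurity` paths recorded several times with different hashes), plus entries whose digests are those of trivially empty content: the crashpad pipe carries the hashes of zero bytes, and `SCT Auditing Pending Reports` the hashes of the two-byte string `[]`. The entries worth an analyst's time are the ransom note `YOUR_FILES_ARE_ENCRYPTED.TXT`, the partial download in `Downloads`, and the memory dumps. The script below is an added example, not part of the report; it takes a subset of the entries copied from this page, flags known-trivial digests by recomputing them rather than hard-coding them, and counts how many distinct versions of each path were recorded. The labels and ordering of its rules are the editor's own.

```python
"""Triage the 'Files' section of a sandbox report.

Added example, not part of the report. Entries are copied from this report's
Files list (a path line followed by '| ALGO | digest |' rows); the triage
rules and labels are the author's own.
"""
from __future__ import annotations

import hashlib

# Constructed sample: a subset of the report's Files entries.
SAMPLE = r"""
\??\pipe\crashpad_3044_MATRGOPILLXCGBTK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 83741b84e9a8eee2b5301ee86f9ec5c3 |
| SHA256 | e21cd53b1b999790a39480b57a7fdc02e9de0d1077c95ab22ae885d971ce9c38 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 71cca35a78e17e90a87098229b748931 |
| SHA256 | 209ca45aa4c6323805a35fc20d5f71dfb84d2776b6742cbfb25ba5e165abf7be |
C:\Users\Admin\Downloads\Unconfirmed 608406.crdownload
| MD5 | e3b7d39be5e821b59636d0fe7c2944cc |
| SHA256 | 389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97 |
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT
| MD5 | 797187a51acaea8a180fdff7ebf38c32 |
| SHA256 | 98feedf9a97bb9b8549f57ef2758874ddd7982d309b043c3b9db4527780d3835 |
memory/1676-1050-0x00000000007F0000-0x000000000080A000-memory.dmp
"""

# Contents that show up as noise in almost every report. Their digests are
# computed here for every algorithm the table might list, so one matching
# column is enough and the set is easy to extend.
TRIVIAL_CONTENTS = {b"": "empty file", b"[]": "empty JSON array"}
KNOWN_TRIVIAL: dict[str, str] = {}
for _content, _desc in TRIVIAL_CONTENTS.items():
    for _algo in ("md5", "sha1", "sha256"):
        KNOWN_TRIVIAL[hashlib.new(_algo, _content).hexdigest()] = _desc


def parse_files(text: str) -> list[dict]:
    """Group each path line with the '| ALGO | digest |' rows that follow it."""
    entries: list[dict] = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("|"):
            algo, digest = (c.strip() for c in line.strip("|").split("|"))
            entries[-1]["hashes"][algo.lower()] = digest.lower()
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify_entry(entry: dict) -> str:
    path, name = entry["path"], basename(entry["path"])
    if path.startswith("memory/"):
        return "memory dump"
    for digest in entry["hashes"].values():
        if digest in KNOWN_TRIVIAL:
            return "known trivial content: " + KNOWN_TRIVIAL[digest]
    if name.lower().endswith(".crdownload"):
        return "partial browser download"
    if "ENCRYPT" in name.upper() and name.lower().endswith((".txt", ".html", ".hta")):
        return "ransom note candidate"
    if "\\User Data\\" in path:          # Chromium-family profile directory
        return "browser profile file"
    return "other"


def rewrite_counts(entries: list[dict]) -> dict[str, int]:
    """Paths recorded with more than one distinct content (rewritten during the run)."""
    seen: dict[str, set] = {}
    for e in entries:
        key = e["hashes"].get("sha256") or e["hashes"].get("md5") or ""
        seen.setdefault(e["path"], set()).add(key)
    return {p: len(s) for p, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    parsed = parse_files(SAMPLE)
    for e in parsed:
        print(f"{classify_entry(e):40} {e['path']}")
    print("rewritten paths:", rewrite_counts(parsed))
```

Recomputing the trivial digests instead of pasting them in means a typo in a hard-coded hash cannot silently turn off the filter, and adding another known-noise payload is a one-line change.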
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-13 03:22
Reported
2024-12-13 03:25
Platform
win7-20241010-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Meduza family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup7.0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3012 set thread context of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\setup7.0.exe | C:\Users\Admin\AppData\Local\Temp\setup7.0.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup7.0.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setup7.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
"C:\Users\Admin\AppData\Local\Temp\setup7.0.exe"
C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
C:\Users\Admin\AppData\Local\Temp\setup7.0.exe
Network
| Country | Destination | Domain | Proto |
| DE | 109.107.181.162:15666 | N/A | tcp |
Files
memory/2860-0-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-8-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-10-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-11-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-7-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp
memory/2860-6-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-5-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-4-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-3-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-1-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-2-0x0000000140000000-0x000000014013E000-memory.dmp
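The behavioral1 run pairs a SetThreadContext indicator (PID 3012 redirecting a thread in PID 2860, both instances of setup7.0.exe) with repeated dumps of PID 2860's region at 0x140000000, which is the MSVC linker's default image base for 64-bit executables. The script below is an added example, not code from the sandbox or from the malware: it parses the indicator string and the dump file names copied from this section, sizes the dumped regions, and reports when the target of the thread-context change has an image-sized region at that base. Reading the combination as process hollowing is the editor's interpretation; the page itself only labels the SetThreadContext use as suspicious.

```python
"""Reconstruct a self-injection chain from sandbox indicators and dump names.

Added example, not part of the report. The indicator string and the dump
file names are copied from this report's behavioral1 section; treating the
combination as process hollowing is the author's interpretation, not a
verdict the sandbox itself states.
"""
from __future__ import annotations

import re
from collections import defaultdict

THREAD_CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DEFAULT_IMAGE_BASE_X64 = 0x140000000   # MSVC linker default base for 64-bit EXEs
PAGE = 0x1000

# Constructed sample: copied from the report's behavioral1 section.
INDICATORS = ["PID 3012 set thread context of 2860"]
DUMPS = """
memory/2860-0-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-8-0x0000000140000000-0x000000014013E000-memory.dmp
memory/2860-7-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp
memory/2860-6-0x0000000140000000-0x000000014013E000-memory.dmp
"""


def parse_thread_context(indicator: str):
    """'PID A set thread context of B' -> (A, B); None for any other indicator."""
    m = THREAD_CONTEXT_RE.search(indicator)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_dumps(text: str) -> dict[int, set]:
    """Map pid -> set of distinct (start, end) regions that were dumped."""
    regions: dict[int, set] = defaultdict(set)
    for line in text.split():
        m = DUMP_RE.fullmatch(line)
        if m:
            regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def describe(region) -> dict:
    start, end = region
    return {"start": start, "end": end, "size": end - start,
            "pages": (end - start) // PAGE,
            "at_default_image_base": start == DEFAULT_IMAGE_BASE_X64}


def reconstruct(indicators, dumps_text: str) -> dict:
    pairs = [p for p in map(parse_thread_context, indicators) if p]
    if not pairs:
        return {"verdict": "no SetThreadContext indicator"}
    injector, target = pairs[0]
    regions = [describe(r) for r in sorted(parse_dumps(dumps_text)[target])]
    image = next((r for r in regions if r["at_default_image_base"]), None)
    verdict = ("target thread redirected by another process into an image-sized "
               "region at the default x64 image base: consistent with process hollowing"
               if image else "thread context changed, but no image-like region dumped")
    return {"injector": injector, "target": target, "regions": regions,
            "image_region": (image["start"], image["end"]) if image else None,
            "image_size": image["size"] if image else 0,
            "image_pages": image["pages"] if image else 0,
            "verdict": verdict}


if __name__ == "__main__":
    r = reconstruct(INDICATORS, DUMPS)
    print(f"PID {r['injector']} -> PID {r['target']}: {r['verdict']}")
    for reg in r["regions"]:
        print(f"  0x{reg['start']:X}-0x{reg['end']:X} ({reg['pages']} pages)")
```

On this section's data the target has two distinct dumped regions: the 318-page block at 0x140000000 (0x13E000 bytes, the size of a mapped PE image rather than a shellcode stub) and a single page at 0x7FFFFFD6000. The same logic applies unchanged to the behavioral2 dumps of PID 1196 at the same base, which is why the two runs can be compared by region rather than by PID.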