meduza | hxxps://stickx[.]top/bypass/

Analysis

max time kernel
99s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://stickx.top/bypass/

Score

10^/10

meduza discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4040-705-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4040-706-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4236-724-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/920-727-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
133	camo.githubusercontent.com
134	camo.githubusercontent.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3692 set thread context of 4040	3692	setup7.0.exe	140
PID 3608 set thread context of 4236	3608	setup7.0.exe	142
PID 4272 set thread context of 920	4272	setup7.0.exe	144

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2796	msedge.exe
2796	msedge.exe
1360	msedge.exe
1360	msedge.exe
4304	identity_helper.exe
4304	identity_helper.exe
468	msedge.exe
468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	setup7.0.exe
Token: SeImpersonatePrivilege	4040	setup7.0.exe
Token: SeDebugPrivilege	4236	setup7.0.exe
Token: SeImpersonatePrivilege	4236	setup7.0.exe
Token: SeDebugPrivilege	920	setup7.0.exe
Token: SeImpersonatePrivilege	920	setup7.0.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 3412	1360	msedge.exe	84
PID 1360 wrote to memory of 3412	1360	msedge.exe	84
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 3024	1360	msedge.exe	85
PID 1360 wrote to memory of 2796	1360	msedge.exe	86
PID 1360 wrote to memory of 2796	1360	msedge.exe	86
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87
PID 1360 wrote to memory of 1676	1360	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://stickx.top/bypass/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdac5c46f8,0x7ffdac5c4708,0x7ffdac5c4718
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7000 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,8323034248445658816,8758444430993498563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1672

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3692
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4040

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3608
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4236

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4272
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a1a50c4b477dfa9c399b12b3beff6616

SHA1
d09af03f42128db2f61b470d614bded3dd4c93b0

SHA256
bbe8979698d2fc3fd21b657fb99f276f0596fb4d2224bf8b947588d7789eedb2

SHA512
137ed90845571d3e4cbb9894a6bd3f664e215e37a0572bf95c051fcf84dcd1252e06672e014e3eeb88693059e2f5a1c092573c5e193edda56053889c4bb754a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
50305bf5080ec89a6ee43c3f84aa0717

SHA1
b9588ca57aebc51bc827efd99c43f58d55258696

SHA256
f6a8099c20e56c83898e76c47131130a1362af641afdf0418d5383a1ece47e0e

SHA512
650c45b9fa095f1724ee483c245e9c2f1e14dd63e494963e8cf9846d1b5e63ce296716ac28c68e203f61b9c0a22a9bc8d61521b5b99d9d197735bf3771aefe31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8f8fba861f69b92265d59692cd05339

SHA1
2929574e67a137fb705ab87fc015086c9ba811f3

SHA256
36a7491fef0602ee42d5f021b896e6af1cc389dcf88726e6980526f28f2306a3

SHA512
a9b24af8182faba138888c3114bdbddfc64cecbddd4bc6f3db3dbff448596e62bf81666f7fd831bf1ee9a7c77b17fa22e9f174477b1c7122fd913da820444983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4c1d83752c8870587ab912af85e18ae3

SHA1
c8bff15c5434dc65cc9ada132e65afae1b45dccb

SHA256
69c1ec72fd4bdc436c70f1dc297d15e6c05a1379060b04d35a354cbfc30cc3ee

SHA512
bb973214a51420102f5e692dedca0b12c7d96b4bd709b175b883ecffe06d8fea658ae51bbea645774f7c432c48840c868f113eb49be0200803280fa92c6d3190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e89521c84cc7a34cb22074c7aaff569

SHA1
d08cf62eaa2eae99099bf7ab09962edd746b12cd

SHA256
e59dba2791e4dde6cd13b0c52219b16cadba7b616b234640f240868b0305c7f9

SHA512
070f5128c26af482de7e9cd8057aec7ce4a27a11b330656d2ef80888eb24fb18dee923f059a863eb1742ccdddf85a10d2590becd3108e7f4a073871a1a4a209d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
807237c7236ae076776569e79fbae156

SHA1
a02db66d2ba4686e8c70b749e82936f894df4b76

SHA256
046e9c153a169d7908faa528d9b0c9866fe0108ea7078f0786afa94e3b1b3f84

SHA512
67edc1848901614ebf3b926ab6b42086bd9d60b17ded068bcf82e9c9ef42887817531582b90b8becf3cf8f2972c6b2baa89ab764732e4af8d2a99baa6cde4874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
adf79e1a8d63cf8c30f63f7a2ca42915

SHA1
238535a3ec1aa8fcfaaee2fbd1c8b61decded167

SHA256
39119bc2d2957f5e66af8234d53afdf39a25861de51e44d5c4104976bb94d145

SHA512
2b8f41ae693c03aa0cfb56c16b532384c0ff1ed2d50a502ee5ba9fc51c926ab9b69d58594796340069df5719f2e3d61aaf7d0f7913969087bf35263b14cf27aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
44ce1cc4aa9fcf924daaab0cf2469f95

SHA1
4180fca3332695e1cf2017d139b44113f351644f

SHA256
3ffaeb8c79f18dbb56253937b8fd515506bda593b0ef2a00e56ad03e2008297d

SHA512
4755db99878f169c8aef0b0213fe1fe1c9db611eee35fcc85f9171aad1d58d86d36cedba1d31c60a94ddcd52669dcaeb97530859656c16e25403be067bb1fb00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9d07dfb3f1e9dea08356bc11abfa9c0c

SHA1
14a3a892e19800cf9994cd450ea190ce9c87ba60

SHA256
42dc46f72952c449fd3ba75b236434bdc1316ed23c8b5a3eae6a8c91ce8f8965

SHA512
723731b825e2eb295535706c5246f271eb60eda56c72303cd4a69f2b71e349044d8e297d6ea1214471c80b796ab98dc2173d8b0e7f089cbb448c5986b2c8dd31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
647a4798a70640866fb5a48d68ef36d6

SHA1
3e19662226cfdba6ae2d3015c9c4c83db34cde84

SHA256
03afd227b8b3270258e1502b4ddbf475f72d378f1806043d5d316fe7f32eeed9

SHA512
ef7934f0c5d5227ced528273bcdbafdb1def50de34478e133aa380c4a4c3bcc65e39405b8a9fbb83998b61b5aa13b33722f69b7e8bf799a08aceb53981c58bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6f18dfdbaf4e6fda26d2331404e148f7

SHA1
25ebe80d4e8465d37d4cabfca460a769efb5678b

SHA256
4f77a97dc222f44e85b9899e1a16468301045caae547fa91dbedee447669eaca

SHA512
4a5ebeb27ed79b513fb7121f9dee28bdf73fdfff23d7730420b568b1658d1339058147ad558f6a6d5f0d1390263e2a5855c180fc5dcfb4007274cead7d8f46d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0aa56f151606847d17656a560b28314b

SHA1
e4f92e05d3783667b20ca42bd45d0a75bf408d3d

SHA256
040604fdcea55652a81e1df940e87b345f33052e9fd35d967b2a63b9ada068e9

SHA512
bd8649b3180b080a37921dc35fefca18b9f83ffbcb455faa349631abfef2a6c724b0696a0bca0f18172305e59969b3c5c4efeccb1414b59942ca67c9d146e1d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581d57.TMP

Filesize
1KB

MD5
1b5aba7e8a427a4eb75946db4bb29fbb

SHA1
787ec76ae5a691bbb6a4c8a7954fc18130468179

SHA256
56b6926df7d036399e61777b2ec297142b94d84f248281b2919b20362879bdab

SHA512
832ad1532f0c1027027e4bcc8fa694c63668c70393344eff2f0de947edbad19693c4a13d83f9efec375ed7675f67f7e176e44ee9639ae9a59f281b2dd5cde033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af785f2f21befcde08ecf51a6b733dd4

SHA1
6c75c7401bc544d9a7d27bf7468b3851e63890c8

SHA256
3033e8447633e8d2f688e44ebc194a35619ff594b8017f1884eb97a96b7a150e

SHA512
81439906df3284170215ecdc3e15ced4a63fa2cdabe017970aa3cc275598cc5d340e7873c9dbb1d064fe59763978bf354451a8caa4bba9a1a67df99da169304f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
151a76792e9cb775d5d943792ed099f7

SHA1
8f19dc46aad400e2c860f6f2393590aef41a8721

SHA256
c742f7616ef5391c5aa2edcc1edb246cdc0e1f0019d3f8239a18faf4d755af85

SHA512
72f26b49d6d29a36648a26e0b62af234362c46f2468fbfb24c3da69b6e9c0fef61a8f2be7ff8f88990da9d93fb7bdf1b87b73e448fb6a6f0ad618f3428bbfc97

Download Submit
C:\Users\Admin\Downloads\Setup5.0.zip

Filesize
2.3MB

MD5
d7d4d1c2aa4cbda1118cd1a9ba8c8092

SHA1
0935cb34d76369f11ec09c1af2f0320699687bec

SHA256
3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea

SHA512
d96d6769afc7af04b80a863895009cd79c8c1f9f68d8631829484611dfce7d4f1c75fc9b54157482975c6968a46e635e533d0cad687ef856ddc81ab3444bb553

Download Submit
memory/920-727-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4040-705-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4040-706-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4236-724-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download