meduza | hxxps://github[.]com/hugodq/Wave-executor/releases/tag/Download

Analysis

max time kernel
172s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/hugodq/Wave-executor/releases/tag/Download

Score

10^/10

meduza discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/1576-237-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/1576-238-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2860-241-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 1576	2220	setup7.0.exe	118
PID 4384 set thread context of 2860	4384	setup7.0.exe	120

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
2888	msedge.exe
2888	msedge.exe
2452	identity_helper.exe
2452	identity_helper.exe
1688	msedge.exe
1688	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	setup7.0.exe
Token: SeImpersonatePrivilege	1576	setup7.0.exe
Token: SeDebugPrivilege	2860	setup7.0.exe
Token: SeImpersonatePrivilege	2860	setup7.0.exe
Token: SeDebugPrivilege	3780	taskmgr.exe
Token: SeSystemProfilePrivilege	3780	taskmgr.exe
Token: SeCreateGlobalPrivilege	3780	taskmgr.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe
3780	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 4580	2888	msedge.exe	82
PID 2888 wrote to memory of 4580	2888	msedge.exe	82
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 3108	2888	msedge.exe	84
PID 2888 wrote to memory of 1508	2888	msedge.exe	85
PID 2888 wrote to memory of 1508	2888	msedge.exe	85
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86
PID 2888 wrote to memory of 2756	2888	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/hugodq/Wave-executor/releases/tag/Download
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc45246f8,0x7ffdc4524708,0x7ffdc4524718
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14131658609304846750,12883795682438562285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3076 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2512

C:\Users\Admin\Downloads\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2220
- C:\Users\Admin\Downloads\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1576

C:\Users\Admin\Downloads\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4384
- C:\Users\Admin\Downloads\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:4552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7f8cb1277e2a82b8bfff37275b978993

SHA1
17b9e5e0c09c26c6e0b3327f119a447a8250182a

SHA256
cb8b71742afce1e27c4f976147c3a61d06a2b85e3726882da719b88511fc53f4

SHA512
d0540b7bca9ea8c4ef855659efc816e8ef38f751b90930afb602986a21722af60814a8163277677d3df3f8eba7ce8ad9a5b6776b144f5a6344c5e8f54345e968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c605af4218042e3f6a9173a39b9d7f84

SHA1
de5fe19ca1a6cc40025c2cbfe69e28c50cea91de

SHA256
a82c0600b48612b31768b56115c5216206df664dbc8f4463ca21531cf17e48c9

SHA512
9e78703282dcc242ccd2260bfb8bbe403d63a2fac9c8e6e68438e9409b058957797377f022f0029a98f28b5a4d60e48f2eb8a573214f62c956d6831dbbef3b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4831fa4f1bab860864ac06ce9c4c5347

SHA1
7a07f4ad26232338716f1eb56c279e1831717d1c

SHA256
6dda8ee9573a1270bb4886da09e80b82e600f51ee7ee935e535b185998f98ebf

SHA512
5be02b0124245d24f33b3277aff89f695c79207f0f5bbde37dec693b829a6e02bd665729d2785548e700df40652fbffc517fbeb2cdb14017b0606e3d80dd3ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98f12192f94ba5cd00e236e12dfb5eff

SHA1
ff105610cdfeab4c87767027329e5b958f48b0ce

SHA256
12543a8170b69a990e3dd8c24ad84db923fee431cb9021aab5746903f3db39ec

SHA512
dcd2793ef0acb93f6441e8b59d19606a83326ba20ab54a743f6fb4e87afe98ab5a9ee7a0563a3ee014d6f53d1efd37f14e2ac6e9943de8f446e211a9826bb4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
65cb96e16c0c347742e8c56dfad7743b

SHA1
3cd9a3558e40e659fb73a4efd96836c54b0b26d4

SHA256
7c4a7af32f36b89f5fb18e40069ede6f39af13e87949590b593e8641b904a674

SHA512
c767e799d8d4467f6c828e1d7a06ab3984fa8ab60f87f20042bae6597f893f55a42051e72eced8318ca687c556e667ba287457ba6a7527df934935a0c2a6ea55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3791c0bdc1176416c26ae28da71563b4

SHA1
8bc2a32d12d4e1f77601f240962c1eb5408981ba

SHA256
741339f722a89bc6c78989dd8ce7c4d94d8e98b9b0dbb246c120662352fa58fd

SHA512
e137ae6be85f37a0c463ec3ea8ef1bd26e9e8be78f39d185923197f03d32caf33739984b753d17ded2811d07d71253398df813218bb3f6c55bb97c20a3920cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ff2de8ed4d3a7389b995d059bc38c26e

SHA1
9c8338aaa75a6e0f69f6fcc3f6681eaee57c638e

SHA256
921c3fcf8b11dd13df27064bb1a80b4b7cec7bf458c8334324221388d793aa39

SHA512
d568635bd4856d0f459ffd37d68561b1ea5c9f18615c9ef37399a80c4e998a1434c59624fb34fa25661c1e2dcd2082bd22768d8db36da5c1ca25a99e692f50e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
7c8791560c7a80bf8fdcc412f31008aa

SHA1
1a77cc23191432c94845f7fdf7c37e648864318c

SHA256
a45d137d56872bd02b69a36ac68172d0484eaa8ba33ade48a07da7dcc897c6bd

SHA512
cb31291e51d79ad47501b0b438b9b1f008355501d833019c36ce7db44df7a7b676742bdb1f860a78a1bae68d46580b967aab65b8ad2f7681dc2f0cab408b195c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f453.TMP

Filesize
874B

MD5
b4b550faf8b58cc46181a8703a8f0e87

SHA1
46b63158957c2082e373f2d05e41cc9d21177b92

SHA256
87482f36dcfe366cff73cb064bfefc5e9a0e0e67b62bc0dd333565abed9afeb4

SHA512
16186697b354b6adf0231ecf2daebfae5c04face2e5fe6aef6670d8818f3a6cd57a1083bf02e0f1ce2deaf19128630e86a334daf1e6af6c8872ef59b29a76ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6af4f55884886b10604ff8be46b684b5

SHA1
44925e17998ea4aa2898a52f4a51091a88501258

SHA256
63c80c34b923392cfb1fb849561354cb5ea9447ee840dc2078ead5f63282c373

SHA512
6084c7ffc4750d29846af4480644e3f112423b020818eec860a0b6c84df13e7fee895ef185fbc3865e371a21b821852ae0107a86102b2a0db8ee5654b73838ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3fb8aa5c262f1c940de1c5bec529a40a

SHA1
a02bff9ea5018289c09696564e4f23da98db3cc7

SHA256
d181a7bca4c3c1a6fa92193b63777b3d39a0683fd0a87140a0a983e2ee5d9c67

SHA512
75df09fa4c56bce387bc2a124ea6644f99015666bb3b909effab81ec924230ef6ce82f5711956f465a13060b2f823daa44563c1e3b328926d44ee80885f90f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ed9093d8f70af88ebd31314ae8162c7a

SHA1
ae1eddf03a9a16496f20f6a0b70c9763050e3d25

SHA256
bdde410e3420e2807be023c2477dae10695a839508e83338e77fa8d6eafeeb9b

SHA512
e52fdf3d08a09a063c09318f0106438abb338f54eb9d4d5c07c02e11a19a10a5a7a900c8676d40dd7efea5d156bc2b00999d073cd5655756249110796cdd19cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
01652030f07ed75258c537d120fe55bc

SHA1
e41b31ea8f5d1515856b7c15204d742d7009a015

SHA256
ac09d296e643a3a273c02aa1da596f683571b05f9422dd724fd2e77229c32696

SHA512
ee1a17661d6b3bc353b1e12ab6162068944df2590bcbe21a3813b84d08f87dd2406d595f8f3fabf745ae2fb40421ae33aaba57cf08b5b54ef979d812d04c0916

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 273877.crdownload

Filesize
2.3MB

MD5
d7d4d1c2aa4cbda1118cd1a9ba8c8092

SHA1
0935cb34d76369f11ec09c1af2f0320699687bec

SHA256
3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea

SHA512
d96d6769afc7af04b80a863895009cd79c8c1f9f68d8631829484611dfce7d4f1c75fc9b54157482975c6968a46e635e533d0cad687ef856ddc81ab3444bb553

Download Submit
memory/1576-238-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1576-237-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2860-241-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3780-317-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-319-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-318-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-323-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-326-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-329-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-328-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-327-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-325-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download
memory/3780-324-0x00000191BC930000-0x00000191BC931000-memory.dmp

Filesize
4KB

Download