meduza | hxxps://www[.]mediafire[.]com/folder/pdvnpt1sbe0w4/Software

Analysis

max time kernel
159s
platform
windows11-21h2_x64
resource
win11-20240802-en
submitted
29-09-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/pdvnpt1sbe0w4/Software

Score

10^/10

meduza collection discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
420
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2256-375-0x0000000140000000-0x000000014010F000-memory.dmp	family_meduza
behavioral1/memory/2256-379-0x0000000140000000-0x000000014010F000-memory.dmp	family_meduza

Meduza family
meduza

Loads dropped DLL 1 IoCs

pid	Process
1392	Software v1.24 loader.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Software v1.24 loader.exe
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Software v1.24 loader.exe
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Software v1.24 loader.exe
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Software v1.24 loader.exe
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Software v1.24 loader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1392 set thread context of 2256	1392	Software v1.24 loader.exe	104

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
712	PING.EXE
1060	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Software v1.24 loader.zip:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
712	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4580	msedge.exe
4580	msedge.exe
2360	msedge.exe
2360	msedge.exe
4200	msedge.exe
4200	msedge.exe
2620	identity_helper.exe
2620	identity_helper.exe
4924	msedge.exe
4924	msedge.exe
2256	Software v1.24 loader.exe
2256	Software v1.24 loader.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4960	2360	msedge.exe	78
PID 2360 wrote to memory of 4960	2360	msedge.exe	78
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 3084	2360	msedge.exe	79
PID 2360 wrote to memory of 4580	2360	msedge.exe	80
PID 2360 wrote to memory of 4580	2360	msedge.exe	80
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81
PID 2360 wrote to memory of 3104	2360	msedge.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Software v1.24 loader.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Software v1.24 loader.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/pdvnpt1sbe0w4/Software
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe09323cb8,0x7ffe09323cc8,0x7ffe09323cd8
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,11418335820558864740,1635245173771511584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6232 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:432

C:\Users\Admin\Downloads\Software v1.24 loader\Software v1.24 loader.exe
"C:\Users\Admin\Downloads\Software v1.24 loader\Software v1.24 loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1392
- C:\Users\Admin\Downloads\Software v1.24 loader\Software v1.24 loader.exe
  "C:\Users\Admin\Downloads\Software v1.24 loader\Software v1.24 loader.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:2256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Software v1.24 loader\Software v1.24 loader.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1060
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:712

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Software v1.24 loader\ReadMe.txt
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7821788b-5469-4f1a-8081-6abf967ae5b0.tmp

Filesize
5KB

MD5
1599148d4e0f9f09d8712b5de2c47bcb

SHA1
47b2b9e4d58b4f374bfd7dace4896a14e5a1f857

SHA256
e0dfd452c1c4e56aa0dae9865d8509847946ddb6bd029b5c1f60d406927a615a

SHA512
f4eca70aa935400f71769a97816936bd70edda2d25086d703534828a4fa7bda8f42981baf3e66b46cc1e3b487193819519f47e9e4ebbf2d6e03158075a07b82f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
88e631c4dc48e5346d7459d2ee47530e

SHA1
64bd682a1b80c8e33ee37abae715aab30294f20c

SHA256
7ebeaba742da739fd36d75de04bc7bb8bde2390a9d5789988fae9252e5704c6b

SHA512
98b5138ba3e19df026def9ff2cf0d7c6d18ee88b2302d60d7612034236f6188f7402ef531f6dc7c92c594fbfc6cf99a7e2b7c06cc2e2a81899fd643210c4204a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
a898f9b709d1a4a2e6ec433f0fad29b7

SHA1
a7ee394281612a4dec2e7ca0fcd2833125d58847

SHA256
a7ce54112c36cf701eced886269e9a4d715df58a72fc701d37d8ac30a8ae4291

SHA512
e193f8dfb1db7fcaaf10b6e1b4b26bee01af1ad722960c16e46c0602ab4a63490f138d9385528c0adbc3b0f12bda7f91bcc917e5f6bdea808a9e247004c697df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
83453caaa4040026f35def96451896f4

SHA1
87c657240558efdca4840914a3df81e82519ee42

SHA256
29a38eb43f8bffa812bf912e9b6efe11378d7690f838a1e4a15d4584d2d7263b

SHA512
5a2c3a2defa9418c6f91e417c0c0dcb8172f400c93ca3bac09638d6df0dc25ac1a028179ada447e64e8957430433a68bf5048e1448a4069f3f9739395644a49d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1KB

MD5
d8c6b2b1a6ff75fd90a37ed744c4dc89

SHA1
d6d97f2c34b52e5ca9564de0cde7ede183a2e5d2

SHA256
3ebf52f376b0e237c47664c0468cb12f52b7a98c5c832087edb5f180102444ba

SHA512
87985441a332155ad2bf489662147d50bebd6d8f4fdbe39ef3ce28c40503441a9d72d980441492c41716d172380dc1663cf1d7b0e80261f8938f500b3b9aa2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
9af028a857ee209f29771c4e9bc190f4

SHA1
c2c7297491f3c6ef3a4e3e4c866d867e344cc241

SHA256
04045467cf10dd338c1112e16f29515adffa346005847fa60513abb1c331d88b

SHA512
b76f8f58c604696d0d6766711b5bebd14885f4ca861aba4ba78d6e1c3c48cca444d23c1a63588d2668db674805625c6b9ad194c44b5677cd28061157996f4489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
611c2ff619f65bf8f5105d6624a3d4d5

SHA1
f6943ab96b63fca7553d68afa6549cc45062dee3

SHA256
261f8547275ac389a282294e0aea89316cbe4de8b22b08561c958e8ba2ab2aa9

SHA512
f237448c744a0e68c86c79d6be88d7643f01d87edcd8f5e062165aed0b2cc0c888eb352946de0b3cf9842de620149122462a1bbfe5c30ae111bdbd9081c6a38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5c19188b4423d32bd507cbe4d8f6663d

SHA1
6ce50dd0a8582059b1556de8f10f12d2636815af

SHA256
81a44cabd0f44bbc6c4398f985f7a1bb8f2fc96d5170b67c5041d73ee2192379

SHA512
5a9cf8e46f8c8e7121bfbab22f6851c33b609948e8f651d0a6da47a0752ed37ca9ac4c6af0b61038ff4446dab40dd7ea2f5563d5733c5953c6d9bdf404936b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a192b5b1520d758d59d819c2acb16274

SHA1
352efb8c0efdf86c8bfd7caa7f09325d37248154

SHA256
16e73e6b60521eda61a41d55f34f8cb211d96b147f7f4645e384cb70761446c2

SHA512
97e5594c34cb27df62af51bdee6ef2f155ed11afd55d96c694070ede40df7b70f620f8fc0f2c4dc8e1381206e49462f9f0c5c7e01a1f481bb6e6c04523f8ca03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
02c53df5d71640494bc73072fa7ba9e6

SHA1
a088e5e338d7fdb1cc0cbc8a7a8e8179bb282bba

SHA256
bdffd4fccd1319be86b734aa881fa26e2a0589fec55c91aede19cadac1f8d8c1

SHA512
b2a3d2ea4534e33111aa9fe3c8fbda1227b4ce4bb06f66454324e2300faf1c317dc2e40ef0e098343ab3120fdc191a6d2f47f154c7879bc083e2a08f5b4e5e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e2de.TMP

Filesize
1KB

MD5
b0dec45b0ee29a6bce0723da5d73fc4d

SHA1
2caec3039bddd6739b3dc71a35ba14220f50060f

SHA256
8e190539ebe05b27be70bef63b7c6d1b69a86abec3abf18d6543aad141bd6e10

SHA512
175cc8cc40c91c9dde1702a2d10d8238dc0f4bfa446b5bea65813aca577519aa5b5d3b82b3a822623b1802339f90185a6ef970c2e4f45cee92c8331841cd317c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa669aeb6016f1246da1969ffab40cf0

SHA1
44c2d6b78f64d1395e09ffa9592dc3b8aec53ef3

SHA256
49e10dc95f03510e05dc3d6b9185987798455a48c238483886ee0223896e502a

SHA512
5fb616cabdc152492eacc612e7fadc3f83138184dd271ab32766335a7eed8dfab8a19fe534a452edf496ca83fbf09dc17df50a569e443bd194d78c5786e0390b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
708f0dc7468fd359863de51cef1a63de

SHA1
d45ff2624c3c0287ad9109c7191e170cf61f058d

SHA256
46d2b871d66256719a44632eafc4cbaa63324b1926ec6c809a97bcbb0f18f134

SHA512
fd39aa8bfa45bb8e4b3c6a20368cacf9a682a453851e287f5b0ec094f158ffe26c937ee73dfe7104db4fabac941847784fb7fa6f14b3f6127cf97c64f9cdfc87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
632eb8cca054bc16be9c8b323b9c1f82

SHA1
95f7974d101432215a41b85888111f0c0842b47e

SHA256
ac711609465a97fd1acc81cfaea515286a41aa3a875b709f42237d07aeb070f3

SHA512
4a0bbcc773414b425644302eb85c1021ce403b41161b0854154402714a997f138f358e6ebf31da5209f39e70e61fbdcd02074d413b2ec8372fb58d29797ef2f8

Download Submit
C:\Users\Admin\Downloads\Software v1.24 loader.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Software v1.24 loader\a.dll

Filesize
1.2MB

MD5
2e618003b3f5eb21ef13ed43269c5718

SHA1
ae4975ba4b20cb328e36ae8f2b4f8e9d23b6a283

SHA256
2fd2f92b9a9dc68f447fa8c08cd5ec22dd35008fee79693f84d3014dc7207af1

SHA512
b0c0f0549f413b28d67b616af683d91bc54af9e72fb4831f9b4fd1974ff3b3ad869f974ee2bc2f2eb1c9b427ca09945f98c40191a48b264f796885c2d0c64719

Download Submit
memory/1392-378-0x00007FFDF64C0000-0x00007FFDF65F7000-memory.dmp

Filesize
1.2MB

Download
memory/1392-377-0x00007FF6E99E0000-0x00007FF6E9C56000-memory.dmp

Filesize
2.5MB

Download
memory/2256-375-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/2256-379-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download