meduza | hxxps://dar[.]vin/v4update

Analysis

max time kernel
136s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dar.vin/v4update

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 41 IoCs

resource	yara_rule
behavioral1/memory/2260-146-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-145-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-142-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-141-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-140-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-148-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-151-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-147-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-139-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-152-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-161-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-160-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-164-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-170-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-175-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-174-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-171-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-165-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-193-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-199-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-205-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-216-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-217-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-211-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-219-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-223-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-222-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-218-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-210-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-207-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-204-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-198-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-192-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-189-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-187-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-183-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-180-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-177-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-186-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-181-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza
behavioral1/memory/2260-176-0x00000248941E0000-0x00000248943DA000-memory.dmp	family_meduza

Meduza family
meduza
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	57c5af28-5903-4e13-b06d-2c725c0aee87.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	57c5af28-5903-4e13-b06d-2c725c0aee87.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	57c5af28-5903-4e13-b06d-2c725c0aee87.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	57c5af28-5903-4e13-b06d-2c725c0aee87.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	57c5af28-5903-4e13-b06d-2c725c0aee87.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	57c5af28-5903-4e13-b06d-2c725c0aee87.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	57c5af28-5903-4e13-b06d-2c725c0aee87.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	api.ipify.org
69	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2704	cmd.exe
1936	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1936	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4532	msedge.exe
4532	msedge.exe
2992	msedge.exe
2992	msedge.exe
1028	identity_helper.exe
1028	identity_helper.exe
2804	msedge.exe
2804	msedge.exe
2260	57c5af28-5903-4e13-b06d-2c725c0aee87.exe
2260	57c5af28-5903-4e13-b06d-2c725c0aee87.exe
2720	taskmgr.exe
2720	taskmgr.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	Solara.exe
Token: SeDebugPrivilege	2260	57c5af28-5903-4e13-b06d-2c725c0aee87.exe
Token: SeImpersonatePrivilege	2260	57c5af28-5903-4e13-b06d-2c725c0aee87.exe
Token: SeDebugPrivilege	2720	taskmgr.exe
Token: SeSystemProfilePrivilege	2720	taskmgr.exe
Token: SeCreateGlobalPrivilege	2720	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe
2720	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2260	57c5af28-5903-4e13-b06d-2c725c0aee87.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2908	2992	msedge.exe	83
PID 2992 wrote to memory of 2908	2992	msedge.exe	83
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 3540	2992	msedge.exe	84
PID 2992 wrote to memory of 4532	2992	msedge.exe	85
PID 2992 wrote to memory of 4532	2992	msedge.exe	85
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86
PID 2992 wrote to memory of 4032	2992	msedge.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	57c5af28-5903-4e13-b06d-2c725c0aee87.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	57c5af28-5903-4e13-b06d-2c725c0aee87.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://dar.vin/v4update
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3a0946f8,0x7ffa3a094708,0x7ffa3a094718
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10935523287200167663,6486381935224491058,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1232

C:\Users\Admin\Downloads\UpdateV4\New_Update\Solara.exe
"C:\Users\Admin\Downloads\UpdateV4\New_Update\Solara.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828
- C:\Users\Admin\AppData\Local\Temp\a5022b00-de28-450d-b189-971299e3e8f6\57c5af28-5903-4e13-b06d-2c725c0aee87.exe
  "C:\Users\Admin\AppData\Local\Temp\a5022b00-de28-450d-b189-971299e3e8f6\57c5af28-5903-4e13-b06d-2c725c0aee87.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:2260
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a5022b00-de28-450d-b189-971299e3e8f6\57c5af28-5903-4e13-b06d-2c725c0aee87.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2704
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1936

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
351d6d0883793e59f71be2d0d604fa56

SHA1
3afe512c39a11851525abef730b636be45eca161

SHA256
8347f18daf7c32b0eb84ff8f1ee52f0b90dbfb6adac6c9a3d2170afd78412792

SHA512
136fcc5c4a89913204d9b166e62a7ed0e22124cf5b9043ccb32af4828a3334a92fd6b479ab23bb829e8a722df8181b95665a50d5ef9da79770fd8bb2a588cb7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
8a8939e9105086661f4a5fbf862ab220

SHA1
d35da92e766e06ea29a687c15d836654f0cba5c7

SHA256
46c5d3d322511be0ca5af8582e919cb2cf58e10355a5b585f85b6158636ed459

SHA512
30b2253afa78321a52dbe4e40b7b7b4d852934577181eb2ce7a536eb8624a3cbd2670d4417aa06339be0a4bf49c8ff78149b5582050ab19b3dc4974aba097098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
f47e84a9473cea904c769b4c4dab7f35

SHA1
c15aefc2b54e8f87cd4b4f00fe69e68fdeb50d24

SHA256
96b5860022bb1aed2398ef7e71fe12681fa5be0b38084021e5bcf7f33c874314

SHA512
467a2bb6345c67bcb9f8df43ab7a5569cdf9ab7178a2601faba90b9c59a4e6f1881fe63a41d16f5bcb02dfad4b770149dc69c6c9258028a0b923ba6b9bb34b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
330B

MD5
65e6b3aa7b7020bbc70877e5a7c5a862

SHA1
83d2a59848570458bc9484833ee2ac30436b92ce

SHA256
b2d050fc35aa581ba8d776bbff9b3985920058f79c9c133b21d6aa56640a98f8

SHA512
70b03e4d1d0d26d81a8f037c8146f9600bd9ffac973d983f510b4f22e47630cb4d27a3349c6c6644617354a19246e102402fb5331e10fcd9614ebebd39150f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4c0c9568fa3687fd6c947eea767674a

SHA1
dfcadf4cec9bba62e0b79edf90278a8521c0491b

SHA256
8edecbcd891c04c045bbe1a063a9fa60e21165cbb581086a52adceeeb006f7b6

SHA512
0b86f5602d792bb31b7e267e010f11aa1c61962474ecdac7201b368670bd025143f1ccecfbae0d244cd851abac03342a92a4ec4bed62503261257a033c6d3d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8bbdf465c25ceeb66ef9eb588a9ff520

SHA1
b01286de69f2372310b2850b85f1c248072b622c

SHA256
8c87080d26830625a359a202d4d5264a4ad7d4f3fb5726624627b7e9ccf08b28

SHA512
d178ab19b327a4e8a3dfa1783fe88dacb1166e16a9a7474e8f3abdce4ff48318b91a75c8e327278ae2f981309aff63688fecf1c0447daaf042db5b74a60bbcac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
061323cbbcaa503ea8915ffe24b7f6e8

SHA1
5e70c01136e253af481c68599e8a98ef614501f7

SHA256
3ebc47978dd283f99b47518d987bb8e5a9a443ea69e4451515e4c43071b001d6

SHA512
bff372f32ea44ce4979d3413916a869e5224d85af369aafdda7c0160eda73752c1b3d0d56554e37fd427f5c7c912f53f498d057d65ca6deb913943938a0811dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
06a338ed545b3cda1a6414adfd13e309

SHA1
c79dbe744c5b7cc510a135bed7de996276beab63

SHA256
ca18439912cc109fc8d588a2ebb760be1a4182f2ce9ca319f77b805821b5d76f

SHA512
6daf273eebb4b731f77f34829a91bcf0b38878f239ecaf6445a423bb304c3d26b97d2581dde7f0e436451755c105ae62712ce469dccf0d77435b3880562a576c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6e7eb2b4a68294cdc1771efc75a97f20

SHA1
3669e0a902243a1fbec9287686ef219064376ae8

SHA256
531436998b699c9e13bfcf3ba39a1f9bc0010a18890bc629a3c7c12b1931816f

SHA512
d9c6f3864203d9763c643994fcb67c1000add9075aa36657bdbfc0e8c3bd682d4973edf18c0ae31ffc1d5778e05072c3fa1707df207f11fecb870c4c4f67aeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5022b00-de28-450d-b189-971299e3e8f6\57c5af28-5903-4e13-b06d-2c725c0aee87.exe

Filesize
3.2MB

MD5
b70619f58c714eed8049ef98017fded2

SHA1
12b7feec33c78ddec2fc1911e75352d9fa1d51db

SHA256
b3de734dba8b62d2967ceb30c2390614c5f71a079798f2dbace9bd01f497604c

SHA512
44fb1cfe83a8eb550bc90f77ae0467c17d8da30599bb484a4cbe08ef6ec7b15471aeac4520739ee2031da0522d6b11f739c9635bc0030848e45a3473998d7052

Download Submit
memory/2260-175-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-199-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-140-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-136-0x00007FFA57950000-0x00007FFA57B45000-memory.dmp

Filesize
2.0MB

Download
memory/2260-148-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-151-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-147-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-139-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-152-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-161-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-160-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-142-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-164-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-170-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-145-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-174-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-171-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-165-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-146-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-137-0x0000024894190000-0x0000024894191000-memory.dmp

Filesize
4KB

Download
memory/2260-193-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-141-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-205-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-216-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-217-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-211-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-219-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-223-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-222-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-218-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-210-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-207-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-204-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-198-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-192-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-189-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-187-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-183-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-180-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-177-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-186-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-181-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/2260-176-0x00000248941E0000-0x00000248943DA000-memory.dmp

Filesize
2.0MB

Download
memory/4828-125-0x0000023B6AE40000-0x0000023B6BE40000-memory.dmp

Filesize
16.0MB

Download