meduza | hxxps://dar[.]vin/v4update

Resubmissions

29-11-2024 17:11

241129-vqqx7a1rcn 10

29-11-2024 17:09

241129-vn422a1qen 3

Analysis

max time kernel
163s
max time network
170s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-11-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dar.vin/v4update

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 41 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1444-143-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-150-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-149-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-146-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-145-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-144-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-155-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-156-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-152-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-151-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-164-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-163-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-167-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-168-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-178-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-177-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-174-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-180-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-220-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-219-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-214-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-213-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-227-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-226-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-223-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-222-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-210-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-208-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-207-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-202-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-201-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-196-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-192-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-190-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-189-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-186-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-184-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-183-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-195-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-179-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza
behavioral1/memory/1444-173-0x00000290E8260000-0x00000290E845A000-memory.dmp	family_meduza

Meduza family
meduza

Executes dropped EXE 1 IoCs

Processes:

f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

pid	Process
1444	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	api.ipify.org
30	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
4508	cmd.exe
3316	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\UpdateV4.zip:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3316	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exef236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

pid	Process
2792	msedge.exe
2792	msedge.exe
5000	msedge.exe
5000	msedge.exe
4496	identity_helper.exe
4496	identity_helper.exe
1044	msedge.exe
1044	msedge.exe
1924	msedge.exe
1924	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
1444	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe
1444	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Solara.exef236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

description	pid	Process
Token: SeDebugPrivilege	1188	Solara.exe
Token: SeDebugPrivilege	1444	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe
Token: SeImpersonatePrivilege	1444	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	Process
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe
5000	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

pid	Process
1444	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 5000 wrote to memory of 2492	5000	msedge.exe	77
PID 5000 wrote to memory of 2492	5000	msedge.exe	77
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2116	5000	msedge.exe	78
PID 5000 wrote to memory of 2792	5000	msedge.exe	79
PID 5000 wrote to memory of 2792	5000	msedge.exe	79
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80
PID 5000 wrote to memory of 3556	5000	msedge.exe	80

outlook_office_path 1 IoCs

Processes:

f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

outlook_win_path 1 IoCs

Processes:

f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://dar.vin/v4update
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffb56823cb8,0x7ffb56823cc8,0x7ffb56823cd8
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,5147363894091368420,3549516551135309565,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6240 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1412

C:\Users\Admin\Documents\New_Update\Solara.exe
"C:\Users\Admin\Documents\New_Update\Solara.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188
- C:\Users\Admin\AppData\Local\Temp\786ccb35-8cf2-46e7-9233-9ec37dfcdf13\f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe
  "C:\Users\Admin\AppData\Local\Temp\786ccb35-8cf2-46e7-9233-9ec37dfcdf13\f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1444
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\786ccb35-8cf2-46e7-9233-9ec37dfcdf13\f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4508
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
1a1e12ead9f43b27dea314140456ab55

SHA1
f6855fe2b8e4c224e9b4c9fd04d5ec089c9a75d3

SHA256
6b84acb0aafcd2a60b43a4c5d067314bb208cddaf610531be59e596b2a6605d7

SHA512
59f0e95468cb8803b5ff30653f7beff44144dab53499bbea81813d9c2e4a40ee91a097b90ea2c503aff2cc670b6faf397cd270e761cc7521bb6e479af0a86ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
3586f9fd77095cd63bb9ba0d13af4472

SHA1
8eaf5cbc9ea67a54c3790d7aebbb50afb3c8e906

SHA256
74808384a6bfdb261328a49e1a22f6bcf9e00496e14940ab4b1df345b943fa1e

SHA512
a10d30e8867a70420ce72e7ad739551ec677bc90ccc9638fdbef35cc41581f08a0db17298af2b7abd6dc28791548cdc6b43f9a5d6b506a199c0b9aff58dd92a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
667f03a357ce3e938bb3e9fd8d065996

SHA1
69fb19c133977a8d9d144fa19819e6eae263d552

SHA256
07d2accebbf50bfd0c55359f451636f2b35395c46417f058de73bfa8fde4d0ed

SHA512
7a1721c94f0cf7841ae3a42d0b94613e28c17a29627077d90a33a705188bcdcc605206bee28246249d1d0589172380005084c61d73d823a76178f4fdeab6a3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
330B

MD5
65e6b3aa7b7020bbc70877e5a7c5a862

SHA1
83d2a59848570458bc9484833ee2ac30436b92ce

SHA256
b2d050fc35aa581ba8d776bbff9b3985920058f79c9c133b21d6aa56640a98f8

SHA512
70b03e4d1d0d26d81a8f037c8146f9600bd9ffac973d983f510b4f22e47630cb4d27a3349c6c6644617354a19246e102402fb5331e10fcd9614ebebd39150f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7258eb523ade3ffebb42720f73bf24ba

SHA1
02b33b8dca819ff6c444f5d97e54b251e29478dd

SHA256
f76b9fed56b204a69680559be13f4eb1318f87ebb7070fecba455d7771bb6350

SHA512
d58573c5e93956f1d9dc7d34442a422558c501295d0927014fb1daa74475257444249f4d86ad799797a91e8a8ff57562abcedaca60030b26ff6c7bc17cfad1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7f1468983f598b929bb599fc9ba65986

SHA1
3ea6a00d9a837b4f6ca41dca5c3bbe2cd09bee9a

SHA256
46b204f5f67d86c8790270d3e91cccff179ec98ce6f83050319c8357ad1fb38f

SHA512
aeedbda5dd3df541283beef6e164a8076da18edf27945d50d4a72d7e32d55b44b26ab783e905e1948510bcf71641c9efc279e44b53fedf38049fc091c473efa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b2ef5032a1d9a0bb5f868a40f8eb1e4

SHA1
f266bf45a9024b3e9c207c929216b04bf6dd2eda

SHA256
d63d259cffcfc81824f651992369f909dbb0d40319a9a3e8d424bc7f4230bfd3

SHA512
646fbbe520f056da734364c0be878d74108f928d2acbf8a1abf070d6439a7f485a625a0ef89f590e4867d101f7c8e9f64117437b0334b56db975f36d740c8285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cd52882ca918ab067eb0dfcadf32f55f

SHA1
e301a995580314477e125aeb2c91339035c61246

SHA256
81a0414aac17aa31487730f1ea2a1763e54ea40806d9396cddc5f96c7585568c

SHA512
ccf2b94fc4903466a035b938f4bebdba3f60af49441a4ab6fa67e75985d89a6349bbe8d4e7e1c33979baaafbbe8b533b06add062a18de317abd134510c0e5d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\786ccb35-8cf2-46e7-9233-9ec37dfcdf13\f236d4a5-c32e-4fec-95fe-9ed602b73b73.exe

Filesize
3.2MB

MD5
b70619f58c714eed8049ef98017fded2

SHA1
12b7feec33c78ddec2fc1911e75352d9fa1d51db

SHA256
b3de734dba8b62d2967ceb30c2390614c5f71a079798f2dbace9bd01f497604c

SHA512
44fb1cfe83a8eb550bc90f77ae0467c17d8da30599bb484a4cbe08ef6ec7b15471aeac4520739ee2031da0522d6b11f739c9635bc0030848e45a3473998d7052

Download Submit
C:\Users\Admin\Downloads\UpdateV4.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_5000_VRDIFVZFLLRCRDLT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1188-127-0x000001B0D0C10000-0x000001B0D1C10000-memory.dmp

Filesize
16.0MB

Download
memory/1444-168-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-227-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-140-0x00007FFB654C0000-0x00007FFB656C9000-memory.dmp

Filesize
2.0MB

Download
memory/1444-141-0x00000290E81E0000-0x00000290E81E1000-memory.dmp

Filesize
4KB

Download
memory/1444-155-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-156-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-152-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-151-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-164-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-163-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-167-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-145-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-146-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-178-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-177-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-174-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-180-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-220-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-219-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-214-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-213-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-144-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-226-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-223-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-222-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-210-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-208-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-207-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-202-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-201-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-196-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-192-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-190-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-189-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-186-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-184-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-183-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-195-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-179-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-173-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-149-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-150-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download
memory/1444-143-0x00000290E8260000-0x00000290E845A000-memory.dmp

Filesize
2.0MB

Download