redline | 18d2e2fb3c22f506e85bf2c858bb511b032bb373f5e3b5e34cfb0749e3032e3a

Analysis

max time kernel
1711s
max time network
1723s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
07-03-2022 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FilesSetup.exe
Size

350.8MB
MD5

9c6ef6eedc7016c5fba6ba8920255042
SHA1

a0961165ea07828f3bf86a227d85abb8d4b11818
SHA256

18d2e2fb3c22f506e85bf2c858bb511b032bb373f5e3b5e34cfb0749e3032e3a
SHA512

c2234d3d2256036c702cfba0da2327b67ee08580e67e0fe2f76ca181493adfa2a1de0f0d351dfdca90a01f142ad312aae391ef04aa353ced5e497b49979dfacd

Score

10^/10

redline dsf discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dsf

185.215.113.72:61983

Attributes

auth_value
b821593a97a1337ef8c5a6c45313524a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/996-130-0x0000000000A50000-0x0000000000E37000-memory.dmp	family_redline
behavioral2/memory/996-132-0x0000000000A50000-0x0000000000E37000-memory.dmp	family_redline
behavioral2/memory/996-134-0x0000000000A50000-0x0000000000E37000-memory.dmp	family_redline
behavioral2/memory/996-137-0x0000000000A50000-0x0000000000E37000-memory.dmp	family_redline
behavioral2/memory/996-139-0x0000000000A50000-0x0000000000E37000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

FilesSetup.exe

pid process

996 FilesSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dbdcf536-730f-41b7-ab7a-4a89e9abe199.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220307174441.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

FilesSetup.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
996	FilesSetup.exe
996	FilesSetup.exe
2520	msedge.exe
2520	msedge.exe
2748	msedge.exe
2748	msedge.exe
4008	identity_helper.exe
4008	identity_helper.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

2748 msedge.exe
2748 msedge.exe
2748 msedge.exe
2748 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FilesSetup.exe

description pid process

Token: SeDebugPrivilege 996 FilesSetup.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2748 msedge.exe
2748 msedge.exe

pid	process
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe
2748	msedge.exe

description	pid	process
Token: SeDebugPrivilege	996	FilesSetup.exe

pid	process
2748	msedge.exe
2748	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FilesSetup.exemsedge.exe

description	pid	process	target process
PID 996 wrote to memory of 2748	996	FilesSetup.exe	msedge.exe
PID 996 wrote to memory of 2748	996	FilesSetup.exe	msedge.exe
PID 2748 wrote to memory of 1652	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1652	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1048	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2520	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 2520	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe
PID 2748 wrote to memory of 1976	2748	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\FilesSetup.exe
"C:\Users\Admin\AppData\Local\Temp\FilesSetup.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1bjue7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc418846f8,0x7ffc41884708,0x7ffc41884718
3⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
3⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
3⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
3⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 /prefetch:8
3⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
3⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff643885460,0x7ff643885470,0x7ff643885480
4⤵
PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
3⤵
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
3⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5768 /prefetch:8
3⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3404 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
3⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:8
3⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:8
3⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3324 /prefetch:8
3⤵
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1728 /prefetch:8
3⤵
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:8
3⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,8943206894081295973,765078639614831686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
3⤵
PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Advertising
MD5
4e9962558e74db5038d8073a5b3431aa

SHA1
3cd097d9dd4b16a69efbb0fd1efe862867822146

SHA256
6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279

SHA512
fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Analytics
MD5
fad197d6ffd32d1268b9e7e8d13ab32a

SHA1
b0129887a75965bb2ef56a2c39d3231e5b87265d

SHA256
4e446af739e1a06b48a73607e9441bc4aa34ceafd808ff845864408179a4d2c3

SHA512
01d9f588bfa315e316ff0ff4a15a0a49144fd77ee89960882cd528d7f7a277b086667cea2357c3ca2bd16a2b3f4aeb7fcaf473501b499101be68acbe1e0126cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\CompatExceptions
MD5
900263477e1368869fbf1be99990c878

SHA1
e56e199aa4119f3cc4c4d46f96daea89bbf9685a

SHA256
7f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4

SHA512
1035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Content
MD5
94c183b842784d0ae69f8aa57c8ac015

SHA1
c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd

SHA256
aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25

SHA512
5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Cryptomining
MD5
8c31feb9c3faaa9794aa22ce9f48bfbd

SHA1
f5411608a15e803afc97961b310bb21a6a8bd5b6

SHA256
6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d

SHA512
ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Entities
MD5
0d37c9d98f35f2c6524bd9b874ec93ed

SHA1
87d2d1149db8a1c2d91bc8d2d6e2827d2d8850f5

SHA256
19ce05d2716fae5d0d6e2067a7a624c0fa7f8b02486d9469861fd30cf1c499ac

SHA512
68e73804a144cbe7287c2136ab1986c4e2a97c497d5bfd36ef5db0f1fb1b4a28839d63d83019082ce61af9b42853934888ce05d6b28350742776b97fa310a575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Fingerprinting
MD5
b51076d21461e00fcbf3dbd2c9e96b2b

SHA1
31311536cf570f2f9c88d21f03a935ac6e233231

SHA256
21a8d3e85d76761a1aab9dca765efef5dfa08d49db037befd91833e4639dd993

SHA512
3e193220ddddc47ecea32a2f777e55faa12c7a8052323455c8d7a89c01048155c77ae009fd0f5bebea89f1fae4a88b6b3ceca4e808064f474ea5b3a9497598cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Other
MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Mu\Social
MD5
152b745da17397ed5a2f3059bb157600

SHA1
47bf4e575ba1acf47dcc99f1800f753b4cc65ef6

SHA256
ef994058a637f7b1b47c31c8670977084d1f86cc21a196920aa87f8ed31e98e8

SHA512
4984a8a46eb452b3c62f2c2ca8c9d999de37c39895ad9a9ed91d12a7731b1cd227f335829f7a6927f19cd8bf4dd7d6749fc853461a46fc97853d5b9e23171d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Advertising
MD5
d024831cae8599f0edee70275d99e843

SHA1
69e08b543802b130da5305cbb0140bda5601079c

SHA256
0b75817b9ce2164f52e537c66bbff0fe53024bf9a00fb193efd63fe48f34a978

SHA512
ee1096446f6a17bc3fde9aadb418ca4b2db5132cdde1e429300487aaf4d8b9865a3bbc95d3a3198cde137a6395f69c035b74a72f74edc22a490bccc3320b0b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Analytics
MD5
4cefbb980962973a354915a49d1b0f4d

SHA1
1d20148cab5cdadb85fad6041262584a12c2745d

SHA256
66de8db363de02974a1471153112e51f014bb05936ce870c433fd9a85b34455a

SHA512
6a088bbc6c40454165ddee3183667d2997dca5fcc8312f69e3c2397e61255e49b5146b24c2c64cd3c8867289e3abfdf1155e47722fdd8276f96d51e8f311d4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Content
MD5
7f077f40c2d1ce8e95faa8fdb23ed8b4

SHA1
2c329e3e20ea559974ddcaabc2c7c22de81e7ad2

SHA256
bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf

SHA512
c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Cryptomining
MD5
4ec1eda0e8a06238ff5bf88569964d59

SHA1
a2e78944fcac34d89385487ccbbfa4d8f078d612

SHA256
696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5

SHA512
c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Entities
MD5
ba60431b366f83677a5bf1a2e4601799

SHA1
83f828c27de5429e25c38c36ba77e069d5c7b2de

SHA256
ab895ef5f75efd49dbb4fcdf7529e50ca622d13433e067bcf8a1f1127a944da3

SHA512
aa9ff0374fb3d4bff7ee5a78dd5ace340da4af1a844f453a40b2723a91b32e6e3f4bd736fb3f3cb210b016109660a7b5cc8440901c6bb410e61530286a4e0200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Fingerprinting
MD5
a004023825237dadc8f934758ff9eaf2

SHA1
c981a900b5ce63884635cedfe5ba722416021cb2

SHA256
3c4e82aae615a7bed985b4544afecb774b728df1cc9f7561ea25b97482119ef7

SHA512
e49667fca51a6497ccae9b881d679b857c025f2945ab93c9a6769b1c0a632329993daefab6eda9ed70a32a75630d7b3d93dda5acda8ff87ffe5f090ca7b35e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Other
MD5
c6c7f3ee1e17acbff6ac22aa89b02e4e

SHA1
bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b

SHA256
a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4

SHA512
86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Social
MD5
976b1cf7e3442f88cd8ba26d3f0965bb

SHA1
b75438dc71de4ac761d94a215ddbffadcd1225b0

SHA256
decde67630f29fc003cb1f2ccbd7371a05079985a9cce93ec93c4fadd8dc5541

SHA512
d0472fed72e1eb0a7747a693a0e654fbe92dd028db3cc42377810d90474dd4099ac981cca333eb52c18e75ed04a1f1f79f3bf5957fe8b16086f1252b3454b8d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.21\Sigma\Staging
MD5
9ca5eb41a53645be63d247ad8a9a7869

SHA1
2e98b04b5a2efb04d20bc7fe51b05c4e4841205b

SHA256
f67c58a61ddef715b01debc66ddc0e3c365295ac9870328f6b8bdbcb02a6b8c9

SHA512
7dd7d295ccce957490f025eef124b22c809f140a96003126b801bbbdd94eb2115ee59e7d16dd1f020b1d6eaaff66853b9de2cbf7092c1692f40dbe21ab346fd8

Download Submit
\??\pipe\LOCAL\crashpad_2748_OXEOUQYUVMNLPIQK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/996-141-0x0000000076340000-0x00000000768F3000-memory.dmp

Filesize
5.7MB

Download
memory/996-143-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/996-151-0x00000000061E0000-0x0000000006256000-memory.dmp

Filesize
472KB

Download
memory/996-152-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/996-153-0x0000000006D80000-0x0000000006F42000-memory.dmp

Filesize
1.8MB

Download
memory/996-154-0x0000000007480000-0x00000000079AC000-memory.dmp

Filesize
5.2MB

Download
memory/996-131-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/996-149-0x0000000006600000-0x0000000006BA4000-memory.dmp

Filesize
5.6MB

Download
memory/996-148-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/996-147-0x0000000005110000-0x0000000005728000-memory.dmp

Filesize
6.1MB

Download
memory/996-146-0x000000006E4C0000-0x000000006E50C000-memory.dmp

Filesize
304KB

Download
memory/996-145-0x0000000005250000-0x000000000528C000-memory.dmp

Filesize
240KB

Download
memory/996-144-0x0000000005300000-0x000000000540A000-memory.dmp

Filesize
1.0MB

Download
memory/996-150-0x0000000006140000-0x00000000061D2000-memory.dmp

Filesize
584KB

Download
memory/996-142-0x0000000005730000-0x0000000005D48000-memory.dmp

Filesize
6.1MB

Download
memory/996-130-0x0000000000A50000-0x0000000000E37000-memory.dmp

Filesize
3.9MB

Download
memory/996-140-0x0000000072CB0000-0x0000000072D39000-memory.dmp

Filesize
548KB

Download
memory/996-139-0x0000000000A50000-0x0000000000E37000-memory.dmp

Filesize
3.9MB

Download
memory/996-138-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/996-137-0x0000000000A50000-0x0000000000E37000-memory.dmp

Filesize
3.9MB

Download
memory/996-136-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/996-135-0x0000000076DD0000-0x0000000076FE5000-memory.dmp

Filesize
2.1MB

Download
memory/996-134-0x0000000000A50000-0x0000000000E37000-memory.dmp

Filesize
3.9MB

Download
memory/996-133-0x0000000002720000-0x0000000002766000-memory.dmp

Filesize
280KB

Download
memory/996-132-0x0000000000A50000-0x0000000000E37000-memory.dmp

Filesize
3.9MB

Download
memory/1976-163-0x00007FFC4F840000-0x00007FFC4F841000-memory.dmp

Filesize
4KB

Download