redline | 03752193cdcfed264b430381b7634c2a27cce45e3c3fc0b85470017afbdb54d8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
11-04-2022 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8.exe
Size

1.4MB
MD5

d1a30dcdf2bc6b49b6472ca8bd35751b
SHA1

874e9436d4f9fb6e752b5937f032186501bf16aa
SHA256

03752193cdcfed264b430381b7634c2a27cce45e3c3fc0b85470017afbdb54d8
SHA512

b3eeef39477c6776ad78ee14c08fff7173ae8ad7ca1caea77ae5602dd122dddfa02837d5d062eb687aa211ddc931b3d9d1c8c3725d30e684f84057aed5ee28aa

Score

10^/10

redline infostealer persistence spyware

Malware Config

Extracted

Family

redline

104.244.76.137:4487

Attributes

auth_value
67c42657a2dc51f3323efd90a04a2b03

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1656-197-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
5080	s.exe
4192	setup.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation	8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation	setup.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5080 set thread context of 1656	5080	s.exe	124

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ff8df2c8-c88a-4fd7-98bb-3f22fc2f04d9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220411045900.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	4192	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4872	schtasks.exe
2872	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
2248	powershell.exe
2248	powershell.exe
4192	setup.exe
4192	setup.exe
4976	powershell.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4192	setup.exe
4976	powershell.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
3272	identity_helper.exe
3272	identity_helper.exe
1656	AppLaunch.exe
1656	AppLaunch.exe
5464	msedge.exe
5464	msedge.exe
5464	msedge.exe
5464	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	setup.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	1656	AppLaunch.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 5080	540	8.exe	82
PID 540 wrote to memory of 5080	540	8.exe	82
PID 540 wrote to memory of 5080	540	8.exe	82
PID 540 wrote to memory of 4192	540	8.exe	85
PID 540 wrote to memory of 4192	540	8.exe	85
PID 540 wrote to memory of 580	540	8.exe	86
PID 540 wrote to memory of 580	540	8.exe	86
PID 540 wrote to memory of 580	540	8.exe	86
PID 540 wrote to memory of 2296	540	8.exe	88
PID 540 wrote to memory of 2296	540	8.exe	88
PID 540 wrote to memory of 2296	540	8.exe	88
PID 5080 wrote to memory of 1964	5080	s.exe	89
PID 5080 wrote to memory of 1964	5080	s.exe	89
PID 5080 wrote to memory of 1964	5080	s.exe	89
PID 1964 wrote to memory of 4976	1964	cmd.exe	92
PID 1964 wrote to memory of 4976	1964	cmd.exe	92
PID 1964 wrote to memory of 4976	1964	cmd.exe	92
PID 4192 wrote to memory of 3104	4192	setup.exe	93
PID 4192 wrote to memory of 3104	4192	setup.exe	93
PID 4192 wrote to memory of 3104	4192	setup.exe	93
PID 4192 wrote to memory of 3620	4192	setup.exe	94
PID 4192 wrote to memory of 3620	4192	setup.exe	94
PID 4192 wrote to memory of 4872	4192	setup.exe	96
PID 4192 wrote to memory of 4872	4192	setup.exe	96
PID 4192 wrote to memory of 2872	4192	setup.exe	98
PID 4192 wrote to memory of 2872	4192	setup.exe	98
PID 4192 wrote to memory of 2248	4192	setup.exe	100
PID 4192 wrote to memory of 2248	4192	setup.exe	100
PID 2296 wrote to memory of 4432	2296	cmd.exe	102
PID 2296 wrote to memory of 4432	2296	cmd.exe	102
PID 4432 wrote to memory of 3032	4432	msedge.exe	103
PID 4432 wrote to memory of 3032	4432	msedge.exe	103
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109
PID 4432 wrote to memory of 3816	4432	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\Temp\s.exe
  "C:\Windows\Temp\s.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe -windowstyle hidden Sleep 5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden Sleep 5
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\Temp\setup.exe
  "C:\Windows\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3104
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn WindowsService /f
    3⤵
    PID:3620
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn WindowsService /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /sc onlogon /rl highest
    3⤵
    - Creates scheduled task(s)
    PID:4872
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn WindowsServiceUpload /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /f /rl highest
    3⤵
    - Creates scheduled task(s)
    PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Folder'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4192 -s 2140
    3⤵
    - Program crash
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "
  2⤵
  - Drops startup file
  PID:580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://methodmedia.biz/?p=gmzgcobuge5gi3bpgu4dkmbz
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffed40e46f8,0x7ffed40e4708,0x7ffed40e4718
      4⤵
      PID:3032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:3816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:3160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:3752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 /prefetch:8
      4⤵
      PID:1924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5580 /prefetch:8
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
      4⤵
      PID:628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
      4⤵
      PID:3872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      PID:2340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:4068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x10c,0x230,0x108,0x7ff622c85460,0x7ff622c85470,0x7ff622c85480
        5⤵
        
        PID:4164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
      4⤵
      PID:4528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
      4⤵
      PID:2092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7156 /prefetch:8
      4⤵
      PID:5664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7092 /prefetch:8
      4⤵
      PID:5372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4904 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1348 /prefetch:8
      4⤵
      PID:5756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5804 /prefetch:8
      4⤵
      PID:5804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4192 -ip 4192
1⤵
PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
1e14ce5f8c9c2a8689b29b76e919f929

SHA1
827ababe4f7d2bf2717496541a400fdb0369f00a

SHA256
0006d38094e94cd0ee533517e365e5c5371d6dd73d3b85416696695e6c89ce73

SHA512
2f1d121fc61f45f030e4d67041805bcaa95c3f0acfffd53291243c34baf12688de57f80fc8704bd7b4b65ef82ff9a47e1d06e7f49e0fbc3fa267a675696d0cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Windows\Temp\lol.bat

Filesize
62B

MD5
f95588de9545bb2369f424377a4c0289

SHA1
9e8e0876df2171cbca169e90965442f106cb0600

SHA256
70915616ff58efa0206685c04e9c3a1a02fc0a0e8a5396509552b1903d9c8097

SHA512
56d82f43863d181af70ce5b943ed9f23b1a18523cfc322cebce17a7f823ebf97420a2d38478fd4839bbcb1f9f659ad9bde965f7891e192b17dc4610e02b5b6f4

Download Submit
C:\Windows\Temp\run.bat

Filesize
98B

MD5
731afe244b2414169a5f630d52646e56

SHA1
e3771ccdccd8c306ee5fc4f264cfc3310690458c

SHA256
6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

SHA512
84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

Download Submit
C:\Windows\Temp\s.exe

Filesize
614KB

MD5
26e7d1de60933536b0fe88155a58724e

SHA1
6f2d643aa280b99fe8e40dcfb8d799c73c840256

SHA256
d0dc93ebcbc2f3e24319777c569ddf1bffb5fea53246d0ab89c5ae1bfc7b8372

SHA512
aa086b456b8c7e2f1327e25eeef11bd7af897808ed552fe02ee53bc4407c702a53a3faf2ed33541de35b4c42c0490afb5a1323c15dff32bcc845b0225c4ab1fb

Download Submit
C:\Windows\Temp\setup.exe

Filesize
878KB

MD5
7ca028a19309e87b89273d2e90b07bea

SHA1
44d849174cd79f41dc16bd13b6c5d653d88a514d

SHA256
de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

SHA512
f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

Download Submit
C:\Windows\Temp\setup.exe

Filesize
878KB

MD5
7ca028a19309e87b89273d2e90b07bea

SHA1
44d849174cd79f41dc16bd13b6c5d653d88a514d

SHA256
de2cee0578738c0809aff541e0b93d7371b0ffdaa5c467dbee4e9d1a4f26955d

SHA512
f302de5f37ddbbfc6edd36e7af915fe46125b11858148f28392108e2f5520c587baa213d31eeb35acb297c830cbeb95eb44926327eaa2585b81301a8b184a3c0

Download Submit
memory/1656-207-0x00000000066B0000-0x0000000006C54000-memory.dmp

Filesize
5.6MB

Download
memory/1656-212-0x0000000007930000-0x0000000007E5C000-memory.dmp

Filesize
5.2MB

Download
memory/1656-211-0x0000000007230000-0x00000000073F2000-memory.dmp

Filesize
1.8MB

Download
memory/1656-210-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/1656-203-0x0000000005550000-0x0000000005562000-memory.dmp

Filesize
72KB

Download
memory/1656-209-0x0000000006100000-0x0000000006176000-memory.dmp

Filesize
472KB

Download
memory/1656-202-0x0000000005AE0000-0x00000000060F8000-memory.dmp

Filesize
6.1MB

Download
memory/1656-215-0x0000000007130000-0x0000000007180000-memory.dmp

Filesize
320KB

Download
memory/1656-208-0x0000000005A20000-0x0000000005AB2000-memory.dmp

Filesize
584KB

Download
memory/1656-204-0x0000000005680000-0x000000000578A000-memory.dmp

Filesize
1.0MB

Download
memory/1656-197-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1656-205-0x00000000055B0000-0x00000000055EC000-memory.dmp

Filesize
240KB

Download
memory/2248-152-0x000001CFA1B43000-0x000001CFA1B45000-memory.dmp

Filesize
8KB

Download
memory/2248-151-0x000001CFA1B40000-0x000001CFA1B42000-memory.dmp

Filesize
8KB

Download
memory/2248-150-0x00007FFED9410000-0x00007FFED9ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2248-156-0x000001CFA2700000-0x000001CFA2722000-memory.dmp

Filesize
136KB

Download
memory/3816-168-0x00007FFEF6A70000-0x00007FFEF6A71000-memory.dmp

Filesize
4KB

Download
memory/4192-144-0x00000217CCAD0000-0x00000217CCADA000-memory.dmp

Filesize
40KB

Download
memory/4192-154-0x00000217CBDE9000-0x00000217CBDEF000-memory.dmp

Filesize
24KB

Download
memory/4192-148-0x00000217CBDE7000-0x00000217CBDE9000-memory.dmp

Filesize
8KB

Download
memory/4192-163-0x00000217CCC27000-0x00000217CCC2C000-memory.dmp

Filesize
20KB

Download
memory/4192-129-0x00000217B1930000-0x00000217B1938000-memory.dmp

Filesize
32KB

Download
memory/4192-133-0x00007FFED9410000-0x00007FFED9ED1000-memory.dmp

Filesize
10.8MB

Download
memory/4192-162-0x00000217CCC2C000-0x00000217CCC31000-memory.dmp

Filesize
20KB

Download
memory/4192-135-0x00000217CBDE0000-0x00000217CBDE2000-memory.dmp

Filesize
8KB

Download
memory/4192-153-0x00000217CCC24000-0x00000217CCC27000-memory.dmp

Filesize
12KB

Download
memory/4192-155-0x00000217CCC20000-0x00000217CCC24000-memory.dmp

Filesize
16KB

Download
memory/4192-147-0x00000217CBDE5000-0x00000217CBDE7000-memory.dmp

Filesize
8KB

Download
memory/4192-145-0x00000217CBDE3000-0x00000217CBDE5000-memory.dmp

Filesize
8KB

Download
memory/4976-161-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4976-181-0x0000000006190000-0x00000000061AA000-memory.dmp

Filesize
104KB

Download
memory/4976-158-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/4976-146-0x0000000000F10000-0x0000000000F46000-memory.dmp

Filesize
216KB

Download
memory/4976-165-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

Filesize
120KB

Download
memory/4976-160-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/4976-180-0x00000000072F0000-0x000000000796A000-memory.dmp

Filesize
6.5MB

Download
memory/4976-149-0x0000000004D90000-0x00000000053B8000-memory.dmp

Filesize
6.2MB

Download
memory/5080-138-0x0000000003320000-0x0000000003420000-memory.dmp

Filesize
1024KB

Download
memory/5080-134-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download