Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 11-04-2022 02:57

Static task: static1

Behavioral task: behavioral1
- Sample: 8.exe
- Resource: win7-20220311-en

Behavioral task: behavioral2
- Sample: 8.exe
- Resource: win10v2004-20220331-en
General
- Target: 8.exe
- Size: 1.4MB
- MD5: d1a30dcdf2bc6b49b6472ca8bd35751b
- SHA1: 874e9436d4f9fb6e752b5937f032186501bf16aa
- SHA256: 03752193cdcfed264b430381b7634c2a27cce45e3c3fc0b85470017afbdb54d8
- SHA512: b3eeef39477c6776ad78ee14c08fff7173ae8ad7ca1caea77ae5602dd122dddfa02837d5d062eb687aa211ddc931b3d9d1c8c3725d30e684f84057aed5ee28aa
Malware Config
Extracted
- Family: redline
- C2: 104.244.76.137:4487
- auth_value: 67c42657a2dc51f3323efd90a04a2b03
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 1 IoCs
- resource: behavioral2/memory/1656-197-0x0000000000400000-0x0000000000420000-memory.dmp, yara_rule: family_redline

Executes dropped EXE 2 IoCs
- PID 5080, process s.exe
- PID 4192, process setup.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation (process 8.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation (process setup.exe)

Drops startup file 2 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat (process cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat (process cmd.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run (process msedge.exe)

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Suspicious use of SetThreadContext 1 IoCs
- PID 5080 (s.exe) set thread context of PID 1656, procid_target 124

Drops file in Program Files directory 2 IoCs
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ff8df2c8-c88a-4fd7-98bb-3f22fc2f04d9.tmp (process setup.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220411045900.pma (process setup.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
- PID 2980 (WerFault.exe), pid_target 4192, procid_target 85

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4872, process schtasks.exe
- PID 2872, process schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process msedge.exe)

Modifies registry class 1 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process msedge.exe)
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 2248 powershell.exe 2248 powershell.exe 4192 setup.exe 4192 setup.exe 4976 powershell.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4192 setup.exe 4976 powershell.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 3272 identity_helper.exe 3272 identity_helper.exe 1656 AppLaunch.exe 1656 AppLaunch.exe 5464 msedge.exe 5464 msedge.exe 5464 msedge.exe 5464 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
- Token: SeDebugPrivilege, PID 4192, process setup.exe
- Token: SeDebugPrivilege, PID 2248, process powershell.exe
- Token: SeDebugPrivilege, PID 4976, process powershell.exe
- Token: SeDebugPrivilege, PID 1656, process AppLaunch.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 5080 540 8.exe 82 PID 540 wrote to memory of 5080 540 8.exe 82 PID 540 wrote to memory of 5080 540 8.exe 82 PID 540 wrote to memory of 4192 540 8.exe 85 PID 540 wrote to memory of 4192 540 8.exe 85 PID 540 wrote to memory of 580 540 8.exe 86 PID 540 wrote to memory of 580 540 8.exe 86 PID 540 wrote to memory of 580 540 8.exe 86 PID 540 wrote to memory of 2296 540 8.exe 88 PID 540 wrote to memory of 2296 540 8.exe 88 PID 540 wrote to memory of 2296 540 8.exe 88 PID 5080 wrote to memory of 1964 5080 s.exe 89 PID 5080 wrote to memory of 1964 5080 s.exe 89 PID 5080 wrote to memory of 1964 5080 s.exe 89 PID 1964 wrote to memory of 4976 1964 cmd.exe 92 PID 1964 wrote to memory of 4976 1964 cmd.exe 92 PID 1964 wrote to memory of 4976 1964 cmd.exe 92 PID 4192 wrote to memory of 3104 4192 setup.exe 93 PID 4192 wrote to memory of 3104 4192 setup.exe 93 PID 4192 wrote to memory of 3104 4192 setup.exe 93 PID 4192 wrote to memory of 3620 4192 setup.exe 94 PID 4192 wrote to memory of 3620 4192 setup.exe 94 PID 4192 wrote to memory of 4872 4192 setup.exe 96 PID 4192 wrote to memory of 4872 4192 setup.exe 96 PID 4192 wrote to memory of 2872 4192 setup.exe 98 PID 4192 wrote to memory of 2872 4192 setup.exe 98 PID 4192 wrote to memory of 2248 4192 setup.exe 100 PID 4192 wrote to memory of 2248 4192 setup.exe 100 PID 2296 wrote to memory of 4432 2296 cmd.exe 102 PID 2296 wrote to memory of 4432 2296 cmd.exe 102 PID 4432 wrote to memory of 3032 4432 msedge.exe 103 PID 4432 wrote to memory of 3032 4432 msedge.exe 103 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 
msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109 PID 4432 wrote to memory of 3816 4432 msedge.exe 109
Processes
(each process is listed as image path with PID, then its command line, then the signatures it triggered; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\8.exe (PID 540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\Temp\s.exe (PID 5080)
    Command line: "C:\Windows\Temp\s.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1964)
      Command line: C:\Windows\system32\cmd.exe /c powershell.exe -windowstyle hidden Sleep 5
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4976)
        Command line: powershell.exe -windowstyle hidden Sleep 5
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1656)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Temp\setup.exe (PID 4192)
    Command line: "C:\Windows\Temp\setup.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3104)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    C:\Windows\System32\schtasks.exe (PID 3620)
      Command line: "C:\Windows\System32\schtasks.exe" /delete /tn WindowsService /f

    C:\Windows\System32\schtasks.exe (PID 4872)
      Command line: "C:\Windows\System32\schtasks.exe" /create /tn WindowsService /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /sc onlogon /rl highest
      - Creates scheduled task(s)

    C:\Windows\System32\schtasks.exe (PID 2872)
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn WindowsServiceUpload /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /f /rl highest
      - Creates scheduled task(s)

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2248)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Folder'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\WerFault.exe (PID 2980)
      Command line: C:\Windows\system32\WerFault.exe -u -p 4192 -s 2140
      - Program crash

  C:\Windows\SysWOW64\cmd.exe (PID 580)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "
    - Drops startup file

  C:\Windows\SysWOW64\cmd.exe (PID 2296)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4432)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://methodmedia.biz/?p=gmzgcobuge5gi3bpgu4dkmbz
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3032)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffed40e46f8,0x7ffed40e4708,0x7ffed40e4718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3816)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5076)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4360)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3160)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3752)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1924)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4984)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5580 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 628)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3872)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2340)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4068)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4164)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x10c,0x230,0x108,0x7ff622c85460,0x7ff622c85470,0x7ff622c85480

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3272)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4528)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2092)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5664)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7156 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5372)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7092 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5464)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4904 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5756)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1348 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5804)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,222311100425206110,18205354862516717614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5804 /prefetch:8

C:\Windows\system32\WerFault.exe (PID 4880)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 404 -p 4192 -ip 4192

C:\Windows\System32\CompPkgSrv.exe (PID 612)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe (PID 2248)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Enterprise v6
Downloads