mystic | 83f9ac8f5c2c168f911f7c15829ee95c60cf3124533493e7d4af8fccd21808c1

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe
Size

876KB
MD5

066bb534adef3007b59a440df554a6c6
SHA1

2bd0c128ee738a1761ada12b9f097b8fa82a49ed
SHA256

3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf
SHA512

4174a8b175a1ba4aa8fd1d9b0bb51224cf6a9b6d6b00a0d08841716a203b540e02d3df6119d0ba6f99beb26a2704bbb7a61b04cefabe6a2d9efe618c2330a97c
SSDEEP

24576:AykgzpSUtBf1kZd2NqLeHdcOBla4TyouFzZRf3gD:HkWpV1kWHj84eTZR/g

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3612-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3612-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3612-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3612-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3748-48-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	5Ln7gt9.exe

Executes dropped EXE 8 IoCs

pid	Process
2504	FI3gq62.exe
4612	db2FL06.exe
3632	Ta8tZ82.exe
1904	1xy55nF7.exe
2264	2Ev9506.exe
4580	3yf84jj.exe
4392	4xl958hh.exe
2832	5Ln7gt9.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	FI3gq62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	db2FL06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ta8tZ82.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 4888	1904	1xy55nF7.exe	100
PID 2264 set thread context of 3612	2264	2Ev9506.exe	114
PID 4580 set thread context of 2540	4580	3yf84jj.exe	121
PID 4392 set thread context of 3748	4392	4xl958hh.exe	132

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2940	1904	WerFault.exe	97
3756	2264	WerFault.exe	105
100	3612	WerFault.exe	114
2588	4580	WerFault.exe	119
1000	4392	WerFault.exe	124

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{EE5A2137-C64D-4E27-8A19-297D396B4354}	msedge.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4888	AppLaunch.exe
4888	AppLaunch.exe
4888	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2504	3940	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	93
PID 3940 wrote to memory of 2504	3940	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	93
PID 3940 wrote to memory of 2504	3940	3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe	93
PID 2504 wrote to memory of 4612	2504	FI3gq62.exe	95
PID 2504 wrote to memory of 4612	2504	FI3gq62.exe	95
PID 2504 wrote to memory of 4612	2504	FI3gq62.exe	95
PID 4612 wrote to memory of 3632	4612	db2FL06.exe	96
PID 4612 wrote to memory of 3632	4612	db2FL06.exe	96
PID 4612 wrote to memory of 3632	4612	db2FL06.exe	96
PID 3632 wrote to memory of 1904	3632	Ta8tZ82.exe	97
PID 3632 wrote to memory of 1904	3632	Ta8tZ82.exe	97
PID 3632 wrote to memory of 1904	3632	Ta8tZ82.exe	97
PID 1904 wrote to memory of 4888	1904	1xy55nF7.exe	100
PID 1904 wrote to memory of 4888	1904	1xy55nF7.exe	100
PID 1904 wrote to memory of 4888	1904	1xy55nF7.exe	100
PID 1904 wrote to memory of 4888	1904	1xy55nF7.exe	100
PID 1904 wrote to memory of 4888	1904	1xy55nF7.exe	100
PID 1904 wrote to memory of 4888	1904	1xy55nF7.exe	100
PID 1904 wrote to memory of 4888	1904	1xy55nF7.exe	100
PID 1904 wrote to memory of 4888	1904	1xy55nF7.exe	100
PID 3632 wrote to memory of 2264	3632	Ta8tZ82.exe	105
PID 3632 wrote to memory of 2264	3632	Ta8tZ82.exe	105
PID 3632 wrote to memory of 2264	3632	Ta8tZ82.exe	105
PID 2264 wrote to memory of 4348	2264	2Ev9506.exe	111
PID 2264 wrote to memory of 4348	2264	2Ev9506.exe	111
PID 2264 wrote to memory of 4348	2264	2Ev9506.exe	111
PID 2264 wrote to memory of 2200	2264	2Ev9506.exe	112
PID 2264 wrote to memory of 2200	2264	2Ev9506.exe	112
PID 2264 wrote to memory of 2200	2264	2Ev9506.exe	112
PID 2264 wrote to memory of 2140	2264	2Ev9506.exe	113
PID 2264 wrote to memory of 2140	2264	2Ev9506.exe	113
PID 2264 wrote to memory of 2140	2264	2Ev9506.exe	113
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 2264 wrote to memory of 3612	2264	2Ev9506.exe	114
PID 4612 wrote to memory of 4580	4612	db2FL06.exe	119
PID 4612 wrote to memory of 4580	4612	db2FL06.exe	119
PID 4612 wrote to memory of 4580	4612	db2FL06.exe	119
PID 4580 wrote to memory of 2540	4580	3yf84jj.exe	121
PID 4580 wrote to memory of 2540	4580	3yf84jj.exe	121
PID 4580 wrote to memory of 2540	4580	3yf84jj.exe	121
PID 4580 wrote to memory of 2540	4580	3yf84jj.exe	121
PID 4580 wrote to memory of 2540	4580	3yf84jj.exe	121
PID 4580 wrote to memory of 2540	4580	3yf84jj.exe	121
PID 2504 wrote to memory of 4392	2504	FI3gq62.exe	124
PID 2504 wrote to memory of 4392	2504	FI3gq62.exe	124
PID 2504 wrote to memory of 4392	2504	FI3gq62.exe	124
PID 4392 wrote to memory of 1876	4392	4xl958hh.exe	130
PID 4392 wrote to memory of 1876	4392	4xl958hh.exe	130
PID 4392 wrote to memory of 1876	4392	4xl958hh.exe	130
PID 4392 wrote to memory of 4256	4392	4xl958hh.exe	131
PID 4392 wrote to memory of 4256	4392	4xl958hh.exe	131
PID 4392 wrote to memory of 4256	4392	4xl958hh.exe	131
PID 4392 wrote to memory of 3748	4392	4xl958hh.exe	132
PID 4392 wrote to memory of 3748	4392	4xl958hh.exe	132
PID 4392 wrote to memory of 3748	4392	4xl958hh.exe	132
PID 4392 wrote to memory of 3748	4392	4xl958hh.exe	132

C:\Users\Admin\AppData\Local\Temp\3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe
"C:\Users\Admin\AppData\Local\Temp\3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FI3gq62.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FI3gq62.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\db2FL06.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\db2FL06.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ta8tZ82.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ta8tZ82.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xy55nF7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xy55nF7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 556
        6⤵
        Program crash
        
        PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ev9506.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ev9506.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4348
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2200
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2140
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 544
        7⤵
        Program crash
        
        PID:100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 588
        6⤵
        Program crash
        
        PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yf84jj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yf84jj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        
        PID:2540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 136
        5⤵
        Program crash
        
        PID:2588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xl958hh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xl958hh.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 580
      4⤵
      Program crash
      PID:1000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ln7gt9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ln7gt9.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2832
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2565.tmp\2566.tmp\2567.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ln7gt9.exe"
    3⤵
    PID:100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:2232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1904 -ip 1904
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2264 -ip 2264
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3612 -ip 3612
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4580 -ip 4580
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4392 -ip 4392
1⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4172 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:1
1⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3664 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:1
1⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5288 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:1
1⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4976 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:1
1⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4968 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5492 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:1
1⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6260 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6508 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6680 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6392 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6160 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565.tmp\2566.tmp\2567.bat

Filesize
124B

MD5
dec89e5682445d71376896eac0d62d8b

SHA1
c5ae3197d3c2faf3dea137719c804ab215022ea6

SHA256
c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668

SHA512
b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ln7gt9.exe

Filesize
87KB

MD5
c7f3fd22f3865b6770fc7560515ad2b1

SHA1
124a75b572209da7f39959ad82ca4738917cf631

SHA256
34d9c803544fe8b7d82027b68237413e6137b0479d068bbb392cb1dded25b37f

SHA512
2cf27f86a6e47ec158a3c47b537c1727c033b5148d39b2ffef00168a46072e982c58425a7cc5d30ff65c9de6f9194002b848a72761d77aca7c06fd39a9c045b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FI3gq62.exe

Filesize
737KB

MD5
eb38e31f85aed830e5417be5e66c3332

SHA1
1109e1aed9f7e5f2dde0a01f4ad2c34e34124e61

SHA256
abed45fcf32b29e53a86caa1af2a3e4110a2a601365b5eb7f3b4860e5d1f134a

SHA512
d3a1229968298fce3ee9bd1d73a048771542a451ae1baf704584357da5b56e2f11191088bb2ace5801489041312f3183afde580d5ff2678a4df91cce7b9eb6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xl958hh.exe

Filesize
339KB

MD5
ceab6d7b32ee2f321c1b5a6ff5974bc1

SHA1
088471024b97d9e6a0745c04988f56d63ace564b

SHA256
7a32fc8a5ae6b56f78a2428df6502d88c69de9e54c26e4235f3a86814a55ae5b

SHA512
0a392fef62deae104c25491859c555f542a19ad4ecc621ae833515bb218562771487b48a051cb7fcc2e8e0f5d05cb6382de6fdff696098d52e47d4d5b65523b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\db2FL06.exe

Filesize
502KB

MD5
fc22e38ab629c20ddf2f3b9c7be5b033

SHA1
7aa8c002df5b16521884daccc13338e2c382d932

SHA256
386bc59396ea12ee20709565e4e2f8b51d6be38d84637668064882d78c1fb477

SHA512
38b0fe7f36ec58cf1b00d31ac03c15ee8c6ca7841502ca596c5c40ba96f1b2a938f883fbb4ffbacb27e336fa14cab55496735518afa3434e6bfe29d133ee0563

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yf84jj.exe

Filesize
148KB

MD5
4eb3061e5a50c086c05cb65b56f62b0c

SHA1
32321fd1ab6ae4de709d8510e17e84fe901e9e96

SHA256
e4376ea14db956de0e3bf7fbb625dbe787f9f959b959f74efc27ae603b053f99

SHA512
49c3bbb69c0c4b80e8f0a56f9d1753b8856544d8e84e3b803f15640b5578d73b82276d1f529f74e2e8ca51b3e99ce87105d5b3d4eca49436abb6b25fe0770559

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ta8tZ82.exe

Filesize
317KB

MD5
6f3e9b8927e76edce253f4019f44015d

SHA1
5405db793ee440e1b2d31d39dd7f12e572f73acf

SHA256
741f2c012c1489a7563d9f332eb8cfadd7673983d59006d09dec5a86a49ef5ca

SHA512
c59244d024a37487ff592970e2339043c410b40f217d3d5d1f2d7ace159feda0daf2bc68ab4ccb51ec14f43e1e16e3b42dab7530c49e81d9f0f6ba29c5576738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1xy55nF7.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ev9506.exe

Filesize
298KB

MD5
2fa1d252aebab8694d7acac396e39a11

SHA1
8b546f55e262002d2feadc9e608145ecb8bb3b45

SHA256
0923a6fb53240bd2c207fb8f4994d0424d7554cf1ad6991d76807eee8d2185e7

SHA512
9551dc943ac781cebedf7c11e6671d234b66c1f907b87024307c00a88433c1ecec75e2afcc0d5b4bcd374cf9771c8a2daa2c11b9ab4bc08aa88ccb881bd96e51

Download Submit
memory/2540-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2540-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3612-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3612-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3612-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3612-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3748-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3748-64-0x0000000007E60000-0x0000000007EAC000-memory.dmp

Filesize
304KB

Download
memory/3748-50-0x00000000737D0000-0x0000000073F80000-memory.dmp

Filesize
7.7MB

Download
memory/3748-51-0x00000000077A0000-0x0000000007D44000-memory.dmp

Filesize
5.6MB

Download
memory/3748-52-0x00000000072A0000-0x0000000007332000-memory.dmp

Filesize
584KB

Download
memory/3748-53-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3748-57-0x00000000073A0000-0x00000000073AA000-memory.dmp

Filesize
40KB

Download
memory/3748-66-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3748-59-0x0000000008370000-0x0000000008988000-memory.dmp

Filesize
6.1MB

Download
memory/3748-60-0x0000000007D50000-0x0000000007E5A000-memory.dmp

Filesize
1.0MB

Download
memory/3748-65-0x00000000737D0000-0x0000000073F80000-memory.dmp

Filesize
7.7MB

Download
memory/3748-61-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/3748-63-0x0000000007720000-0x000000000775C000-memory.dmp

Filesize
240KB

Download
memory/4888-29-0x0000000073C60000-0x0000000074410000-memory.dmp

Filesize
7.7MB

Download
memory/4888-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4888-34-0x0000000073C60000-0x0000000074410000-memory.dmp

Filesize
7.7MB

Download