redline | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbEFDTnVxWEVrVVp3NkNyeDZOcFdYZUtLT3gwQXxBQ3Jtc0trUmk0Q21CNUVTSG1EWGFRSnNOa1RfN3o3MGctczhjTXVoS1I3c0VNTUw0R0pNTGRyUmRMY3dtVkV4Szd6STNBN0tQVlB1OW9SZmVJZ1ZEN1p0Q2Rlam9kVjFETFZ1VGExYmx2ZjNIQkdiLTFyTWhtMA&q=https%3A%2F%2Fwww[.]mediafire[.]com%2Ffolder%2Fy7mocztm8ptx2%2FSoftWare%2BV1[.]12&v=QtS7bPFDN2U

Analysis

max time kernel
364s
max time network
374s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbEFDTnVxWEVrVVp3NkNyeDZOcFdYZUtLT3gwQXxBQ3Jtc0trUmk0Q21CNUVTSG1EWGFRSnNOa1RfN3o3MGctczhjTXVoS1I3c0VNTUw0R0pNTGRyUmRMY3dtVkV4Szd6STNBN0tQVlB1OW9SZmVJZ1ZEN1p0Q2Rlam9kVjFETFZ1VGExYmx2ZjNIQkdiLTFyTWhtMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fy7mocztm8ptx2%2FSoftWare%2BV1.12&v=QtS7bPFDN2U

Score

10^/10

redline zgrat discovery infostealer rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3956-167-0x00000000002C0000-0x00000000003E9000-memory.dmp	family_zgrat_v1
behavioral1/memory/948-168-0x0000000000400000-0x000000000044A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3956-174-0x00000000002C0000-0x00000000003E9000-memory.dmp	family_zgrat_v1
behavioral1/memory/3944-188-0x00000000002C0000-0x00000000003E9000-memory.dmp	family_zgrat_v1
behavioral1/memory/3944-191-0x00000000002C0000-0x00000000003E9000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/948-168-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 2 IoCs

Processes:

Software.exeSoftware.exe

pid process

3956 Software.exe
3944 Software.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3956	Software.exe
3944	Software.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Software.exeSoftware.exe

description	pid	process	target process
PID 3956 set thread context of 948	3956	Software.exe	RegAsm.exe
PID 3944 set thread context of 3060	3944	Software.exe	RegAsm.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4908 3956 WerFault.exe Software.exe
3976 3944 WerFault.exe Software.exe

pid	pid_target	process	target process
4908	3956	WerFault.exe	Software.exe
3976	3944	WerFault.exe	Software.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{6A0BB2EC-4E7F-4845-AEF9-1C19C49E965E}	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exeRegAsm.exe

pid	process
872	msedge.exe
872	msedge.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe
948	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4684 7zFM.exe

pid	process
4684	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeRestorePrivilege	4684	7zFM.exe
Token: 35	4684	7zFM.exe
Token: SeSecurityPrivilege	4684	7zFM.exe
Token: SeDebugPrivilege	948	RegAsm.exe
Token: SeDebugPrivilege	3060	RegAsm.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

4684 7zFM.exe
4684 7zFM.exe

pid	process
4684	7zFM.exe
4684	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 872 wrote to memory of 4948	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 4948	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 2852	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 4984	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 4984	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe
PID 872 wrote to memory of 5612	872	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbEFDTnVxWEVrVVp3NkNyeDZOcFdYZUtLT3gwQXxBQ3Jtc0trUmk0Q21CNUVTSG1EWGFRSnNOa1RfN3o3MGctczhjTXVoS1I3c0VNTUw0R0pNTGRyUmRMY3dtVkV4Szd6STNBN0tQVlB1OW9SZmVJZ1ZEN1p0Q2Rlam9kVjFETFZ1VGExYmx2ZjNIQkdiLTFyTWhtMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fy7mocztm8ptx2%2FSoftWare%2BV1.12&v=QtS7bPFDN2U
1⤵
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3924 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3688 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4828 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3516 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5228 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5440 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5432 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5424 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5892 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=5576 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6248 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6504 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6768 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6828 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=7056 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=7000 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7588 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7612 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7896 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7932 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:1
1⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7520 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5800 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffd7c282e98,0x7ffd7c282ea4,0x7ffd7c282eb0
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2264 --field-trial-handle=2260,i,2363458859654624889,8335689358054605369,262144 --variations-seed-version /prefetch:2
2⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2296 --field-trial-handle=2260,i,2363458859654624889,8335689358054605369,262144 --variations-seed-version /prefetch:3
2⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2556 --field-trial-handle=2260,i,2363458859654624889,8335689358054605369,262144 --variations-seed-version /prefetch:8
2⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2260,i,2363458859654624889,8335689358054605369,262144 --variations-seed-version /prefetch:8
2⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2260,i,2363458859654624889,8335689358054605369,262144 --variations-seed-version /prefetch:8
2⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=560 --field-trial-handle=2260,i,2363458859654624889,8335689358054605369,262144 --variations-seed-version /prefetch:8
2⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4168 --field-trial-handle=2260,i,2363458859654624889,8335689358054605369,262144 --variations-seed-version /prefetch:8
2⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2260,i,2363458859654624889,8335689358054605369,262144 --variations-seed-version /prefetch:8
2⤵
PID:5600

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\SoftWare V1.12.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4684

C:\Users\Admin\Desktop\lmao\Software.exe
"C:\Users\Admin\Desktop\lmao\Software.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 344
2⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3956 -ip 3956
1⤵
PID:5688

C:\Users\Admin\Desktop\lmao\Software.exe
"C:\Users\Admin\Desktop\lmao\Software.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 284
2⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3944 -ip 3944
1⤵
PID:3236

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
ea0095358d24ec3f40fafb3bd04d54b5

SHA1
7b9ca8e2c46e50de873922d4886773d845e96565

SHA256
85de92df83c6c66867417cefdc987e2dbc1a0c873125f39d00d55ed2b99bc8cc

SHA512
222707042587a8b99c5529656da0d318cacc5289a1650b42f9e7e2d0425cc9ecec37a9b14c2c3833ae79d828cb943a0c4578a49fdfc13b7fe3adc0fce162c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
13KB

MD5
aff70fa07dc3b3ebc757bf244c9e3275

SHA1
b7dbe6a9709179e05363a92a52f61d1d60d21e07

SHA256
f3a787600061e5c797512cd849341243cd2b96f1769b0ce5241530da7d758f85

SHA512
b2410090b47cc71ec276300553bfde2f522e22348f26fa9c81a33092c66e46a345a0e0cbe97a906863b281a2c428f562ed87dc649acb454667060ae544dcf9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
16KB

MD5
90133f468f54434ba4e4c541f97a22e2

SHA1
e68bc7ca452f2d0daf65bf34397767fa338a1378

SHA256
3f3d09b41beba7b9d64a040bf2712682e64bbb437cd8fb5e80f77c89d67a7174

SHA512
9ddcf6bb4aabe1ab2aa9eb109ee45c52123ba193b41194285e5b358cda18ea7842ee7b53615b745cd35aa84f6d6fb8ddd74d2af7e739ffe9beab9615f8d229ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
30KB

MD5
83c4f68b891a311a19d444435df6f797

SHA1
0b78958f1397db498a133e689ad16f9c75e615d6

SHA256
4cbb65a4faefdee10ad73787b11732b6f4c8b85efce46d4e36d93b16278d9240

SHA512
171458358b83733be0967c7c1c3aaeed1893670ea1d17ded26b8f88f2ed05ccb85cc007b01e5ec2f0a2cf3ff7ed66bc8f54faa6e664de0ab135d37b39d1f9047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
83KB

MD5
8694b275d2b62baeee6b5f15ecbe582f

SHA1
6a66a4cfbdf575111b0a079dea880c23a156ad6d

SHA256
380839c1a98cf8c72bcdde91165dc1ec1fc53acc94f8c433b2143fac8b10d9cd

SHA512
487131732bb69a0e936094077c0a684ebb9ba70c834035f2de67040872abb2e7623b42e56d7fc2441ccd8ac0d4fa7024ddf8f6297d7c861e98b075002c500754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
46KB

MD5
1de898ec1cf6476ab2a5f5cb3bc24e9b

SHA1
7796b0eab424fb78b09a0b260312d4a621ab0ceb

SHA256
ffd6b7182cdc18bb0f3500ccbcabf004f6e2873e96ad77e12a44f0be50b3dea7

SHA512
8cbf17a17fce7c9b474100d43c6caf4b56c44d45946623e6d55405d7674f9c37eb666b55b023a484370b58ee536be6945f0e697af264cf131278c96f3c56ea7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
94KB

MD5
bd86c60b165c2477fca6b9a4581ae0c6

SHA1
97f9ce0c71d23396eb7131b920f37a2112e198ae

SHA256
c6b3b3fa6b8c588d3efb740d8fc59e5e1331220f5acedc5724b59aaedbef0d8c

SHA512
b299de4ce74ccae5f581ae3fabb4d4c6be7dd6a4b343350de065c1e44cd1448b1b1f1bb8e2c2b43ba41a43041a9e1fe6cebd6900624f8fa64e7940a01b02342f

Download Submit
C:\Users\Admin\Desktop\lmao\Software.exe
Filesize
1.2MB

MD5
4c61e48f683dd00cb21cfcdadf915ad5

SHA1
013413299ceb4692a075cfc12802034e091beeb8

SHA256
ad47993928727bd24355a2be4f3ab00709e89e2c0cf01c9e865265b26ea5880d

SHA512
032ae6ebe49cca8d397c19ab902557c3f75d57a9dfb6f605a582e004fc3492607b4b162961bc0aa8a30673b8f2487e7acb0499e4a3e6d5b3b1bf7a29d4157cdb

Download Submit
\??\pipe\crashpad_872_IAUUKVJVFXTGUAIU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/948-183-0x0000000009060000-0x0000000009222000-memory.dmp

Filesize
1.8MB

Download
memory/948-184-0x0000000009760000-0x0000000009C8C000-memory.dmp

Filesize
5.2MB

Download
memory/948-170-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/948-171-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/948-172-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/948-173-0x0000000005B20000-0x0000000005B2A000-memory.dmp

Filesize
40KB

Download
memory/948-193-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/948-175-0x0000000006FA0000-0x00000000075B8000-memory.dmp

Filesize
6.1MB

Download
memory/948-176-0x0000000006B00000-0x0000000006C0A000-memory.dmp

Filesize
1.0MB

Download
memory/948-177-0x0000000006A30000-0x0000000006A42000-memory.dmp

Filesize
72KB

Download
memory/948-178-0x0000000006A90000-0x0000000006ACC000-memory.dmp

Filesize
240KB

Download
memory/948-179-0x0000000006C10000-0x0000000006C5C000-memory.dmp

Filesize
304KB

Download
memory/948-180-0x0000000006D10000-0x0000000006D76000-memory.dmp

Filesize
408KB

Download
memory/948-181-0x00000000076C0000-0x0000000007736000-memory.dmp

Filesize
472KB

Download
memory/948-182-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

Filesize
120KB

Download
memory/948-168-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/948-169-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/948-192-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3060-189-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3060-190-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/3944-188-0x00000000002C0000-0x00000000003E9000-memory.dmp

Filesize
1.2MB

Download
memory/3944-191-0x00000000002C0000-0x00000000003E9000-memory.dmp

Filesize
1.2MB

Download
memory/3956-167-0x00000000002C0000-0x00000000003E9000-memory.dmp

Filesize
1.2MB

Download
memory/3956-174-0x00000000002C0000-0x00000000003E9000-memory.dmp

Filesize
1.2MB

Download