redline | hxxps://github[.]com/JokerSoftw/Joker/releases/download/CoinTool/Btc-Tools[.]zip

Analysis

max time kernel
73s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/JokerSoftw/Joker/releases/download/CoinTool/Btc-Tools.zip

Score

10^/10

redline discovery execution infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1280-183-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

5220 powershell.exe
5684 powershell.exe
3224 powershell.exe
5220 powershell.exe
5684 powershell.exe
3224 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

driver1.exedriver1.exedriver1.exe

pid process

5004 driver1.exe
5832 driver1.exe
2940 driver1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
5220	powershell.exe
5684	powershell.exe
3224	powershell.exe
5220	powershell.exe
5684	powershell.exe
3224	powershell.exe

pid	process
5004	driver1.exe
5832	driver1.exe
2940	driver1.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

driver1.exedriver1.exedriver1.exe

description	pid	process	target process
PID 5004 set thread context of 1280	5004	driver1.exe	RegAsm.exe
PID 5832 set thread context of 3904	5832	driver1.exe	RegAsm.exe
PID 2940 set thread context of 1428	2940	driver1.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5768 schtasks.exe
5116 schtasks.exe
6092 schtasks.exe
3968 schtasks.exe

pid	process
5768	schtasks.exe
5116	schtasks.exe
6092	schtasks.exe
3968	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 7 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	67	Go-http-client/1.1
HTTP User-Agent header	68	Go-http-client/1.1
HTTP User-Agent header	73	Go-http-client/1.1
HTTP User-Agent header	74	Go-http-client/1.1
HTTP User-Agent header	82	Go-http-client/1.1
HTTP User-Agent header	83	Go-http-client/1.1
HTTP User-Agent header	66	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exeRegAsm.exepowershell.exeRegAsm.exepowershell.exeRegAsm.exe

pid	process
3276	msedge.exe
3276	msedge.exe
3908	msedge.exe
3908	msedge.exe
2888	identity_helper.exe
2888	identity_helper.exe
1212	msedge.exe
1212	msedge.exe
5220	powershell.exe
5220	powershell.exe
5220	powershell.exe
1280	RegAsm.exe
1280	RegAsm.exe
1280	RegAsm.exe
1280	RegAsm.exe
5684	powershell.exe
5684	powershell.exe
5684	powershell.exe
3904	RegAsm.exe
3904	RegAsm.exe
3224	powershell.exe
3224	powershell.exe
3224	powershell.exe
1428	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3908 msedge.exe
3908 msedge.exe
3908 msedge.exe
3908 msedge.exe
3908 msedge.exe
3908 msedge.exe
3908 msedge.exe
3908 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exewmic.exeRegAsm.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeIncreaseQuotaPrivilege	4916	wmic.exe
Token: SeSecurityPrivilege	4916	wmic.exe
Token: SeTakeOwnershipPrivilege	4916	wmic.exe
Token: SeLoadDriverPrivilege	4916	wmic.exe
Token: SeSystemProfilePrivilege	4916	wmic.exe
Token: SeSystemtimePrivilege	4916	wmic.exe
Token: SeProfSingleProcessPrivilege	4916	wmic.exe
Token: SeIncBasePriorityPrivilege	4916	wmic.exe
Token: SeCreatePagefilePrivilege	4916	wmic.exe
Token: SeBackupPrivilege	4916	wmic.exe
Token: SeRestorePrivilege	4916	wmic.exe
Token: SeShutdownPrivilege	4916	wmic.exe
Token: SeDebugPrivilege	4916	wmic.exe
Token: SeSystemEnvironmentPrivilege	4916	wmic.exe
Token: SeRemoteShutdownPrivilege	4916	wmic.exe
Token: SeUndockPrivilege	4916	wmic.exe
Token: SeManageVolumePrivilege	4916	wmic.exe
Token: 33	4916	wmic.exe
Token: 34	4916	wmic.exe
Token: 35	4916	wmic.exe
Token: 36	4916	wmic.exe
Token: SeIncreaseQuotaPrivilege	4916	wmic.exe
Token: SeSecurityPrivilege	4916	wmic.exe
Token: SeTakeOwnershipPrivilege	4916	wmic.exe
Token: SeLoadDriverPrivilege	4916	wmic.exe
Token: SeSystemProfilePrivilege	4916	wmic.exe
Token: SeSystemtimePrivilege	4916	wmic.exe
Token: SeProfSingleProcessPrivilege	4916	wmic.exe
Token: SeIncBasePriorityPrivilege	4916	wmic.exe
Token: SeCreatePagefilePrivilege	4916	wmic.exe
Token: SeBackupPrivilege	4916	wmic.exe
Token: SeRestorePrivilege	4916	wmic.exe
Token: SeShutdownPrivilege	4916	wmic.exe
Token: SeDebugPrivilege	4916	wmic.exe
Token: SeSystemEnvironmentPrivilege	4916	wmic.exe
Token: SeRemoteShutdownPrivilege	4916	wmic.exe
Token: SeUndockPrivilege	4916	wmic.exe
Token: SeManageVolumePrivilege	4916	wmic.exe
Token: 33	4916	wmic.exe
Token: 34	4916	wmic.exe
Token: 35	4916	wmic.exe
Token: 36	4916	wmic.exe
Token: SeDebugPrivilege	1280	RegAsm.exe
Token: SeDebugPrivilege	5684	powershell.exe
Token: SeIncreaseQuotaPrivilege	4508	wmic.exe
Token: SeSecurityPrivilege	4508	wmic.exe
Token: SeTakeOwnershipPrivilege	4508	wmic.exe
Token: SeLoadDriverPrivilege	4508	wmic.exe
Token: SeSystemProfilePrivilege	4508	wmic.exe
Token: SeSystemtimePrivilege	4508	wmic.exe
Token: SeProfSingleProcessPrivilege	4508	wmic.exe
Token: SeIncBasePriorityPrivilege	4508	wmic.exe
Token: SeCreatePagefilePrivilege	4508	wmic.exe
Token: SeBackupPrivilege	4508	wmic.exe
Token: SeRestorePrivilege	4508	wmic.exe
Token: SeShutdownPrivilege	4508	wmic.exe
Token: SeDebugPrivilege	4508	wmic.exe
Token: SeSystemEnvironmentPrivilege	4508	wmic.exe
Token: SeRemoteShutdownPrivilege	4508	wmic.exe
Token: SeUndockPrivilege	4508	wmic.exe
Token: SeManageVolumePrivilege	4508	wmic.exe
Token: 33	4508	wmic.exe
Token: 34	4508	wmic.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exe

pid	process
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

msedge.exe

pid	process
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe
3908	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3908 wrote to memory of 2500	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2500	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 2964	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 3276	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 3276	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe
PID 3908 wrote to memory of 1400	3908	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/JokerSoftw/Joker/releases/download/CoinTool/Btc-Tools.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceba246f8,0x7ffceba24708,0x7ffceba24718
2⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
2⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
2⤵
PID:1400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
2⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
2⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5692 /prefetch:8
2⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
2⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
2⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10865399046777445363,5082919939330649323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
2⤵
PID:1360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5872

C:\Users\Admin\Desktop\Btc-Tools\Loader.exe
"C:\Users\Admin\Desktop\Btc-Tools\Loader.exe"
1⤵
PID:6128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\ProgramData\driver1.exe
C:\ProgramData\driver1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\schtasks.exe
schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:5768

C:\Users\Admin\Desktop\Btc-Tools\Loader.exe
"C:\Users\Admin\Desktop\Btc-Tools\Loader.exe"
1⤵
PID:5584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\ProgramData\driver1.exe
C:\ProgramData\driver1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3904

C:\Windows\system32\schtasks.exe
schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:5116

C:\Users\Admin\Desktop\Btc-Tools\Loader.exe
"C:\Users\Admin\Desktop\Btc-Tools\Loader.exe"
1⤵
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3224

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
2⤵
PID:5908

C:\ProgramData\driver1.exe
C:\ProgramData\driver1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Windows\system32\schtasks.exe
schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\driver1.exe

Filesize
438KB

MD5
9741a170f0346e838f54bc0d573cb5f0

SHA1
222af98afb6f96861a1c412ad0929f35aaf48990

SHA256
17558b2703f0b74bf078792b34d2da9b9a21a5995a61b6469ec534ef0a530502

SHA512
f197d3a3bddaea81fbf0161546bf98765c8558f9125b2c6f769c58ec0312c8e9889c5c979a33b1f67e93eb145f811ea17f3eca110457801ff82a1c0fcaebd3d2

Download Submit
C:\ProgramData\driver1.rar

Filesize
350KB

MD5
d7879ccd13dcbbd29ac415b36f9f99e7

SHA1
2bc61a979927654309aa444b661cebbaa0f3c331

SHA256
37ca63246af667e88b76b4c5fce589a8c2ea3a9d98593e3c6dee0baba1529f9e

SHA512
f15aa04573d395346555b56dcc001ea4f7f0a01b4ebcbd9697bb4649545055b0b339388275105079f7ac9657d2a2313bb0e22312d802fc539f18b7e240c49151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
60ad21e008a8447fc1130a9c9c155148

SHA1
5dfa21d14dc33de3cc93a463688fe1d640b01730

SHA256
bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9

SHA512
42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\76194e17-3d37-4b5b-a0ba-dc32f8c2c01d.tmp

Filesize
6KB

MD5
51d499d11d23fc84dbc6c2a6cefb696d

SHA1
069c55a06ba73875148dc7776aa44661be83dd90

SHA256
1a8139de7b3b45186b65d86485ac75659433e193b10a8884dece93a8bfcdd64d

SHA512
fe6838fd89570290be4003e1d96b68216f249dcb705375751d5ccb55e2d8dc0b98c9d081e8353d140246ed9fb2625788588d6b7e4a1461e343fd584edc1ff487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85ba2c89fc2ac1faf0c48d6b7473e71a

SHA1
1c6c36a85aecbaeb256790c89d124fcba120fb8b

SHA256
660a40f72863ae272041f9146493b41f52dedcf04666a863408090221d58e94f

SHA512
49fe337b3992e28440a277a36db94c9c80f2c8595ba11a8511d52d7d7f9765b1bd73bd92775b6d7f63dfd2484621b6cc35d5b66039012e1c71c9e3ee142e4cb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
276ae895a86a7fa343f56b2cf3b9b7ef

SHA1
d33cd670172b45edf1cf7395c5df7397c3ef7356

SHA256
7bfb48c12d42b2d5520bc02487df9d7a8f10f08556a67d5436dfdcd926e925d8

SHA512
8ae02569170a609c934c7b323df41fd37ab1dc790096e24dfdeb7fc366f9a9eec742b91bb61d8b687c7d92e033e152b234876953a1037283253515bd7a35c0b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f76a0c17f259f176ea9ea873564e848

SHA1
2d3269e1e981a1f12324cc24995667d35b7b7cf1

SHA256
47d3864ecd58318939333bb5c1572b9291492ff6ddcd98bd3ff1029ccec4328c

SHA512
603e6c621f3bdec8d787838878a7f4a387e6c9c1f4eafacd51ba9b9e814b06142e3b51194109895a0246f1e8e13b75067547970ecd9c8185fa033d773143be35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
70a9aefb0810263dfcdd28a719ee8b2e

SHA1
50542082fe3a8cac99227afa2ef93467580ee55d

SHA256
7f9aa67b732455ee4ce3783bc216864e485a9adbe88b7c15137b1fd74e27dd2b

SHA512
2536deaa2a7637a3dd1550646bb60277c5e12e14540338848526788ebd54da5daf391b463bb07ed1ce89adaca155325bfe5db24f842d5b70309005555ab4a59b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hcoqeyn.jyy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 259178.crdownload

Filesize
15.9MB

MD5
a7c8d9364b29015f1afd057b7a311fd5

SHA1
88560cebc6e5ae5d547e432f9a9e5044e724bda4

SHA256
47dd5cea0d653b63dd804d4038a967acadf628e57ba9c0b4ba37856d448348f2

SHA512
f38b30d6d92542dc0057594a8b2ad8dbdcb5f1a72f12823daf146a64c6e907af0baca8e3e7fac4a2d76808c4791635f29dcb9b242881b0419ce1a26c6d45b2d3

Download Submit
\??\pipe\LOCAL\crashpad_3908_UUREGUBFNEJZZPDQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1280-186-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/1280-195-0x0000000006E80000-0x0000000006E9E000-memory.dmp

Filesize
120KB

Download
memory/1280-188-0x0000000006EA0000-0x00000000074B8000-memory.dmp

Filesize
6.1MB

Download
memory/1280-189-0x0000000006A10000-0x0000000006B1A000-memory.dmp

Filesize
1.0MB

Download
memory/1280-190-0x0000000006940000-0x0000000006952000-memory.dmp

Filesize
72KB

Download
memory/1280-191-0x00000000069A0000-0x00000000069DC000-memory.dmp

Filesize
240KB

Download
memory/1280-192-0x0000000006B20000-0x0000000006B6C000-memory.dmp

Filesize
304KB

Download
memory/1280-193-0x0000000006CA0000-0x0000000006D06000-memory.dmp

Filesize
408KB

Download
memory/1280-194-0x0000000007640000-0x00000000076B6000-memory.dmp

Filesize
472KB

Download
memory/1280-187-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/1280-196-0x0000000008B40000-0x0000000008D02000-memory.dmp

Filesize
1.8MB

Download
memory/1280-197-0x0000000009240000-0x000000000976C000-memory.dmp

Filesize
5.2MB

Download
memory/1280-185-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/1280-183-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2940-243-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/5004-184-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/5004-182-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/5220-168-0x000002AA30260000-0x000002AA30282000-memory.dmp

Filesize
136KB

Download
memory/5832-221-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download