Analysis
-
max time kernel
339s -
max time network
344s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
06-07-2024 18:11
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.mediafire.com/folder/m2y78v01hc7nu/ex-peng
Resource
win10v2004-20240704-en
General
-
Target
https://www.mediafire.com/folder/m2y78v01hc7nu/ex-peng
Malware Config
Extracted
redline
185.196.9.26:6302
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/4524-450-0x0000000000410000-0x0000000000460000-memory.dmp family_redline -
Loads dropped DLL 2 IoCs
pid Process 6076 crispylake-2.exe 5764 crispylake.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 6076 set thread context of 4524 6076 crispylake-2.exe 127 PID 5764 set thread context of 5752 5764 crispylake.exe 133 -
Program crash 1 IoCs
pid pid_target Process procid_target 6052 5708 WerFault.exe 122 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
pid Process 4640 msedge.exe 4640 msedge.exe 4100 msedge.exe 4100 msedge.exe 5160 identity_helper.exe 5160 identity_helper.exe 5532 msedge.exe 5532 msedge.exe 5532 msedge.exe 5532 msedge.exe 3696 msedge.exe 3696 msedge.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 5752 MSBuild.exe 4524 MSBuild.exe 4524 MSBuild.exe 4524 MSBuild.exe 4524 MSBuild.exe 4524 MSBuild.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
pid Process 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 5752 MSBuild.exe Token: SeBackupPrivilege 5752 MSBuild.exe Token: SeSecurityPrivilege 5752 MSBuild.exe Token: SeSecurityPrivilege 5752 MSBuild.exe Token: SeSecurityPrivilege 5752 MSBuild.exe Token: SeSecurityPrivilege 5752 MSBuild.exe Token: SeDebugPrivilege 4524 MSBuild.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe 4100 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4100 wrote to memory of 3008 4100 msedge.exe 82 PID 4100 wrote to memory of 3008 4100 msedge.exe 82 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 2724 4100 msedge.exe 84 PID 4100 wrote to memory of 4640 4100 msedge.exe 85 PID 4100 wrote to memory of 4640 4100 msedge.exe 85 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86 PID 4100 wrote to memory of 2180 4100 msedge.exe 86
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/m2y78v01hc7nu/ex-peng1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa648946f8,0x7ffa64894708,0x7ffa648947182⤵PID:3008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵PID:2724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:82⤵PID:2180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵PID:2088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:3100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵PID:4760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵PID:1868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:12⤵PID:428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:12⤵PID:2572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:12⤵PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:12⤵PID:2564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:12⤵PID:2408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:12⤵PID:3324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:12⤵PID:2172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:82⤵PID:4680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7560 /prefetch:82⤵PID:5172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:12⤵PID:5180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:12⤵PID:5504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:12⤵PID:5512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:12⤵PID:5832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:12⤵PID:5840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6748 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,6257036418435057207,10292267709016686962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3696
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4380
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3536
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4636
-
C:\Users\Admin\Downloads\brownmouse\brownmouse\crispylake-2.exe"C:\Users\Admin\Downloads\brownmouse\brownmouse\crispylake-2.exe"1⤵PID:5708
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 10042⤵
- Program crash
PID:6052
-
-
C:\Users\Admin\Downloads\brownmouse\brownmouse\crispylake-2.exe"C:\Users\Admin\Downloads\brownmouse\brownmouse\crispylake-2.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:6076 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5708 -ip 57081⤵PID:3776
-
C:\Users\Admin\Downloads\brownmouse\brownmouse\crispylake.exe"C:\Users\Admin\Downloads\brownmouse\brownmouse\crispylake.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:5764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5752
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5f57bf6e78035d7f9150292a466c1a82d
SHA158cce014a5e6a6c6d08f77b1de4ce48e31bc4331
SHA25625a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415
SHA512fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f
-
Filesize
152B
MD5fbc957a83b42f65c351e04ce810c1c11
SHA178dcdf88beec5a9c112c145f239aefb1203d55ad
SHA2567bb59b74f42792a15762a77ca69f52bf5cc4506261a67f78cd673a2d398e6128
SHA512efad54eb0bd521c30bc4a96b9d4cb474c4ca42b4c108e08983a60c880817f61bc19d97538cc09a54b2db95ab9c8996f790672e19fb3851a5d93f174acdfac0ce
-
Filesize
152B
MD55b6ff6669a863812dff3a9e76cb311e4
SHA1355f7587ad1759634a95ae191b48b8dbaa2f1631
SHA256c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906
SHA512d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e
-
Filesize
211KB
MD5151fb811968eaf8efb840908b89dc9d4
SHA17ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA51283aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD59e41cac6f45b159b1a7a50c59d4c5c7b
SHA1075b5f6662d3afaa01572897863b4e33abc3550a
SHA256fc562feda2d8911605b29b4795bb54344253714f5a005604f7c6344324d9bffc
SHA5129403fb78973d0c6e20655cb19df05a68c7820574b03092b350ff6ac337b2ed11b1cb85dd63fe1a7c8ebf9c35e01137eade6e649e1e4629cd873478b36b027441
-
Filesize
36KB
MD525d3691dda546c214faa9cedbce0ca81
SHA1892a49bc11daa391b6ec0f0d7bcfd4946f36669d
SHA256af67922ede49fcb14e9ce4c641f0fca121a7808820109541ef51773108c13ee8
SHA512456ba4895f1d306b8bb1adc16651cd9ed5e8008d149f7672b0ab33a363cad419a8034e2ef1441061511bd3b9acf1b7ba2dbc62221df8bf4b85b23b5970fd98c0
-
Filesize
9KB
MD5615020fb8322670be2ad47dac51b6f1b
SHA11c467848abca134e2288cb7e94914ad98a1e2513
SHA25620f3032f1745915f7dec10ef6653849c6ad4ff23721bf2cbd8cdc41456a0967c
SHA5128102c02776abfd8bb81e9ac4a18e50175e225ab6daa3ea81916c8ed673ebfcd1d32d3b8a0bb354c413e5e9f9c55507bafb3e0362db35cdd42e500186f652eda4
-
Filesize
8KB
MD5855ec8d05a7faf141ca2a8c2ec5f7fc7
SHA18d8e6f5eb031cf4c90075670129dc4977bdcbff3
SHA256249f4266605892c6109ce29e3cf5cb245c7bcc0d375caa6e7f00d65bb51ea9a3
SHA512daf98f27f9bfb0332b552e9e44e8ba0fb0382492210d8777829f133cdf93ee11a3b2baeb4731d27e9f35ca2b98deeed6b3c10243033306c4fdc69f7a91e60212
-
Filesize
12KB
MD5ba4c9db4e1d246060d327be32429bc50
SHA1a3480d96170c77db11a21ba85caa9ecd9dc429b6
SHA2560875a96452a25a1351ba1c3b1b17e24cbf9f842c745d3d2d499254f5cf07734a
SHA512f009d4e262db4fdc4cd36272bd9dd09929622d903867ebaf584a78059f2f19cac215917f9c117849e79acffa49bf4682d7bc147524c18b5102a3379da167319a
-
Filesize
3KB
MD5b2b850dd1c0b701dd60498807b7ed279
SHA118674a07d8646d48ac35cace6279e797212e2785
SHA256ef88b8c1d11c71fb1d85f6228f7bb4e49650ae098708324dfe65d9b438eb7dba
SHA512fb3d6f799e44b89a193775bcbb576dd10efcdd6dfb96b937d0ca23b3ec97bb0158dfd05fe9e7adb645b0a8e9c48907bc11d0c77b4f31d72f635f078984ea656c
-
Filesize
1KB
MD563ad4fae881db20ac79106d5511d02f4
SHA1c81621f3abf239701ae1d4a4195df6251ba3e371
SHA25692d427c1c13ed01690a83bb2244b141d6e37c4c30be7076e2eb15079c449b624
SHA512215def4d9704e5f9a8055b98575d72becdda1e2b95f779f7085edd17c4ef04ce2d6ca256dfe47aa14c7551993c856e749dc5c250cf4521bfbe9e999444c80678
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp
Filesize16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fd9616ac-fae2-4fd7-b32c-abd72661e0ba.tmp
Filesize6KB
MD56472423167aab7307ff917ede8184679
SHA195474e256adcb1ee45f137cdc577948b9c6ab453
SHA2568fa9d9dd0bd6b320cf1126ce33ffb5c3f1ca5aa868d0869252eb883ea6256292
SHA512a0a2e23790a08a4e4f6b7d2fe2e6923875c46241e56867418ef0d0dee981bfb4f9cbdcf07bc06ce67334ca069a739a325807200888a6ee08aeb37b5eda86edc9
-
Filesize
11KB
MD5af67f3468d11603a968abfa17fe6833c
SHA16ddefda9fc753aa5a0db40b9da24227625cfc451
SHA256a8d067639cf4be42ca3b70e36d328af1d076302c1caadaa88fcea43c4dcdb66e
SHA5122346e7ba07d6126cf1dce0714fa7dde89cc3f822f773fc813e0adb2a1e3c4ce2cf3c0c638031a846133ef96b639e3ef8b7b602758868abf92eafa7444a997c62
-
Filesize
12KB
MD53e3fd2eaac40ba619e177dd05a8d323f
SHA1daf9ffba01aea06c6e32a304e9362536a8b6f0e1
SHA256198fe24000a4acaaa03b7e42e31c146ccaabbd0752f29ca14e7f58e2190a645d
SHA512e1db90836d041337d067babf9c8790ed54c2f75d272b4b9d41f4c57693cde38c6ff048f72f3d4760b6a931e6a56b6bf168bb3bb636aaf0d5c8ab47558b9dd70f
-
Filesize
429KB
MD5270a6ebd3e43dc56434536bb1ebac0fd
SHA14bdc90176c08cf369ab10640de61d1e34f642ab9
SHA256cffb5d21ffd3a52b3099fb51fe14d2a4220e616a551e3c27f6e61f1fc1b623b6
SHA5121a10af2d9c6c2f8769e6b10b1abf6f0c9a8e857c5cbb58e1aa0f9c742fbc8483804f84cc292e8065bd27d7ec2d6e27bc77088f0173373077dd2acc6958796ea0
-
Filesize
595KB
MD5404c16d69b0fe8b907bf852eb7f1b80b
SHA1079a63d8efe3e8a6001caca2b2be8ec284e6710c
SHA25690124b61ae2b59f4b5433e2ecd7287b0b0237f8265c18270b291cff1dd7746d4
SHA5128d490194b0efd9031f2e97069abf04f7676b923604f1c330857ebfcfa44ebc0b61092b03587aaeac2dd502f1e9c6da0e8d65f4f1e679f8778ac1fcffcf2ccf05