redline | hxxps://gofile[.]io/d/EZPoJ6

Analysis

max time kernel
140s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/EZPoJ6

Score

10^/10

redline sectoprat cheat discovery infostealer pyinstaller rat trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

191.96.207.95:27157

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023545-169.dat	family_redline
behavioral1/memory/972-177-0x0000000000330000-0x000000000034E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023545-169.dat	family_sectoprat
behavioral1/memory/972-177-0x0000000000330000-0x000000000034E000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	alocal.dll
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	alocal.dll
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	alocal.dll

Executes dropped EXE 11 IoCs

pid	Process
5904	Maku_PTO.exe
6080	vshost.exe
6100	alocal.dll
5128	winst.exe
972	build.exe
5972	Maku_PTO.exe
5848	alocal.dll
4844	build.exe
4832	Maku_PTO.exe
5236	alocal.dll
4984	build.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000023551-241.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maku_PTO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maku_PTO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maku_PTO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alocal.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alocal.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alocal.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Taskmgr.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4352	msedge.exe
4352	msedge.exe
3808	msedge.exe
3808	msedge.exe
2188	identity_helper.exe
2188	identity_helper.exe
5368	msedge.exe
5368	msedge.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
3896	msedge.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	5716	7zG.exe
Token: 35	5716	7zG.exe
Token: SeSecurityPrivilege	5716	7zG.exe
Token: SeSecurityPrivilege	5716	7zG.exe
Token: SeDebugPrivilege	972	build.exe
Token: SeDebugPrivilege	4844	build.exe
Token: SeDebugPrivilege	4984	build.exe
Token: SeDebugPrivilege	6008	Taskmgr.exe
Token: SeSystemProfilePrivilege	6008	Taskmgr.exe
Token: SeCreateGlobalPrivilege	6008	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
5716	7zG.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe
6008	Taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 3164	3808	msedge.exe	84
PID 3808 wrote to memory of 3164	3808	msedge.exe	84
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 3716	3808	msedge.exe	85
PID 3808 wrote to memory of 4352	3808	msedge.exe	86
PID 3808 wrote to memory of 4352	3808	msedge.exe	86
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87
PID 3808 wrote to memory of 2144	3808	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/EZPoJ6
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab34b46f8,0x7ffab34b4708,0x7ffab34b4718
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2060510929691345094,13477786234823440409,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5576

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\" -spe -an -ai#7zMap1845:122:7zEvent7108
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5716

C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\Maku_PTO.exe
"C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\Maku_PTO.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5904
- C:\ProgramData\vshost\vshost.exe
  C:\ProgramData\\vshost\\vshost.exe ,.
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6080
- C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\alocal.dll
  alocal.dll
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- C:\ProgramData\winst\winst.exe
  C:\ProgramData\\winst\\winst.exe OpyTxsBXKmgom2FlOiiKHRIgYBcUbcaB1AsIFEsxxEadDPANhjtXUpGyuPUY5AiB
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5128

C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\Maku_PTO.exe
"C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\Maku_PTO.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5972
- C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\alocal.dll
  alocal.dll
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5848
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\build.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4844

C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\Maku_PTO.exe
"C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\Maku_PTO.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4832
- C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\alocal.dll
  alocal.dll
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\build.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4984

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vshost.lnk

Filesize
493B

MD5
29a978468ca21adf7a2306fed4c085d1

SHA1
192d0a23292eeae8e9c625d0cde7197887cf795a

SHA256
566bde2411a128b5ef5983e576fc297508df8bf41d1bb2a301a23723e6f77b0c

SHA512
fdcacb5d123f1df6655e96b76a49b16fe69e54933960bf545dc8555fbf4f063a01663067d754c8413e25359c191a60960286f0d3f88fdea2c85fc795e76c3380

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\winst.lnk

Filesize
603B

MD5
5ed8b112437df4141bd6013f46624626

SHA1
147952ae105613d6be8eaf5d27d6f22f34864b9e

SHA256
cf4cd4658e2174dfb0b8a11a2c6a178e4f5f8952157e212991c62663ba36f812

SHA512
c303ebb49122c14732e5ce92607ca5ce26191c30434deb9121593674273df4693f3390fb3ba6ded5b13f99c0a1521ae6b047d23b735824685047700761542aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
b74744b3357c2bfa11094db7f95439a7

SHA1
b8434281b1ccf83af043ebdc329d30a0a6c8dfb8

SHA256
ec56b0a0d8c656a18475a07dc1a6bdbbc437490ab6e99af2abad1a45231b5059

SHA512
e77a86f83b277696c00d36d08bcb851feb74a5e5406e503ed7638191b2823b1367fba392f263c14bc4969f34d5ece703c21045eff03481866e29241159b1e83c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
390B

MD5
31faa8489b5c6524fb1620b53a0ecc3d

SHA1
c4c7d737e44abca37fbd209cd9a59e6e3e9d7ea3

SHA256
ff9e0418f42f85bdd01f9e787d4a5f8bd2942f9bd0b6d463e39b4906c9253668

SHA512
7707e0e83781606ee1aa21874052857c69f07a5cacf223fe3fed8e8eea14f8248a2a8054dd2400f195986aef43660150b92a9c7b09a62a5b4e902d1b8e8756ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7109af102f7f47c6e5e9b015cba23d35

SHA1
ce262fcebae8cde60d1d24f51c3677c339e3e12f

SHA256
8a2990874a7196115fb1194a6bd305e83015a3dff2255ed231dc494a5d6ad8e8

SHA512
728d904a29c5f15a4513e213bd078f84d380196ad1d43070e8b085af0934f11fd2b8db50f8de2dee1b5e93582e89f1e2e94d46dcbbab47fd5cf9907b81bb819a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
809428b21cdc72ab2b0f93189d39d4a9

SHA1
cf23937234f2fe9a51d8a8b1c9a53633dade2af7

SHA256
10dacbbeacabf8ef22f9cc3041c95185004e95f8de3c7712e363ee6b175be4a2

SHA512
4d813872afc921532a33b0f2cfaa79daa587c4e11b2f9e09e5751f324b432a9c4390d106cd61bc88e2b0b206dd27d78e52190089e5f4fb5b24de6faee344644f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dc3bfc463ede73ccdf8e8e3863da7107

SHA1
f67890d5419be2cf27f8cfea4e4073002fa6e658

SHA256
cde8c9b21fd766aad1006df0fec175f704cb4f3660f630f7092a9581116ca570

SHA512
0234f458383fe50da007ca0c130ca9271946d60381186996201c08cfa3935cc42ea518ac4a21155d8e38613a49d75c9a8bf7c66b6a49e5d340611c26440dbda7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
19c4d2d17bc6a35795bb6e1e51f987ff

SHA1
aabc655b10b86b2c7bea0d5c98b994af3ec01237

SHA256
de36eb76b2878bc94afce6b01584f9d4c37f46086ee6ca27fc8897726e7ee7a0

SHA512
5372241fe11350142e6dfc44ca11f99df9b510664eae762dc3f24d64e6b9ec33bfcaa72ed0ab7c613fa74c7bebe429b026a03fb8efb6829a2e0f58d929fe3575

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\build.exe

Filesize
95KB

MD5
b4f75eba0edf38d489fe203f5c4426a3

SHA1
75493862ad565549715f3adc5fa4ba09981c81b5

SHA256
a0412f64345b726af93cffaaf31feaac2d269b8d64af37e23adda84f987b5b31

SHA512
6fb11cb166e20f6672f9168597c31ee761959cf3de878ff2e648bd9a99fb7b005c29b1b8e89cfea1c8ebc0844a8813a0ce4504731c154087d01a7482d94f04de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main_PTO.exe

Filesize
43.3MB

MD5
e8d9232f83f6b85fa470fd0330616eca

SHA1
08e498688377293271f104bf7af7a8f194d40f54

SHA256
6c37e5f5d35f9bf65cf0085bc307eb25d68d672095139db54d65b725e88eada8

SHA512
18f8682b37f67196b3d526adeb7519924a303ffead25c9fcea6e98f3ef46fc9e73ad8a542ffdb2f1d19c1a0364409a5ada218249a5ba84dc9ba83fa53b039b81

Download Submit
C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker.zip

Filesize
48.1MB

MD5
15e137a732f3d559c6c7b5dbe828ffb2

SHA1
ccac040218562ad3a82382136154694a69269088

SHA256
07c74ffaf64d15e8c730a87a923cb7b8b6d2ca94e653bc873fd91badebcdb44b

SHA512
8bf7ec982c0a98e7d1e5181dedec61fe42744e1ccdf2e6bd280f0b494aad6b5760ed7df334545c80c8d3e1fd5719c4fe26101296f419e9561575d255cb93d94b

Download Submit
C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\Maku_PTO.exe

Filesize
307KB

MD5
3de88a8757e4500069700760e2dc3265

SHA1
92234d19cb7d07465aabc47df6729dcea23e6ea0

SHA256
ba0dff6b16a2374683ba282edbf5c33700dd5921f52b8b946ff930e6752cb461

SHA512
3904ffbe5e6ebee866037173944b5acd5f448bf10cf5f0b789f86afd654c2df7429a45a09c9e6d32d830ac41fe7f1a02dffe2b1fe0ddf95f4570e15f20582fb7

Download Submit
C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\alocal.dll

Filesize
43.0MB

MD5
b789a7d3ddda67ef55b44f85f936727b

SHA1
958a37f235919b238c638f751dfaff7eea1a7bb5

SHA256
57b80d0b5e2afd6cdf60cc36044da439c78d065895418a4de33b44fddaded93b

SHA512
9a7cc3ff66e8157920171c1f166a4902c5c4abe4c5683b9752117974a88141484c44df77bcb9acbe8a9fdafdd379799b72738f9bce3ce3a3fd67b4d804eafdd9

Download Submit
C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\data32.dll

Filesize
238KB

MD5
4e6a7ee0e286ab61d36c26bd38996821

SHA1
820674b4c75290f8f667764bfb474ca8c1242732

SHA256
f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3

SHA512
f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

Download Submit
C:\Users\Admin\Downloads\MakuAIO+Multi+Advanced+Checker\mip_core.bin

Filesize
211KB

MD5
59238144771807b1cbc407b250d6b2c3

SHA1
6c9f87cca7e857e888cb19ea45cf82d2e2d29695

SHA256
8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b

SHA512
cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

Download Submit
memory/972-178-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/972-184-0x0000000005000000-0x000000000510A000-memory.dmp

Filesize
1.0MB

Download
memory/972-183-0x0000000004DA0000-0x0000000004DEC000-memory.dmp

Filesize
304KB

Download
memory/972-182-0x0000000004D50000-0x0000000004D8C000-memory.dmp

Filesize
240KB

Download
memory/972-177-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download
memory/972-181-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/6008-267-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-256-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-266-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-265-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-264-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-263-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-262-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-261-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-257-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download
memory/6008-255-0x000001E87D010000-0x000001E87D011000-memory.dmp

Filesize
4KB

Download