redline | hxxps://drive[.]google[.]com/file/d/1hebSlQoO8LMXi3foAwAp2KhoEneBUBe8/view

Analysis

max time kernel
55s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1hebSlQoO8LMXi3foAwAp2KhoEneBUBe8/view

Score

10^/10

redline credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

185.196.9.26:6302

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3916-168-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
5116	ESCALIBUR.exe

Loads dropped DLL 1 IoCs

pid	Process
5116	ESCALIBUR.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
9	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 3916	5116	ESCALIBUR.exe	121

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESCALIBUR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
4172	msedge.exe
4172	msedge.exe
1692	identity_helper.exe
1692	identity_helper.exe
4928	msedge.exe
4928	msedge.exe
1752	7zFM.exe
1752	7zFM.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
3916	MSBuild.exe
1752	7zFM.exe
1752	7zFM.exe
1752	7zFM.exe
1752	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
652	OpenWith.exe
1752	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1752	7zFM.exe
Token: 35	1752	7zFM.exe
Token: SeSecurityPrivilege	1752	7zFM.exe
Token: SeDebugPrivilege	3916	MSBuild.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
1752	7zFM.exe
1752	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe
652	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4840	4172	msedge.exe	82
PID 4172 wrote to memory of 4840	4172	msedge.exe	82
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 2068	4172	msedge.exe	83
PID 4172 wrote to memory of 1980	4172	msedge.exe	84
PID 4172 wrote to memory of 1980	4172	msedge.exe	84
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85
PID 4172 wrote to memory of 3612	4172	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1hebSlQoO8LMXi3foAwAp2KhoEneBUBe8/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9991f46f8,0x7ff9991f4708,0x7ff9991f4718
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,3721359134284037853,9963089217106150651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4996

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ESCALIBUR.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1752
- C:\Users\Admin\AppData\Local\Temp\7zO8D6CFE08\ESCALIBUR.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8D6CFE08\ESCALIBUR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
4d3903b3efff6854534bbe0cba91abf9

SHA1
57b5e4b7653db5336e5ec53f790e9474f4c489ef

SHA256
9875bbead3e8d70b473adbbdbb897fb2619053fbf9d735d4e632e84e844e072b

SHA512
259476a9e107b7ebfd30e7e082d2f212c227c1860e1e82145ed592b01d1d9a40f4d2e689bae5e3b68cea5a2d6ef2f01d03f70cb59c6bac10796e1fe30736d63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
b79ec9be10aad7779015ec0d28cf6b83

SHA1
e78fbbb02e1a867afda6ba5fa2d5f1ad9c613b40

SHA256
bae62afd202308666cf4861852ea8635c88cf4dee71854357219936fc450d79a

SHA512
3cabad49c9115fea2b0e35edcd3dbedd85d694879f24b2c02cfd42d116d29308a3fa40cc875fd60b254f619e0c2279fba52e246be9fed5f890f2f514cc033ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1fa52b21d5ec85c04c614e75f8ad0b54

SHA1
adbcf3f289cbc87516a816813a61d383b5595f44

SHA256
535d9a4af62d9fde3f6e8aac554ed2b368bb9e07d1041b6f649fd1bf63ee0eff

SHA512
000d613b85c421497bc5ed5cdfdc408a190d8c5342b46873e44f3062f7be891c0ffd7c29cc98118c8e7f781c5dc1fa011b38d506553aad2cd4a9cc65967dec7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
adf187b2d4631847217e09334d9f280c

SHA1
d57cfa241962cb16a86747e8c5c2da86d91a6b5c

SHA256
599bb61fbfe78073faa9af27476a57853fd165a140b2926f9c9db414fbd587d9

SHA512
c5c6d134705962981fb39e0059b58da2d742da93d991c74b43ea4a3388aff4b6d61c8c492943d691ea502405c945e053d0a7b242c9f517bd4413affe18e227ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3954601fb4252b92fb88a2888d1a2f40

SHA1
c3f5a6b699ae17f7985a40fe2abf11b9d04e90fe

SHA256
4560e76dd4f3b96d0e8b708ec17721e1974f07b05ce74726a5eeffef7d0cdf03

SHA512
0fb01358ed23819fc007ff6a858bf54839e6d0e45a1d5a976cc47f8aed50a2e9d5744fb91995edc3f9cf179d68d120faa23d0b4d841d9deadb0d4964e337c6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bab8855de79f26ddf85300970b0d504a

SHA1
083662172b966d98f1dc711bcdb7ca733dbe0d0b

SHA256
4aed47bfc838e51b9d92ff6679c0b59ba888a6c6798c15db128912b38c03bc2e

SHA512
cc442ef0d66d951d95fd5787abe695e3e40c344b08896ec61b8074229f81aed22fffb92d884d1f6019ac340a177402d7a1d40a6c645ce340472ffaf4c277c433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9f9b6a866e18684bdb62a931acb2bc0b

SHA1
1fb1ee24bfd89abcb3f0310b6c47d50f78352b63

SHA256
d4fd801ff0044cb402913572e49da31f8e8523acac4f4d4211e08fd9076f3e17

SHA512
0dafc1d2d624d612dcc92a03c2490e29be3aa2d1737afa46cdd491e47ce99dddf505d3e8b5dc8b6d18a0666a1d3cbceaf4a2376342391f3bd6d6ffd4640f645a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0be77009b39a7412cecbd663574f3e66

SHA1
032a38cf4944457e156d8a14f239c05ef5dff53b

SHA256
aa48c19138859622c74af27da6cb092797fcbd9ef6affdde0ac30fb7d43651bb

SHA512
1b9414f3dea783a878000ec8452fd5b61211554a852f44f54d50f411869e1c6089537d0a270df383090e5f445e05bfb9514150e122466316a1c6b13f42cbb175

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8D6CFE08\ESCALIBUR.exe

Filesize
404KB

MD5
17009634efa37ec1e9e2887876f15fc0

SHA1
b27f87906a9b4bc795bc08e451bb4f3fe58294c3

SHA256
73213e644a96c8c5b1c6af2577001737f722d0ad19dfb6e3c48421db2bbc71da

SHA512
4ec0cacaa5b5c6665b0e11a7bb8af25131998f187430708fc0ffb6d3717ad3357292e43248ce0b6fc84b25b5fcd977599b2548a6eca6588e2193ae707dc7c9fb

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
598KB

MD5
e4f30398db57df7dbcc66bdb4eac7c8e

SHA1
f695c0d1e7209784c8249568ecbf755454898589

SHA256
1bc4d05eedd7fa0ebdabf2ccfe6b371e6b9bb6d095e504faee05cd73e72453ca

SHA512
1e693369339b5da1c20d6fbbd56b007efabf553ac17e83f70006092983456e5d47f4bd4776912a29dd865170dbcbaf2ff537707da1ea3c63f80d0703e8ddaa46

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 888208.crdownload

Filesize
349KB

MD5
cc072217cdf69fe59658a1beb601408f

SHA1
f0fc2f8404a5bfd9a92fba1d7bbfda240df57a70

SHA256
bffb574a6e578d6e2cbdd9550ea52d2b2af054f8955febd726b26e0c50e8847b

SHA512
18c0f6159d7e40d14abe122e26273fbfc723e2205fe08e9cb939aad9fe742231b812cc2784ba561a392c4ce9b7daece30b2d7f211e4145c76d691e37956a836c

Download Submit
memory/3916-176-0x0000000005AA0000-0x0000000005ADC000-memory.dmp

Filesize
240KB

Download
memory/3916-177-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/3916-171-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/3916-172-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/3916-173-0x0000000006880000-0x0000000006E98000-memory.dmp

Filesize
6.1MB

Download
memory/3916-174-0x0000000005B10000-0x0000000005C1A000-memory.dmp

Filesize
1.0MB

Download
memory/3916-170-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/3916-168-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3916-175-0x0000000005A40000-0x0000000005A52000-memory.dmp

Filesize
72KB

Download
memory/3916-189-0x0000000006350000-0x00000000063B6000-memory.dmp

Filesize
408KB

Download
memory/3916-190-0x00000000073B0000-0x0000000007400000-memory.dmp

Filesize
320KB

Download
memory/3916-191-0x00000000077D0000-0x0000000007992000-memory.dmp

Filesize
1.8MB

Download
memory/3916-192-0x0000000007ED0000-0x00000000083FC000-memory.dmp

Filesize
5.2MB

Download
memory/5116-160-0x0000000000930000-0x000000000099E000-memory.dmp

Filesize
440KB

Download
memory/5116-161-0x0000000002E30000-0x0000000002E36000-memory.dmp

Filesize
24KB

Download