gurcu | hxxps://mega[.]nz/file/a1tDEAjJ#3JZZnt-xJSIP74QYyIEOb5jv8Sfdcu5gDFdJJfJQAb8

Analysis

max time kernel
112s
max time network
112s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18/02/2025, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/a1tDEAjJ#3JZZnt-xJSIP74QYyIEOb5jv8Sfdcu5gDFdJJfJQAb8

Score

10^/10

gurcu redline discovery infostealer stealer

Malware Config

Extracted

Family

redline

65.108.29.210:21638

Attributes

auth_value
ad39d6a8ea7823f2a92f57ebaa4c98a5

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2696-355-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
3752	Start.exe
2696	Start.exe
4924	Start.exe
3776	Start.exe
632	Start.exe
392	Start.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3752 set thread context of 2696	3752	Start.exe	108
PID 4924 set thread context of 3776	4924	Start.exe	114
PID 632 set thread context of 392	632	Start.exe	117

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Start.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Start.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Start.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Start.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Start.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Start.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
3936	msedge.exe
3936	msedge.exe
652	identity_helper.exe
652	identity_helper.exe
2040	msedge.exe
2040	msedge.exe
2696	Start.exe
2696	Start.exe
2696	Start.exe
3776	Start.exe
3776	Start.exe
3776	Start.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
392	Start.exe
392	Start.exe
392	Start.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: 33	464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	464	AUDIODG.EXE
Token: SeRestorePrivilege	1152	7zG.exe
Token: 35	1152	7zG.exe
Token: SeSecurityPrivilege	1152	7zG.exe
Token: SeSecurityPrivilege	1152	7zG.exe
Token: SeDebugPrivilege	2696	Start.exe
Token: SeDebugPrivilege	3776	Start.exe
Token: SeDebugPrivilege	2808	taskmgr.exe
Token: SeSystemProfilePrivilege	2808	taskmgr.exe
Token: SeCreateGlobalPrivilege	2808	taskmgr.exe
Token: 33	2808	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2808	taskmgr.exe
Token: SeDebugPrivilege	392	Start.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
1152	7zG.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe
2808	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 3768	3936	msedge.exe	83
PID 3936 wrote to memory of 3768	3936	msedge.exe	83
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 940	3936	msedge.exe	84
PID 3936 wrote to memory of 2788	3936	msedge.exe	85
PID 3936 wrote to memory of 2788	3936	msedge.exe	85
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86
PID 3936 wrote to memory of 4348	3936	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/a1tDEAjJ#3JZZnt-xJSIP74QYyIEOb5jv8Sfdcu5gDFdJJfJQAb8
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffd6c4746f8,0x7ffd6c474708,0x7ffd6c474718
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1408 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4292 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11970976714115547455,10620711916810265530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:1244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2084

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Autorisoft\" -ad -an -ai#7zMap3141:82:7zEvent22431
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1152

C:\Users\Admin\Downloads\Autorisoft\Start.exe
"C:\Users\Admin\Downloads\Autorisoft\Start.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3752
- C:\Users\Admin\Downloads\Autorisoft\Start.exe
  "C:\Users\Admin\Downloads\Autorisoft\Start.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696

C:\Users\Admin\Downloads\Autorisoft\Start.exe
"C:\Users\Admin\Downloads\Autorisoft\Start.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4924
- C:\Users\Admin\Downloads\Autorisoft\Start.exe
  "C:\Users\Admin\Downloads\Autorisoft\Start.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3776

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808

C:\Users\Admin\Downloads\Autorisoft\Start.exe
"C:\Users\Admin\Downloads\Autorisoft\Start.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:632
- C:\Users\Admin\Downloads\Autorisoft\Start.exe
  "C:\Users\Admin\Downloads\Autorisoft\Start.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Start.exe.log

Filesize
1KB

MD5
bd76295661516015cc654d284dc2c276

SHA1
66f835bf0b154292d8ad17212a0feabc5f4f1a18

SHA256
aeef561f6ece2de3d114091d2304534b65152dfee9e195c80876477344422f12

SHA512
0aa544e8684fe8b668623d5668a82abc590938c60fbbfd4959a8e8b1cb16d96858824d170a174b2084569b2756a97ce1b825d588a8a5b3cd4ed040182bcad5fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
40a7fd2af012a0035df4439e84a91899

SHA1
bd0c6bec4e1bf2c0c84702b8505796975b75cc48

SHA256
d19928a212694cfa6674d5b9efa82707baabdca4242023343af8dc711b355326

SHA512
e68fe33f1ea0cb67d4f845724c860e70e032f1dbdf0685c7a2dd417b594f2c5c0959152a95904ce4f05eac03e31a88738f7a34de569769760dac21ae8722077d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1be9daea82c072063226d6b29c833d92

SHA1
fe176a1c90b4707245a8a0cb229cd479d8dd327a

SHA256
e4215ba2fda6a759a8749fd8cf53e79db11c4c72b3a2c5356773f26ec7801622

SHA512
054367cff5b590ea91bbc12c2a3696b256b280e65ccf12f0e8896680b9e93b27771dc138961fee70f0c9391fa52687ea9f3572d6a2a961d48d5e97b5f604d59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f62a80898e9eec2b02388a9e747cc219

SHA1
4a8b5050616421df409c2dbe155ef6d495a3b21e

SHA256
e1a01bddfdf3734df406b27938cecb15d355c97ac0b03841158bc3022cb7905c

SHA512
03f63b31c26e5d80a984b2890d9c2bcac83f3e530b525887d3118c239fb52efaedf44e9872ca73c631f17b90618df1da230b9b9cc4f585516a14ca9d9e543606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9088f3c279781360fb0c6d6ccbb9a72a

SHA1
d63646a6de9c8d74e5ed3062f109793ede2c87b3

SHA256
b827dfd84af1f11ffd3b032faaa245ab77200089949019ff59c33085a76c32c3

SHA512
1da714b318ddd72efe32f60b777174296e2bbc6dfd533c3a8f8417f806b4df845e7b3c54ce11f20ff57e5a0db2af853a5ba33bcaec456da5ab3826c7beca3279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2cf003630b8422b83727fd7613a875e6

SHA1
8c3399774f3e2fa4e4b9e92dc6522e8abb1ef821

SHA256
00e779eda54e5cf4a4755a3d228baccb3aaa93601672ae68a0285f58df5948fb

SHA512
4430c0cafa443195fb7eb5312ad7f389d5157f78a33766e3b3bbbc5025ad5f0f883a4a6712a2a95f0a721ebecca94b6736b8b160bf90b42a6a6ce1da3211a2a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7cea671c9d512a2198dd38982941633f

SHA1
48ab2bcc5acbb87e4552f399c611aab5417b9729

SHA256
613ef4fff59958c618b99c48e9f3188d1a2490f3287fd6ab6c73b40c5563ca2e

SHA512
9f4f8fd48307fceb178b71885ace114e8a1fb498679c0b6814bc48ff8f6023b85d8086c5561366422ec25dca96d8413ae8458f52c6728649b99dce78fb3ce33a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
021395baff8fafd40fc028125ad98871

SHA1
25e833a45a28f30a6dd82574d2888af5ee65299e

SHA256
1797269a89def0726836580a651bc14438b70856e5ebfc9cde854abc6c346957

SHA512
20530f1d0cb969d6fe3f8a95d0980368c7e9c5190c0cbf67a3be6747d442bd6227df82ac862a352c790b9ec94c92e0968b4a4272aefd0fa49ab3c4013c1da85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583469.TMP

Filesize
48B

MD5
9aa3a5f39e976b2147e98497a5c21312

SHA1
609cad467053a328fb0f44d8eb1204e22e02d7a7

SHA256
ebbe7222731726b2e71fecbd3750ff2289b21f9dd74f36483544de51c9938e27

SHA512
8247b89b4f81a36a3ca75444a03cd7f02bbe3e35dadc4da7283acb1fac8287e07056252d8852c0de5ad32ca45c204341c73e66255c3493267215866eeb6fed44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d5f457af3842a979a0fb90febd30212c

SHA1
60ca40a37bbe5e3555f25a89935b2d2a9cd1441c

SHA256
d8e94f7a9884ced774b0a0c9546ee9bb981082bdc4345b087cb1752e9d7ca90b

SHA512
e6eab49e4ffa00cf16bfad0972d8bd8c7b6e032ea591d0b9734f8dafa4555bff7cdd67e0b5b12e164beb35ef784e0de61060d36193a0ae318b52262e1fc557d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4b1ca836dd7ee4d87d898eb344299777

SHA1
7818889b9bfad95bfbff9d05d3e5e2382e32594c

SHA256
59ab68899b5d5a44dde8a4dc5cb10509b8da1ff124dc98b8bb8967d7cb8036a5

SHA512
8bbb58644e2456bd7ed1d37537b24485ff26f87d54f99d388da5039a51bc9f3ba79abde360791891e91f64ab55664f7da29e735a196a9ddafec7fab6420913c6

Download Submit
C:\Users\Admin\Downloads\Autorisoft.zip

Filesize
17.9MB

MD5
5b879f39e57139ab17300879afa61554

SHA1
a18eab8e257c611f72ea92833584fff0ffaea1f2

SHA256
645e274fec3723d065308f9b16b33392ed7f51fbd5ffc3c00806c2efafb08b65

SHA512
54814430828c204a8b606c000e2efc1fb2586f41c322ebae44d9eba4d297db473d37b520fac02c1bf88407a8a9138a3e7de502e27e32745cd4c96d54c9994ac0

Download Submit
C:\Users\Admin\Downloads\Autorisoft\Start.exe

Filesize
301KB

MD5
9a0e31ffbe7ecc3a2a6f968b2a8d5567

SHA1
e88e76fe96616649d2558923afe457ce3b1976ec

SHA256
b371eae7b55688d307b653759c2d4ddfe3672eb7b5567bcfa9c3f75f5c6d6255

SHA512
db64b27997e5305473572ee8a60573032e51fbfbdc48670d9adef8ba23c81e8845d073383299c94f87a0100c74ca0e6968b9f468fc46e31e221a71ad69a32749

Download Submit
memory/2696-371-0x0000000006110000-0x000000000615C000-memory.dmp

Filesize
304KB

Download
memory/2696-367-0x00000000065F0000-0x0000000006C08000-memory.dmp

Filesize
6.1MB

Download
memory/2696-370-0x00000000060D0000-0x000000000610C000-memory.dmp

Filesize
240KB

Download
memory/2696-369-0x0000000006190000-0x000000000629A000-memory.dmp

Filesize
1.0MB

Download
memory/2696-355-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2696-368-0x0000000006060000-0x0000000006072000-memory.dmp

Filesize
72KB

Download
memory/2696-359-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/2808-412-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-418-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-413-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-415-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-416-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-417-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-406-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-408-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-407-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/2808-414-0x000002E1C6060000-0x000002E1C6061000-memory.dmp

Filesize
4KB

Download
memory/3752-351-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/3752-352-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download
memory/3752-349-0x00000000009C0000-0x0000000000A10000-memory.dmp

Filesize
320KB

Download
memory/3752-350-0x0000000005A30000-0x0000000005FD6000-memory.dmp

Filesize
5.6MB

Download
memory/3752-353-0x00000000056D0000-0x0000000005746000-memory.dmp

Filesize
472KB

Download
memory/3752-354-0x0000000005650000-0x000000000566E000-memory.dmp

Filesize
120KB

Download