redline | c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68

Resubmissions

22/03/2023, 20:41

230322-zgjjzabc24 10

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68.exe
Size

298KB
MD5

c2d4b5490f3b41491624df1cd5a0ff62
SHA1

bb86ae0caa8a21149a2fdce11ca05bc0ce950bbd
SHA256

c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68
SHA512

583b0dc713b35b39a6dda1314890299cf32f1bc70699927d59fdfae96e27c6283b6ee0a4294dc8fa6073cad8dc697e48851200b3f38603da510a876606f89ae6
SSDEEP

6144:5HiCpw0G0c6sIxxmeY0yDmeMkonGV9XjdK6Igk6jsGLe63hs:5HiCVG0c6vPo0gLhV9lIgkC/L93

Score

10^/10

redline persom infostealer

Malware Config

Extracted

Family

redline

Botnet

persom

45.155.204.13:25916

Attributes

auth_value
95b39b00ba8fba008cebd278bd0303f0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

resource	yara_rule
behavioral2/memory/3224-139-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-140-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-142-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-144-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-146-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-148-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-150-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-152-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-154-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-156-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-158-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-160-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-162-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-164-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-166-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-168-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-170-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-172-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-174-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-176-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-178-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-180-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-182-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-184-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-186-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-188-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-190-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-192-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-194-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-196-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-198-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-200-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline
behavioral2/memory/3224-202-0x0000000004D30000-0x0000000004D82000-memory.dmp	family_redline

.NET Reactor proctector 33 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3224-139-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-140-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-142-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-144-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-146-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-148-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-150-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-152-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-154-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-156-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-158-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-160-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-162-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-164-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-166-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-168-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-170-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-172-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-174-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-176-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-178-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-180-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-182-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-184-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-186-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-188-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-190-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-192-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-194-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-196-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-198-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-200-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor
behavioral2/memory/3224-202-0x0000000004D30000-0x0000000004D82000-memory.dmp	net_reactor

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68.exe
Token: SeDebugPrivilege	4968	taskmgr.exe
Token: SeSystemProfilePrivilege	4968	taskmgr.exe
Token: SeCreateGlobalPrivilege	4968	taskmgr.exe
Token: 33	4968	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4968	taskmgr.exe
Token: SeDebugPrivilege	2360	firefox.exe
Token: SeDebugPrivilege	2360	firefox.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
2360	firefox.exe
2360	firefox.exe
2360	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2360	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 1964 wrote to memory of 2360	1964	firefox.exe	113
PID 2360 wrote to memory of 4664	2360	firefox.exe	114
PID 2360 wrote to memory of 4664	2360	firefox.exe	114
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 1276	2360	firefox.exe	115
PID 2360 wrote to memory of 544	2360	firefox.exe	116
PID 2360 wrote to memory of 544	2360	firefox.exe	116
PID 2360 wrote to memory of 544	2360	firefox.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68.exe
"C:\Users\Admin\AppData\Local\Temp\c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.0.814739019\1904828182" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f66ae99-b61e-4926-9734-ea6d9ae145e5} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 1916 22f92eec858 gpu
    3⤵
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.1.1318996186\2092726096" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {078fe37d-ebe6-43c5-8a81-522acfea89d1} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 2316 22f85e6f558 socket
    3⤵
    - Checks processor information in registry
    PID:1276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.2.1631702230\368855620" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 2860 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fce1080-8736-4b25-8b8b-586ad5e2e76d} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3224 22f969f8158 tab
    3⤵
    PID:544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.3.1230300815\379615575" -childID 2 -isForBrowser -prefsHandle 1440 -prefMapHandle 2492 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c913962e-62f7-416a-8042-ef8d148d6d83} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 1276 22f92ec5b58 tab
    3⤵
    PID:4296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.4.1023183513\2098145184" -childID 3 -isForBrowser -prefsHandle 3804 -prefMapHandle 3800 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d09a0dcd-de9d-4b12-ad7f-b3a90519c574} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 3736 22f85e5cd58 tab
    3⤵
    PID:3272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.5.138632393\1049666613" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f2779b-dbd9-4d68-a0ab-89d74633555c} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 4992 22f99276258 tab
    3⤵
    PID:3764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.6.1846925744\1190783325" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 4992 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d47fda68-b0c4-4ba1-8a3d-639adc48ab1d} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 5164 22f98d43b58 tab
    3⤵
    PID:1544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2360.7.799662329\1901961612" -childID 6 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5890676d-3ff8-4d9a-ae76-b4a565b84657} 2360 "\\.\pipe\gecko-crash-server-pipe.2360" 5272 22f994abf58 tab
    3⤵
    PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
143KB

MD5
4c5143d54136f29061ec48299b7f1d43

SHA1
7cc82ed816c6e229c2abcb39844bb3f90dae6bef

SHA256
b6c7177c3e36ad6bb74a92430924776067edad615d5d95160ebee02fea15d5f5

SHA512
7024548e660870fd26ba15cecfb69bc69059f76c34ae056eab2fed5c52a0dbbb3bd6a5df7b1d18e39cb866e688450fb7a553086abdb4c7499f916ee0817b48ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
eacb82a2c78562a81988f8c2a9e48324

SHA1
711d6858022b4135653afafec61d2f2769e3b6ef

SHA256
d4ade10c7c1f8f10a4bf42765bedcadc14fc8352657cab0e600b7d6961680344

SHA512
3545ea6fcb5d9c385d953d4c0f12f8e98d06742e2b87b70bfc8c87f6efbd6a7d8c6aec553ad0a93e5999b6fa37eee0ac84efe47f23e96f86262fc6de1051b678

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
15eae14ba5674eef684f376fbe00a73d

SHA1
b235b6cb5d4a9cf0769953a7f95f679a4627a8ec

SHA256
bd0a2d6be976fbc4ef56acb9311f9e303adf0851eb496ee0170bce94227a16a6

SHA512
8971f6b2563889f413b48baeea0411e7d4764720ba71a5794823730a0b18d64569ae743c7aa9e96e94e936af29e56daa6c5799870b499b491138fc8ed7ff0b33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore.jsonlz4

Filesize
881B

MD5
dafb0fab59f3e980c6d3032bb66cf492

SHA1
fd0e669e5db3592e826194b0711ae477b5b2f2d2

SHA256
95ecaa45c11847fad063de544031de31c5339bf1e842ab2ccc9decadf495123b

SHA512
a26515512ae4320cdc6db84fba3da06a71acf688d799c320feca4b49bcf0b9c623e79c94c1541b74622531a590af930df183ad225ec120233d0a6d5c9f21488d

Download Submit
memory/3224-170-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-152-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-136-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/3224-137-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3224-138-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3224-139-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-140-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-142-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-144-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-146-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-148-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-150-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-174-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-154-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-156-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-158-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-160-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-162-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-164-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-166-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-168-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-134-0x0000000002310000-0x0000000002372000-memory.dmp

Filesize
392KB

Download
memory/3224-135-0x0000000004E90000-0x0000000005434000-memory.dmp

Filesize
5.6MB

Download
memory/3224-172-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-190-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-178-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-180-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-182-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-184-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-186-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-188-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-176-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-192-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-194-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-196-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-198-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-200-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-202-0x0000000004D30000-0x0000000004D82000-memory.dmp

Filesize
328KB

Download
memory/3224-929-0x00000000074E0000-0x0000000007AF8000-memory.dmp

Filesize
6.1MB

Download
memory/3224-930-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/3224-931-0x0000000007B00000-0x0000000007C0A000-memory.dmp

Filesize
1.0MB

Download
memory/3224-933-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3224-934-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download
memory/3224-935-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3224-936-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3224-937-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3224-939-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download