Analysis
- max time kernel: 81s
- max time network: 78s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2023, 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: Setup.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: Setup.exe
  Resource: win10v2004-20230915-en
General
- Target: Setup.exe
- Size: 1.7MB
- MD5: 46a22f0849344f152364d921c3c28435
- SHA1: 44fb399a95aaddd99270fe73a8705f53c0f73b72
- SHA256: 1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2
- SHA512: a992ece8155f66b7d3ccf801961ae69af857dc7366bf096805700ce69e5305867db9c5b346074e14d83292daa7a72be5c2becf58565305684adc3bb9f0942e32
- SSDEEP: 24576:WwzT5gWn2HsJRx/6a9DhvhSCPhwtzZc7m6fgA7:dx/6a3vtqtu7m6
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/4568-0-0x0000000000400000-0x000000000045A000-memory.dmp   family_redline
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid   Process
  5768  Setup.exe
  5692  Setup.exe
  5744  Setup.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (4 IoCs)
  description                           pid   Process    procid_target
  PID 2284 set thread context of 4568   2284  Setup.exe  87
  PID 5768 set thread context of 5860   5768  Setup.exe  118
  PID 5692 set thread context of 5824   5692  Setup.exe  127
  PID 5744 set thread context of 5972   5744  Setup.exe  130
- Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  3016  2284        WerFault.exe  80
  5908  5768        WerFault.exe  113
  5936  5692        WerFault.exe  123
  5932  5744        WerFault.exe  125
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                               taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                  taskmgr.exe
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                            Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   firefox.exe
- NTFS ADS (1 IoC)
  description   ioc                                              Process
  File created  C:\Users\Admin\Downloads\Setup.exe:Zone.Identifier  firefox.exe
Suspicious behavior: EnumeratesProcesses 43 IoCs
pid Process 4568 AppLaunch.exe 4568 AppLaunch.exe 4568 AppLaunch.exe 4568 AppLaunch.exe 4568 AppLaunch.exe 5860 AppLaunch.exe 5860 AppLaunch.exe 5860 AppLaunch.exe 5860 AppLaunch.exe 5860 AppLaunch.exe 5824 AppLaunch.exe 5824 AppLaunch.exe 5972 AppLaunch.exe 5972 AppLaunch.exe 5972 AppLaunch.exe 5824 AppLaunch.exe 5824 AppLaunch.exe 5824 AppLaunch.exe 2484 taskmgr.exe 2484 taskmgr.exe 5972 AppLaunch.exe 5972 AppLaunch.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe -
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            4568  AppLaunch.exe
  Token: SeDebugPrivilege            1488  firefox.exe
  Token: SeDebugPrivilege            1488  firefox.exe
  Token: SeDebugPrivilege            5860  AppLaunch.exe
  Token: SeDebugPrivilege            5824  AppLaunch.exe
  Token: SeDebugPrivilege            5972  AppLaunch.exe
  Token: SeDebugPrivilege            2484  taskmgr.exe
  Token: SeSystemProfilePrivilege    2484  taskmgr.exe
  Token: SeCreateGlobalPrivilege     2484  taskmgr.exe
  Token: 33                          2484  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  2484  taskmgr.exe
Suspicious use of FindShellTrayWindow 54 IoCs
pid Process 1488 firefox.exe 1488 firefox.exe 1488 firefox.exe 1488 firefox.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe -
Suspicious use of SendNotifyMessage 52 IoCs
pid Process 1488 firefox.exe 1488 firefox.exe 1488 firefox.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe 2484 taskmgr.exe -
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  1488  firefox.exe
  1488  firefox.exe
  1488  firefox.exe
  1488  firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2284 wrote to memory of 4568 2284 Setup.exe 87 PID 2284 wrote to memory of 4568 2284 Setup.exe 87 PID 2284 wrote to memory of 4568 2284 Setup.exe 87 PID 2284 wrote to memory of 4568 2284 Setup.exe 87 PID 2284 wrote to memory of 4568 2284 Setup.exe 87 PID 2284 wrote to memory of 4568 2284 Setup.exe 87 PID 2284 wrote to memory of 4568 2284 Setup.exe 87 PID 2284 wrote to memory of 4568 2284 Setup.exe 87 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 944 wrote to memory of 1488 944 firefox.exe 102 PID 1488 wrote to memory of 5008 1488 firefox.exe 103 PID 1488 wrote to memory of 5008 1488 firefox.exe 103 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 PID 1488 wrote to memory of 2304 1488 firefox.exe 104 -
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4568)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 3016)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 148
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4592)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2284 -ip 2284
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 944)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1488)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Checks processor information in registry; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5008)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.0.1942868499\90315651" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3524f94-f3f8-4f72-bf8f-2abdca0baa47} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 1996 1b5639ef558 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2304)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.1.2058533479\367990489" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88228d39-22d2-44e9-bbbc-309403f34705} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 2396 1b5637e3858 socket
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3036)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.2.1272781419\5192662" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 3000 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb486ff6-ecbc-44c9-8fb4-23286cb26d99} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 3180 1b567aa7558 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4808)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.3.1799952229\1033651882" -childID 2 -isForBrowser -prefsHandle 3068 -prefMapHandle 2812 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fffbf77d-86ba-4fa5-b7ad-978612c87946} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 3312 1b56881a658 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1500)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.4.832225759\2029555152" -childID 3 -isForBrowser -prefsHandle 4248 -prefMapHandle 4244 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb032602-2caa-43a0-aab7-5e66bfece43a} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 3596 1b569244858 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3292)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.7.569006179\1374454681" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5232 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0279a7cd-ab33-4e69-b605-c18e101ad05c} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5608 1b569efee58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4568)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.6.91706846\1289006696" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5208 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b42f465b-829a-4b21-87e4-9f14cd426928} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5232 1b569efdf58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4588)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.5.17429839\1682022157" -childID 4 -isForBrowser -prefsHandle 5200 -prefMapHandle 5196 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e911b599-694f-412e-8a84-be03b18243af} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5156 1b569d58a58 tab
    - C:\Users\Admin\Downloads\Setup.exe (PID 5768)
      Command line: "C:\Users\Admin\Downloads\Setup.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 5836)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 5844)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 5852)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 5860)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 5908)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 644
        Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5872)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5768 -ip 5768
- C:\Windows\System32\rundll32.exe (PID 5636)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\Setup.exe (PID 5692)
  Command line: "C:\Users\Admin\Downloads\Setup.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 5824)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 5936)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 620
    Signatures: Program crash
- C:\Users\Admin\Downloads\Setup.exe (PID 5744)
  Command line: "C:\Users\Admin\Downloads\Setup.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 5972)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 5932)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 620
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 5820)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5692 -ip 5692
- C:\Windows\SysWOW64\WerFault.exe (PID 5772)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5744 -ip 5744
- C:\Windows\system32\taskmgr.exe (PID 2484)
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded)
  Filesize: 2KB
  MD5: 5cbe5838fcf3e7c3fe38a379ab781de2
  SHA1: 04a11803a9096bc36392f766d8a21b3de13457df
  SHA256: 2c240781cf1198385b246f5265757a83acd7f8e2e92105ca956ec0680bc17a69
  SHA512: a009ae31f52ad23b53a04ec79e47a6f6b508eba566b9bd82dd5dadd52ed72607c7b6d04ade3e7c9f5b80508afff8fe8fdd922c0df34401bbd64ea3446936970c
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wp0zrwot.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 22KB
  MD5: a530ed2b4f1e263d947f7d0714346634
  SHA1: dd13d6ba77ea7853ffe011a07e939a14a9f3ec29
  SHA256: 131055d347df63e9acc1146b2258d688bb25f86920ec0b22d804c56f5517dece
  SHA512: 7d6de8d262626122e8372f57c2f9673fdc6d4646bb48dc2a59c2a3f43e0f563207fb867b11d645d687c588ce568f33e574e6171ffa5aeb44d9c87d859ea9d0f0
- (path not recorded)
  Filesize: 6KB
  MD5: 52dc4b419eaf2d2e3bdfd018539b9a3e
  SHA1: 999f7ba53f8dedb173714a3ffa8e7c4f6aa11616
  SHA256: 44d2c22f7282fe72cc4906a1dfec0112b735c5d9e52dc30172a0982352c4c3a5
  SHA512: c89a7d94cb20169071b4be6d203fb6201462abaf365df9f338a3ea9e31aff0edb60c5785bd5d11107502d89550ec62f02ecd00cdb520da86e7b53463c9d614fe
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionCheckpoints.json.tmp
  Filesize: 259B
  MD5: c8dc58eff0c029d381a67f5dca34a913
  SHA1: 3576807e793473bcbd3cf7d664b83948e3ec8f2d
  SHA256: 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
  SHA512: b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 5db3fe2568abfe52ab65575a78fe6523
  SHA1: 4a09a18afae15ddad46ff4dcae5923bf9d0a3475
  SHA256: 520a69f6f51e69d4b91b1af47284e4ceff72f76eecc0ccc359aa805ca2b48ef5
  SHA512: 72103955078839b4355c63c0ed69d43b367b4bf3d3c590f727bd40046d5b668342f4bad71bd41f56b625523570c02388961bbce4db1d7c92c7f94fb25cbfc22c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore.jsonlz4
  Filesize: 942B
  MD5: 4f83f0e0b31eef0711143cec2ae42506
  SHA1: 3a891ca96a5c477543ac16dfc2533775f13c2c17
  SHA256: b5433c1476c4aac259ef0f3f82aa69858ef2f5a39b54259e23eaa854c1b57f08
  SHA512: 6bbbe1c160f72ad6022d8d1b8ef8a01a1dcecd5f4a1edd8d2236c91bcfeb14ec48b02d21c9f51f2537eb4dd5fd996f8d1baa5db9b7fd81b4706e92cc9ebbb79e
- (path not recorded)
  Filesize: 272KB
  MD5: 9cc21f07946533628cfff7536b31e3b5
  SHA1: cce51d70561e7a748543d314b760f3d36a1d9eb8
  SHA256: 3b93f285f263d55519c2aabe5ef2ce69d950e83de588502192cd50944df08eff
  SHA512: 77290ddbdd9e845241c850c80c16a8f03f9a4485082fce81a42bff7320587ca33a14d7709bfecc1c0e6ea8c65ffa2a36518306eedba3a9a6a1eee319f32ae75b
- (path not recorded; hashes match the submitted Setup.exe sample)
  Filesize: 1.7MB
  MD5: 46a22f0849344f152364d921c3c28435
  SHA1: 44fb399a95aaddd99270fe73a8705f53c0f73b72
  SHA256: 1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2
  SHA512: a992ece8155f66b7d3ccf801961ae69af857dc7366bf096805700ce69e5305867db9c5b346074e14d83292daa7a72be5c2becf58565305684adc3bb9f0942e32