redline | 1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2

Analysis

max time kernel
81s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

1.7MB
MD5

46a22f0849344f152364d921c3c28435
SHA1

44fb399a95aaddd99270fe73a8705f53c0f73b72
SHA256

1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2
SHA512

a992ece8155f66b7d3ccf801961ae69af857dc7366bf096805700ce69e5305867db9c5b346074e14d83292daa7a72be5c2becf58565305684adc3bb9f0942e32
SSDEEP

24576:WwzT5gWn2HsJRx/6a9DhvhSCPhwtzZc7m6fgA7:dx/6a3vtqtu7m6

Score

10^/10

redline infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4568-0-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5768	Setup.exe
5692	Setup.exe
5744	Setup.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 4568	2284	Setup.exe	87
PID 5768 set thread context of 5860	5768	Setup.exe	118
PID 5692 set thread context of 5824	5692	Setup.exe	127
PID 5744 set thread context of 5972	5744	Setup.exe	130

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3016	2284	WerFault.exe	80
5908	5768	WerFault.exe	113
5936	5692	WerFault.exe	123
5932	5744	WerFault.exe	125

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Setup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4568	AppLaunch.exe
4568	AppLaunch.exe
4568	AppLaunch.exe
4568	AppLaunch.exe
4568	AppLaunch.exe
5860	AppLaunch.exe
5860	AppLaunch.exe
5860	AppLaunch.exe
5860	AppLaunch.exe
5860	AppLaunch.exe
5824	AppLaunch.exe
5824	AppLaunch.exe
5972	AppLaunch.exe
5972	AppLaunch.exe
5972	AppLaunch.exe
5824	AppLaunch.exe
5824	AppLaunch.exe
5824	AppLaunch.exe
2484	taskmgr.exe
2484	taskmgr.exe
5972	AppLaunch.exe
5972	AppLaunch.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	AppLaunch.exe
Token: SeDebugPrivilege	1488	firefox.exe
Token: SeDebugPrivilege	1488	firefox.exe
Token: SeDebugPrivilege	5860	AppLaunch.exe
Token: SeDebugPrivilege	5824	AppLaunch.exe
Token: SeDebugPrivilege	5972	AppLaunch.exe
Token: SeDebugPrivilege	2484	taskmgr.exe
Token: SeSystemProfilePrivilege	2484	taskmgr.exe
Token: SeCreateGlobalPrivilege	2484	taskmgr.exe
Token: 33	2484	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2484	taskmgr.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1488	firefox.exe
1488	firefox.exe
1488	firefox.exe
1488	firefox.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
1488	firefox.exe
1488	firefox.exe
1488	firefox.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe
2484	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1488	firefox.exe
1488	firefox.exe
1488	firefox.exe
1488	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 4568	2284	Setup.exe	87
PID 2284 wrote to memory of 4568	2284	Setup.exe	87
PID 2284 wrote to memory of 4568	2284	Setup.exe	87
PID 2284 wrote to memory of 4568	2284	Setup.exe	87
PID 2284 wrote to memory of 4568	2284	Setup.exe	87
PID 2284 wrote to memory of 4568	2284	Setup.exe	87
PID 2284 wrote to memory of 4568	2284	Setup.exe	87
PID 2284 wrote to memory of 4568	2284	Setup.exe	87
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 944 wrote to memory of 1488	944	firefox.exe	102
PID 1488 wrote to memory of 5008	1488	firefox.exe	103
PID 1488 wrote to memory of 5008	1488	firefox.exe	103
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104
PID 1488 wrote to memory of 2304	1488	firefox.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 148
  2⤵
  - Program crash
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2284 -ip 2284
1⤵
PID:4592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.0.1942868499\90315651" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3524f94-f3f8-4f72-bf8f-2abdca0baa47} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 1996 1b5639ef558 gpu
    3⤵
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.1.2058533479\367990489" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88228d39-22d2-44e9-bbbc-309403f34705} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 2396 1b5637e3858 socket
    3⤵
    - Checks processor information in registry
    PID:2304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.2.1272781419\5192662" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 3000 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb486ff6-ecbc-44c9-8fb4-23286cb26d99} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 3180 1b567aa7558 tab
    3⤵
    PID:3036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.3.1799952229\1033651882" -childID 2 -isForBrowser -prefsHandle 3068 -prefMapHandle 2812 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fffbf77d-86ba-4fa5-b7ad-978612c87946} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 3312 1b56881a658 tab
    3⤵
    PID:4808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.4.832225759\2029555152" -childID 3 -isForBrowser -prefsHandle 4248 -prefMapHandle 4244 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb032602-2caa-43a0-aab7-5e66bfece43a} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 3596 1b569244858 tab
    3⤵
    PID:1500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.7.569006179\1374454681" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5232 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0279a7cd-ab33-4e69-b605-c18e101ad05c} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5608 1b569efee58 tab
    3⤵
    PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.6.91706846\1289006696" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5208 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b42f465b-829a-4b21-87e4-9f14cd426928} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5232 1b569efdf58 tab
    3⤵
    PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1488.5.17429839\1682022157" -childID 4 -isForBrowser -prefsHandle 5200 -prefMapHandle 5196 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e911b599-694f-412e-8a84-be03b18243af} 1488 "\\.\pipe\gecko-crash-server-pipe.1488" 5156 1b569d58a58 tab
    3⤵
    PID:4588
- - C:\Users\Admin\Downloads\Setup.exe
    "C:\Users\Admin\Downloads\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 644
      4⤵
      Program crash
      PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5768 -ip 5768
1⤵
PID:5872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5636

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 620
  2⤵
  - Program crash
  PID:5936

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 620
  2⤵
  - Program crash
  PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5692 -ip 5692
1⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5744 -ip 5744
1⤵
PID:5772

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
5cbe5838fcf3e7c3fe38a379ab781de2

SHA1
04a11803a9096bc36392f766d8a21b3de13457df

SHA256
2c240781cf1198385b246f5265757a83acd7f8e2e92105ca956ec0680bc17a69

SHA512
a009ae31f52ad23b53a04ec79e47a6f6b508eba566b9bd82dd5dadd52ed72607c7b6d04ade3e7c9f5b80508afff8fe8fdd922c0df34401bbd64ea3446936970c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wp0zrwot.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
a530ed2b4f1e263d947f7d0714346634

SHA1
dd13d6ba77ea7853ffe011a07e939a14a9f3ec29

SHA256
131055d347df63e9acc1146b2258d688bb25f86920ec0b22d804c56f5517dece

SHA512
7d6de8d262626122e8372f57c2f9673fdc6d4646bb48dc2a59c2a3f43e0f563207fb867b11d645d687c588ce568f33e574e6171ffa5aeb44d9c87d859ea9d0f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\prefs-1.js

Filesize
6KB

MD5
52dc4b419eaf2d2e3bdfd018539b9a3e

SHA1
999f7ba53f8dedb173714a3ffa8e7c4f6aa11616

SHA256
44d2c22f7282fe72cc4906a1dfec0112b735c5d9e52dc30172a0982352c4c3a5

SHA512
c89a7d94cb20169071b4be6d203fb6201462abaf365df9f338a3ea9e31aff0edb60c5785bd5d11107502d89550ec62f02ecd00cdb520da86e7b53463c9d614fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5db3fe2568abfe52ab65575a78fe6523

SHA1
4a09a18afae15ddad46ff4dcae5923bf9d0a3475

SHA256
520a69f6f51e69d4b91b1af47284e4ceff72f76eecc0ccc359aa805ca2b48ef5

SHA512
72103955078839b4355c63c0ed69d43b367b4bf3d3c590f727bd40046d5b668342f4bad71bd41f56b625523570c02388961bbce4db1d7c92c7f94fb25cbfc22c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wp0zrwot.default-release\sessionstore.jsonlz4

Filesize
942B

MD5
4f83f0e0b31eef0711143cec2ae42506

SHA1
3a891ca96a5c477543ac16dfc2533775f13c2c17

SHA256
b5433c1476c4aac259ef0f3f82aa69858ef2f5a39b54259e23eaa854c1b57f08

SHA512
6bbbe1c160f72ad6022d8d1b8ef8a01a1dcecd5f4a1edd8d2236c91bcfeb14ec48b02d21c9f51f2537eb4dd5fd996f8d1baa5db9b7fd81b4706e92cc9ebbb79e

Download Submit
C:\Users\Admin\Downloads\Setup._Eizqc4A.exe.part

Filesize
272KB

MD5
9cc21f07946533628cfff7536b31e3b5

SHA1
cce51d70561e7a748543d314b760f3d36a1d9eb8

SHA256
3b93f285f263d55519c2aabe5ef2ce69d950e83de588502192cd50944df08eff

SHA512
77290ddbdd9e845241c850c80c16a8f03f9a4485082fce81a42bff7320587ca33a14d7709bfecc1c0e6ea8c65ffa2a36518306eedba3a9a6a1eee319f32ae75b

Download Submit
C:\Users\Admin\Downloads\Setup.exe

Filesize
1.7MB

MD5
46a22f0849344f152364d921c3c28435

SHA1
44fb399a95aaddd99270fe73a8705f53c0f73b72

SHA256
1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2

SHA512
a992ece8155f66b7d3ccf801961ae69af857dc7366bf096805700ce69e5305867db9c5b346074e14d83292daa7a72be5c2becf58565305684adc3bb9f0942e32

Download Submit
C:\Users\Admin\Downloads\Setup.exe

Filesize
1.7MB

MD5
46a22f0849344f152364d921c3c28435

SHA1
44fb399a95aaddd99270fe73a8705f53c0f73b72

SHA256
1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2

SHA512
a992ece8155f66b7d3ccf801961ae69af857dc7366bf096805700ce69e5305867db9c5b346074e14d83292daa7a72be5c2becf58565305684adc3bb9f0942e32

Download Submit
C:\Users\Admin\Downloads\Setup.exe

Filesize
1.7MB

MD5
46a22f0849344f152364d921c3c28435

SHA1
44fb399a95aaddd99270fe73a8705f53c0f73b72

SHA256
1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2

SHA512
a992ece8155f66b7d3ccf801961ae69af857dc7366bf096805700ce69e5305867db9c5b346074e14d83292daa7a72be5c2becf58565305684adc3bb9f0942e32

Download Submit
C:\Users\Admin\Downloads\Setup.exe

Filesize
1.7MB

MD5
46a22f0849344f152364d921c3c28435

SHA1
44fb399a95aaddd99270fe73a8705f53c0f73b72

SHA256
1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2

SHA512
a992ece8155f66b7d3ccf801961ae69af857dc7366bf096805700ce69e5305867db9c5b346074e14d83292daa7a72be5c2becf58565305684adc3bb9f0942e32

Download Submit
memory/2484-204-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-196-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-198-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-195-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-202-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-203-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-205-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-206-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-208-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/2484-207-0x000002AA07A60000-0x000002AA07A61000-memory.dmp

Filesize
4KB

Download
memory/4568-12-0x0000000009730000-0x00000000097A6000-memory.dmp

Filesize
472KB

Download
memory/4568-7-0x0000000007EF0000-0x0000000007F02000-memory.dmp

Filesize
72KB

Download
memory/4568-17-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/4568-16-0x00000000099C0000-0x0000000009A10000-memory.dmp

Filesize
320KB

Download
memory/4568-1-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/4568-2-0x0000000008160000-0x0000000008704000-memory.dmp

Filesize
5.6MB

Download
memory/4568-3-0x0000000007C60000-0x0000000007CF2000-memory.dmp

Filesize
584KB

Download
memory/4568-4-0x0000000007E00000-0x0000000007E10000-memory.dmp

Filesize
64KB

Download
memory/4568-15-0x000000000AA60000-0x000000000AF8C000-memory.dmp

Filesize
5.2MB

Download
memory/4568-14-0x000000000A360000-0x000000000A522000-memory.dmp

Filesize
1.8MB

Download
memory/4568-13-0x0000000009710000-0x000000000972E000-memory.dmp

Filesize
120KB

Download
memory/4568-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4568-11-0x0000000008820000-0x0000000008886000-memory.dmp

Filesize
408KB

Download
memory/4568-5-0x0000000007E30000-0x0000000007E3A000-memory.dmp

Filesize
40KB

Download
memory/4568-6-0x0000000008D30000-0x0000000009348000-memory.dmp

Filesize
6.1MB

Download
memory/4568-19-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/4568-8-0x0000000008020000-0x000000000812A000-memory.dmp

Filesize
1.0MB

Download
memory/4568-9-0x0000000007F50000-0x0000000007F8C000-memory.dmp

Filesize
240KB

Download
memory/4568-10-0x0000000007F90000-0x0000000007FDC000-memory.dmp

Filesize
304KB

Download
memory/5824-197-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/5824-191-0x0000000007FC0000-0x000000000800C000-memory.dmp

Filesize
304KB

Download
memory/5824-190-0x0000000007EF0000-0x0000000007F00000-memory.dmp

Filesize
64KB

Download
memory/5824-189-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/5860-114-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/5860-113-0x0000000007FA0000-0x0000000007FEC000-memory.dmp

Filesize
304KB

Download
memory/5860-107-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/5860-106-0x00000000733C0000-0x0000000073B70000-memory.dmp

Filesize
7.7MB

Download
memory/5972-194-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download
memory/5972-193-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/5972-209-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download