redline | hxxps://www[.]mediafire[.]com/folder/7hgg0aygtrp9q/arman6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/09/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/7hgg0aygtrp9q/arman6

Score

10^/10

redline @verhsa discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@verhsa

185.215.113.22:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1760-319-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
2828	Salex.exe

Loads dropped DLL 1 IoCs

pid	Process
2828	Salex.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 1760	2828	Salex.exe	101

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4460	1760	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Salex.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133699432525948242"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeShutdownPrivilege	1416	chrome.exe
Token: SeCreatePagefilePrivilege	1416	chrome.exe
Token: SeRestorePrivilege	2888	7zG.exe
Token: 35	2888	7zG.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
2888	7zG.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4864	1416	chrome.exe	73
PID 1416 wrote to memory of 4864	1416	chrome.exe	73
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 308	1416	chrome.exe	75
PID 1416 wrote to memory of 740	1416	chrome.exe	76
PID 1416 wrote to memory of 740	1416	chrome.exe	76
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77
PID 1416 wrote to memory of 1708	1416	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/folder/7hgg0aygtrp9q/arman6
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb49589758,0x7ffb49589768,0x7ffb49589778
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1508 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:2
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2820 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5140 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4428 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5188 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5492 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5784 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5928 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6452 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:8
  2⤵
  PID:68
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1828,i,10517772485315585298,14062877675079693702,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Salex53\Salex\" -ad -an -ai#7zMap25277:84:7zEvent13799
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2888

C:\Users\Admin\Desktop\Salex53\Salex\Salex.exe
"C:\Users\Admin\Desktop\Salex53\Salex\Salex.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 148
    3⤵
    - Program crash
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c86640aaa33658aa24db5a9e946108b5

SHA1
42a8819c961a6db7e165a84bab0781ef72e71d81

SHA256
bad1ea3662cf7bbc1c20e838088b1b20eb1cdc6060eff54f7513c67a6bfd0717

SHA512
5fea5255ffee9a38d99ff112b0ccadccc5c08458ba90d91655a92bbfdb83d921188bd1952893c934467d211b10e6b9f89ae8b4a5fe1a3db1124641f86897fc83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
695d45e6761c6b6ef798b3bb954df09f

SHA1
fd28d5ccccdf79ab7cf04eb34863268b63273d50

SHA256
136c609848b63ccdb60843d3681c6a258c3a4b14b7da479993b206ed67d358aa

SHA512
c43fc7c7a7c326e4b5a926bea72b1e5b7cdf320f59e2bf3e49f0aa3e7200c1b7a6224159a924b97122c2da3ba7040118f7e3596ea2400f69f6deb208f26344a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
18bd098ff7c0b099de65e23a27d3772e

SHA1
4b0e56b6680d29032003808f732ea31abbc3cfe9

SHA256
fbf0a9ff62099492ae3545cb091b985f659d92623e97aed887f1d1a2deaeafcf

SHA512
7a3f1a753e1c8a9f0e4b7813e19f84eee359267ab2469d6383ffa3de2b5a0dac6d691050b90cb3e0808cddd285b12e17c62da5634be73dff58f609b25d3400e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
81e1bb17252cbfe876fd7d8a97c455fb

SHA1
01d66b8e4a04e27e643e000af43a66a529ac6da3

SHA256
24ac71b57bba28df56985ca97e9b18757b535bcfd37cf9b62c4cb163e744ceaf

SHA512
ae298633df0d8b25ac358945e4d69cc76efba7241ff4939765a618b537ccfdd329cd2999172cc791d8c7c61577fd6ceeb655239180e2b7935384057998fcac45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5359c3dd684956987da983fc39d6f3f0

SHA1
598672739485023de035ec038d1f718e50524f76

SHA256
47befc40775a7dec11085a11eca269cc4ebdffe66c402559fa81aacf4932278e

SHA512
eab6ffba925600201e92e2c46187f807bd5b0cbd54074f6c607deecbece69fa6d382b357de3da690346b7fb7be073c390beedfea6d9a0421d706b53ecf8c9b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0e6cbeeb6cf3dcebf3d46f1bef6c3296

SHA1
acfdec57f753c78a23b573135b53773fa280c521

SHA256
2c35393c0d48cc31fb383ac55b65ae41170f4c9d2660fe8d8e5f77fe616ce1c4

SHA512
08e48bb2f790b8535b419c1c85c232c25d9e284a16a9fc24cbd0f74a10a2cf88fb286a71c416d080341e7bcccbe5a14ea1bd02666cf3e02936cde0d509e99985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
39725e8ee7020584e4d380bdb9cce98e

SHA1
a8f4f6bcab5769220232c99d6315fa2d1a67a9d6

SHA256
c6d6eb290e075a206e3b9174013f5a6d32e7cf3ae74165c5919c277319f9becd

SHA512
838f45a1574a40a307741e35dbb45014ee365ed1e4480bb6ad977beb06c3adbc9a3aa83286ee5f2e380472420f7b88ca282fb61e81581d4233e0c50bf149f9fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
54c579beee000621e99e3a361b2d2a56

SHA1
29b18edc060f216140ea7f6d88cbcf3335b9a337

SHA256
5a102d348a0a7b2aa6ae823e1df6dc990505b6ba2e1059245e25a2c7052ef672

SHA512
1c8f93bc48b2962d3ef5c61b9e7ab37628a17af2309440ba02feb4b6821eec8afd7801a46dab8e26a754f19dc38c739e21ce12d0f1c755deed0df087f35b3987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
566ff39b0489e8ca1df4bfd2555a7c3f

SHA1
ceb86d41c0ba5a429e880098379ed868d83071f9

SHA256
7c1bf18058e494581a0508cdf4b9e4839a01c2459867f56736d01ce61a6673b6

SHA512
764780b3a0f3f2053f7812f046a2b92d651ca20a9c4ea4ee737c3070f96abe23ae09e0b088d0df978f21cf7cb9151cf80477efafc3a783179855c4e1f899cbfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Desktop\Salex53\Salex\Salex.exe

Filesize
265KB

MD5
47c30cd4a77e26c29a7c9c26a8355667

SHA1
2870d053444148bf66ab7c9350af9ab741e8ffdb

SHA256
cd14593d6a9b0addcaca4f8aa9f563b6660be7c54fa599bc0de128c4634b76d1

SHA512
a6b28fe6c72e3aeda3aa66a22cca1482eadcff0771bdcbbdb8af6dd06bb0818703c6d9d0582cccb335b3ae28a0afe78b0261ebe00a9b80de2fc5b7d15c48a863

Download Submit
C:\Users\Admin\Desktop\Salex53\Salex\msvcp140.dll

Filesize
585KB

MD5
fa6b5db4fae46f0da42a7730ae2fb587

SHA1
d235833e3f9e7153536e876f76061550d5a2ccfc

SHA256
96873e7714a31d679965f2f86be0c41ad48225ef33b1dfd92f40c45f213c0150

SHA512
1aa2fc3c4750331389885bf2bc887d86eae762789292340264fdfc90088f426c35aab0fb2768ee1859c1b12d59d932150f96ee208db748157c689aedaf685940

Download Submit
\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
585KB

MD5
b9add402cd09e4a31ca0c4d10ef88dac

SHA1
c2174a4e8d944d0f35e0b8f241e82db13c43ee5c

SHA256
aa1bcc1b371f7f769ceb70d5631df2da199b2b57d2e92490637159c7369a98de

SHA512
0e473dd4fade3a44d7555238df6a591e93761c1d290783635c21e6ccba7b90ecfbc4d4db20c231a87a20d927624e5654c043dbaf47c5b8d301f6998172dcd9ea

Download Submit
memory/1760-319-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download