redline | b761861f7b9817ca62cf48c54f304631c90922bf8760de3724c63e4f067dd542

Resubmissions

05/10/2024, 17:58

241005-wkfeyaybkl 10

Analysis

max time kernel
20s
max time network
28s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/10/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FoxGPT.exe
Size

11.7MB
MD5

70ae44c33f2bc89e0b1aa4c1e616579d
SHA1

996071535f9ced7df27e676a96a41c4887dd285f
SHA256

b761861f7b9817ca62cf48c54f304631c90922bf8760de3724c63e4f067dd542
SHA512

d5922b50e5a290ae9fd49270d8c68dc51e32929d9f67bef4e84a0a27f34997949eeaa5d20a353de04848dee96850a205cb44a6eaf12bc30ee37c28e49547628c
SSDEEP

196608:chgRB5tz81kUt6UxwDyIgOxJia1xR2F6+x9yfKDDGdTq1JLZcdxD:cm9O6U4yIgCJiU2DbDrJLZy

Score

10^/10

redline spotifychecker2 defense_evasion discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

SpotifyChecker2

172.205.128.102:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000002a9ea-4.dat	family_redline
behavioral1/memory/4492-13-0x00000000005C0000-0x0000000000612000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4492	CrunchRo.exe
3040	CrunchRo.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrunchRo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foxGPT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrunchRo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FoxGPT.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1956	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1956	1592	FoxGPT.exe	78
PID 1592 wrote to memory of 1956	1592	FoxGPT.exe	78
PID 1592 wrote to memory of 1956	1592	FoxGPT.exe	78
PID 1592 wrote to memory of 4492	1592	FoxGPT.exe	80
PID 1592 wrote to memory of 4492	1592	FoxGPT.exe	80
PID 1592 wrote to memory of 4492	1592	FoxGPT.exe	80
PID 1592 wrote to memory of 2344	1592	FoxGPT.exe	81
PID 1592 wrote to memory of 2344	1592	FoxGPT.exe	81
PID 1592 wrote to memory of 2344	1592	FoxGPT.exe	81
PID 2344 wrote to memory of 3516	2344	foxGPT.exe	82
PID 2344 wrote to memory of 3516	2344	foxGPT.exe	82
PID 2344 wrote to memory of 3516	2344	foxGPT.exe	82
PID 2344 wrote to memory of 3040	2344	foxGPT.exe	84
PID 2344 wrote to memory of 3040	2344	foxGPT.exe	84
PID 2344 wrote to memory of 3040	2344	foxGPT.exe	84
PID 2344 wrote to memory of 4608	2344	foxGPT.exe	85
PID 2344 wrote to memory of 4608	2344	foxGPT.exe	85
PID 2344 wrote to memory of 4608	2344	foxGPT.exe	85

C:\Users\Admin\AppData\Local\Temp\FoxGPT.exe
"C:\Users\Admin\AppData\Local\Temp\FoxGPT.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
  "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
  "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3516
- - C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
    "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
    "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
      4⤵
      PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
      "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
      "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
      4⤵
      PID:2156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        5⤵
        
        PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        5⤵
        
        PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        5⤵
        
        PID:2184
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        6⤵
        
        PID:4324
      - C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        6⤵
        
        PID:4232
      - C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        6⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        7⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        7⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        7⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        8⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        8⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        8⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        9⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        9⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        9⤵
        
        PID:488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        10⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        10⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        10⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        11⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        11⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        11⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        12⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        12⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        12⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        13⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        13⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        13⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        14⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        14⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        14⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        15⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        15⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        15⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        16⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe"
        16⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\foxGPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foxGPT.exe"
        16⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AagBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAaQBoACMAPgA="
        17⤵
        
        PID:6300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5236
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {946dd83e-ce66-4ee2-b96f-661ec1d4a4bf} 5412 "\\.\pipe\gecko-crash-server-pipe.5412" gpu
    3⤵
    PID:5752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59d03dcd-327d-40a9-b814-c9d1ccf50b96} 5412 "\\.\pipe\gecko-crash-server-pipe.5412" socket
    3⤵
    PID:5888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2984 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40fa031c-d6aa-438a-b30a-e228fb2b64f0} 5412 "\\.\pipe\gecko-crash-server-pipe.5412" tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd1f3847-63ef-4936-928d-5267b800270f} 5412 "\\.\pipe\gecko-crash-server-pipe.5412" tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4344 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4340 -prefMapHandle 4336 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cce29e7b-5170-40ed-b038-8df4765fd9ca} 5412 "\\.\pipe\gecko-crash-server-pipe.5412" utility
    3⤵
    PID:6720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6064
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8ae7f9d10a91289950ee0d3e11b03904

SHA1
99bf9328cb81ab6bee94b0df695d5ae019547415

SHA256
d7eed66f4c1aa75460f5ca206ec5fdf29f74abf03df8a047af90d89048c23632

SHA512
1c40a75a368d654b5bb58aa76fa78e4cd23399a1a90b0d5bd7ab8c3b52d6b77a95f620de740c89242797e92b1103b4a922f8137f017f680ff891d17e7a3ec61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrunchRo.exe

Filesize
300KB

MD5
6fe4f3c4d2344b5897f113d9b4db144a

SHA1
e903dd65d9cef948405d94ae30b3cee6c29a1d03

SHA256
e79ff7545b40f2afa245ffc75b660300417d20a7ebb81475288268b0d46a3d62

SHA512
442ffdd7bb87a8c57262c63e3fafe075121963e3fad9fa2ebe27b427321e023168728e952f5546415bd0ba8c214c57ce3aa7bf1b167988e6c8dfea3f9fcb83b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qttfj5um.bmw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin

Filesize
6KB

MD5
542d55504d6d23fdd7a9dafaed7829d0

SHA1
da600f70d56287ff0b3281dd2420962d6f6132a7

SHA256
3dd22bc696e20966957d71f45f3423dbd3222927316601fb3a104ab8585195c2

SHA512
e2732131f6bf12c13c85dac1ac840c5b0b50218893d5acb672835caa475023da26af10780e354936e26297554534b7a09c975faf66970ef9468819588ae9cc5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
9b843f07ffb1dab2981c8f60a11e8690

SHA1
86c726f63383dc5f40e8dc5168dbeee2501ca140

SHA256
910b1ca73629fb5320c570e9f935a9a7ca1bcef858d18b258508ec2684a88193

SHA512
6327a040b072e4838988ef5e71bf5c364166dae3632c0b99fb9b18d0e4644b4f26666caf1742f775549eeacaef61b21b9d28bab2fc4a5feb055d38b51cef7440

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\46031dba-f901-4bcc-84db-b4d0fe18d480

Filesize
982B

MD5
8608c3fd9227d323afd7d853a417a55d

SHA1
9e931940033f7edba3146bf951e47d595034328a

SHA256
7abfe508f15698a649e2775b4a4d0d70acb69473ec400bd1d096804645aaf99f

SHA512
1b7fe26f1bb5aae6a1604dfc5bf25b73a2091ed428f878f67b20b0e9c83d07e2cbb3fa36185a23d354333d9710fec01961b7f331fdb132494935274317b3e9a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\a2d0b531-67fd-49b7-b821-eda3c67202bc

Filesize
671B

MD5
6fb85f151dc04e1829b2912e312ac2f3

SHA1
494cbe7aa182ecc4511d484204b1cb558dc0bd05

SHA256
73bdcf08bb94214d6ee8b6bd28ea593120d77e8afc15123fe8f155521825dd6e

SHA512
f35636e17c5a4031fe5087f57df30f05df60937c43278bf35f9dcd20d781a986917c46608550f0ddbd22f1aeefbaf432e9f66581730fc920468289acd3775c48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\dc8f8c33-6fd5-4729-849a-8a078c1f89ce

Filesize
27KB

MD5
6cb6ebaf8dc5fb5296c7fe603480360c

SHA1
77f37126e3c57b6327c042884fcad2fd2a511889

SHA256
d6a43fd711e0df5862ab86759f3df136098a2a6895ab2ec14e89e6e9311e72f1

SHA512
df1c244c29ad23f4448bfe7ef467775cdba96bf7de9c86b3b28ee76c51cb648685252e79a8be195806a506d06c8e3f4810b0288c896c258dc99193f5dcead2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\prefs.js

Filesize
11KB

MD5
fe621a6f66628aad2c9655ec9464cc7d

SHA1
fc2e45806ff8f7ea51adbc2bf0383b883ae45e9d

SHA256
fd44dd6eebc543a8d6b5ae790c733f006bf27843a42ffe3c7180b292c1f12a98

SHA512
09fb15f28e1e11f2e263371f56875ef6c03f377d55f5b4a9fa93774176886679ba3dca01a0046f035ef7107195dc3cfd2f14ccd39153678bf1625ad0116fe89f

Download Submit
memory/1492-169-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/1956-79-0x0000000006F40000-0x0000000006F4A000-memory.dmp

Filesize
40KB

Download
memory/1956-110-0x0000000007110000-0x0000000007125000-memory.dmp

Filesize
84KB

Download
memory/1956-19-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/1956-11-0x000000007371E000-0x000000007371F000-memory.dmp

Filesize
4KB

Download
memory/1956-12-0x00000000026B0000-0x00000000026E6000-memory.dmp

Filesize
216KB

Download
memory/1956-15-0x0000000004DE0000-0x000000000540A000-memory.dmp

Filesize
6.2MB

Download
memory/1956-20-0x0000000004D60000-0x0000000004DC6000-memory.dmp

Filesize
408KB

Download
memory/1956-158-0x000000007371E000-0x000000007371F000-memory.dmp

Filesize
4KB

Download
memory/1956-45-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/1956-57-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/1956-56-0x0000000006B80000-0x0000000006BB4000-memory.dmp

Filesize
208KB

Download
memory/1956-66-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/1956-67-0x0000000006DC0000-0x0000000006E64000-memory.dmp

Filesize
656KB

Download
memory/1956-76-0x00000000074F0000-0x0000000007B6A000-memory.dmp

Filesize
6.5MB

Download
memory/1956-77-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

Filesize
104KB

Download
memory/1956-21-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/1956-139-0x00000000071F0000-0x00000000071F8000-memory.dmp

Filesize
32KB

Download
memory/1956-89-0x0000000007140000-0x00000000071D6000-memory.dmp

Filesize
600KB

Download
memory/1956-98-0x00000000070C0000-0x00000000070D1000-memory.dmp

Filesize
68KB

Download
memory/1956-109-0x0000000007100000-0x000000000710E000-memory.dmp

Filesize
56KB

Download
memory/1956-112-0x0000000007200000-0x000000000721A000-memory.dmp

Filesize
104KB

Download
memory/1956-23-0x0000000005640000-0x0000000005997000-memory.dmp

Filesize
3.3MB

Download
memory/2420-206-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/2552-100-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/2796-224-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/2892-121-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/3264-187-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/3284-498-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/3516-80-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/4208-242-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/4324-130-0x0000000073FF0000-0x000000007403C000-memory.dmp

Filesize
304KB

Download
memory/4492-159-0x0000000073710000-0x0000000073EC1000-memory.dmp

Filesize
7.7MB

Download
memory/4492-22-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/4492-36-0x00000000060C0000-0x000000000610C000-memory.dmp

Filesize
304KB

Download
memory/4492-17-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/4492-35-0x0000000005F40000-0x0000000005F7C000-memory.dmp

Filesize
240KB

Download
memory/4492-16-0x00000000054C0000-0x0000000005A66000-memory.dmp

Filesize
5.6MB

Download
memory/4492-14-0x0000000073710000-0x0000000073EC1000-memory.dmp

Filesize
7.7MB

Download
memory/4492-13-0x00000000005C0000-0x0000000000612000-memory.dmp

Filesize
328KB

Download
memory/4492-33-0x0000000005FB0000-0x00000000060BA000-memory.dmp

Filesize
1.0MB

Download
memory/4492-34-0x0000000005EE0000-0x0000000005EF2000-memory.dmp

Filesize
72KB

Download
memory/4492-32-0x0000000006350000-0x0000000006968000-memory.dmp

Filesize
6.1MB

Download