Analysis
-
max time kernel
299s -
max time network
302s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-de -
resource tags
-
submitted
23-11-2024 20:15
General
-
Target
GitHub.Installer.zip
-
Size
20.0MB
-
MD5
14871c98f75a900ac3b41c9091b0484d
-
SHA1
5849d6ab6cc59560a5857267953e98071bd3ae55
-
SHA256
403d0422e6db9adbfc47a7056e3946737b7e76fe097c4c43d4906fe167a5e75a
-
SHA512
7c3b8d3fac4357e03d68147dde1aebc0cd3253b31a592a5bb1fd94dd60b192d89961f9d4573e144e82d023b5945aafcee61955cea657d8aba959465610ade40e
-
SSDEEP
393216:dXz7pLcn49wQSjauUux6BjNNXfGNHaBso4ZiYj6ZvfQ89HbZ+:dXY4GQSjaPLjNNXO621TUf79HbZ+
Malware Config
Extracted
redline
@Sentak88
45.15.156.167:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 14 IoCs
-
Redline family
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 23 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 49 IoCs
-
Drops file in Windows directory 15 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 17 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 11 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\GitHub.Installer.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 8842⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2304 -ip 23041⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GitHub.Installer\Instruction.txt1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3832 -ip 38321⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\GitHub.Installer\Engine.js"1⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 8802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1404 -ip 14041⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffac447cc40,0x7ffac447cc4c,0x7ffac447cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1968 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2200,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3728 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4072,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5264 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4396,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4756,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5256,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5348,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5340,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5496 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3556,i,7295940247920419803,10128868832872394280,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Users\Admin\Downloads\VC_redist.x86.exe"C:\Users\Admin\Downloads\VC_redist.x86.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\Temp\{32140EFA-7E64-4BC7-930F-8C59934DB604}\.cr\VC_redist.x86.exe"C:\Windows\Temp\{32140EFA-7E64-4BC7-930F-8C59934DB604}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x86.exe" -burn.filehandle.attached=716 -burn.filehandle.self=7202⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Temp\{DD7D8969-CC62-472B-B764-BE9688E8BBAE}\.be\VC_redist.x86.exe"C:\Windows\Temp\{DD7D8969-CC62-472B-B764-BE9688E8BBAE}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{89E1196E-1570-4850-AE57-2868E980D236} {287B24BC-3595-4ECC-BB4F-5EA35F3861A3} 48643⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=1216 -burn.embedded BurnPipe.{CFB8C2DB-4103-42D6-BB41-C23660722139} {D687EE56-3C53-4A6F-B92D-D4A797A8CCD7} 39724⤵
- System Location Discovery: System Language Discovery
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=1216 -burn.embedded BurnPipe.{CFB8C2DB-4103-42D6-BB41-C23660722139} {D687EE56-3C53-4A6F-B92D-D4A797A8CCD7} 39725⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9831F514-2C14-4BCD-A213-F4966118A5A8} {902885B0-00D3-42E5-9FD6-817266064963} 22486⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4108 -ip 41081⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 8802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4496 -ip 44961⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2268 -ip 22681⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 768 -ip 7681⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2848 -ip 28481⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4264 -ip 42641⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3868 -ip 38681⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2188 -ip 21881⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4864 -ip 48641⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1116 -ip 11161⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GitHub.Installer\Config\_conf.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 8802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2728 -ip 27281⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2960 -ip 29601⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 8642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3780 -ip 37801⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 8682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2436 -ip 24361⤵
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"C:\Users\Admin\Desktop\GitHub.Installer\Launcher.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD562f9e6cc9787aab22112c28d7abe210e
SHA17359f68006a6ea41ac12d41e69e3e7eb225314d3
SHA256b6dee70874847e22a5ceb5e68dfc916ae6dd4d6ff8735e1f50d3980e775d995b
SHA512dbe83d6bee4d076b66dbeb8616d6fb01f8da4e8fc0432078dca3611d0604a7b28887bd0848d68f994ac9dedd21eb6b9a1cddafab81fa590c96f23b54b87ead50
-
Filesize
18KB
MD506730e1ae3d5321bb9dc1b91a5a8da74
SHA1a2a403be1eaf1f001489257c698557f2c2e4529c
SHA25649b41c10585337705a812d125a18c7d25edbab2286dca7045d82abce57b56976
SHA512b4fae653dd9f0b15ad10de7192b3a8759542714a383148ffa901e46c6568f042b15229f96be11a5bfbde79a837267931cec58ae8eb93087272c5076b19f289cf
-
Filesize
20KB
MD50ecc2208bc5eed45dcb887baac7c2f65
SHA165c99710caa96bbaae30b844c90e245289fd5b04
SHA256d53266e66c141ace6f7bfad0ba2d1fa69da8c2f291ac9f51f475ca7baed51e49
SHA512194c9c030fcabe463c5e7446ed41986233a009de1dfc8e5939689806cb6958ee600a5826a7c824555cc428017f19c0a0e678c4e23cc56faa5460a4497344bd19
-
Filesize
19KB
MD5a200687ec6bfc323423c7cbf872f4e47
SHA144f8f085e88421a4c9b7b774a43209b9413a3913
SHA256e7e0c62886f3c4d613df56697c8b3129424afe59f0726f7121d51bdc13f5c898
SHA5127b263685a2cc1d68b370589e7942e8855abf20fe30be24853d51695ee13b48ae7accde900a96580698f9fd03d495cc6babe87c9cb6b1152d6b918b35eaaaed6c
-
Filesize
649B
MD53295758722894f255bdc4f8c0c41829c
SHA132c4aaf87874ef51eaee6e1e6743b5c8f94ae0f2
SHA256c2b602eaea4810ca93fb6b512939004033aba1f7f0f99465c008965f005edd24
SHA5129806a97e756e9ef98d646bad4df3e4547ae62019bde861099a88763527454ecaa574164f0071b2a13ac7beef5235dc772dbc31be1565dedf43a4218e168420ce
-
Filesize
432B
MD5fc4faaee4c3ca73f028178551a0d5be7
SHA1fa3ac1d8ed5ef310bfa0fa1c96ada130d7cc8177
SHA256d0b82b5cadf453171c0532cbb69d49cea7020262575258403e2024727aca7ef3
SHA512a17ee4dbddf0973d671f5de0afb8feb36fb75c5301162600b506d8150cf34c725dfddb69f0ba6d4b275ec798e0159a1d84cec9a1034d608977105c32eee77ba1
-
Filesize
4KB
MD5f20a20bf8f569898ee2401d413e11d5c
SHA1d42c9971c6ff6515f70cdf85bc1686239a91fde0
SHA256da42861a62035dd0d9b27060b4d49b64660cdea0bb803571254244e1e960512b
SHA5124f1c9600fa52f97ff8028a2233709170be16007a9271e774c3984db5af8585357a6b6ae5b1ec0b5a04ef0ec3c617d20e802e9a2f4952417113055a4780f64e23
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5109cba301118fa94ea4c74791af0850f
SHA10e55a870f9b9a419335c13988f6e786b1b4c6d21
SHA256b15bb7a693f08b53f3f5f265805249f581181db9de002054c1aa50d500d5205e
SHA51274f9852ad7be4ef9e0ede8a6fcf2428c73ded9826c6e178b0fbc2f2130c93d4c3c1811b4580e1fdf64995026a20623a23296572d93f9c8312734229d05bb04ec
-
Filesize
858B
MD5bd6645a06004528eb85b8df2fe99d26a
SHA186bd86003aff897fa1030fb160f890cd12cdbf9f
SHA256cc0af77db50e032c57b9503cf63e9d4b88972bd69537d2881bdaca34c798f175
SHA512cecab43afe595ef48a76a1db3a55bc27d42ccbfc1e2629215db9fca65c7795755326dc57f6cd45ac1b7d4a2f2d5af7f2d0ac72b87d8fa2b773b7fabe9f55f965
-
Filesize
691B
MD55d4c34e8ca0afb1aab4d96c1a4d82ba1
SHA10bb3a34be7d56b7adaae5e5c1a028bda1a42a425
SHA256398d63556d38d766cbffe15bcb47a1a9f4f0339e52e0e46d11580a10fd9828d5
SHA51212144807de4e422d7ead214ff22ce76ed2f3449f0da4a07e2ef0ea086f6ab1f7e0e3c1aed5babd9b1334e3589a6259a68096522d22ecfe53fd5f0531d3eaddce
-
Filesize
9KB
MD5db29fecba0b0faf051f2aaedce717256
SHA1efc733803cc59d231048fbcee3ddc3fadc0d5d13
SHA256eb1072e1dbd0ae5435a41e88b810a6bd40fbf141e9b6ee52d183e128a917b5b4
SHA512daf2d1069d817ab6019fb2baf0e5dd5ec5ee7909c57230aa471e06c2ea07101e7852a43fa56ec50fe3e52a275cd7a0d1a1e82a88159db969f48ce98b9d193caa
-
Filesize
10KB
MD59fb35f2071fefab023f659b1147d4d10
SHA1fb0954ae97f54a00780a27f3e33569ccb811240b
SHA256295ff9d63d2bfadb68adbd99075463fc14304298e2f5a076c59450d3cbf76ce2
SHA512395dd8a0cb86829da33c39484babbd49d7948cf90811774a8b107368f2e78d801a60ed8655f472233215929b45344f19a28f53ddb66df881c545e79e907f2d78
-
Filesize
10KB
MD57025930febec15a41746040d0e431672
SHA11a13187aa1664c796dcd409ab5bba3c795c4a5b7
SHA2569d658b5cdf1624b10a3923a0b54fae5fc420f723548e3c18f20470809f9d7364
SHA512a19cd8732c4465332d0146ae57f4262428ab0024778112d72bd79c1187f1e91f6beaeb0d49c792160d6eae692057c43f967c5b431c503f47c8654dedd5d0ac54
-
Filesize
9KB
MD55bd05d73d91823437d4c29bb1e189cf5
SHA18a7659cf622d4080ca2da3d0fccd9c7b1daddf33
SHA256d369fcf6f51b052de55a363cc4c1a41e12150d8fc88e0d1c97a156a2931a89b3
SHA5120edb89d4637718769a6d2e65203009cd42a3fc649290e81371d93afcc63c0c174ca685f9f8286df3a39de3fadba7f6422cee0b3e6cb5a6f4b9f574131fbb92dd
-
Filesize
10KB
MD5c3f1c34170526db163a2e12e530e764d
SHA1d89f57e13b823a358a74ad227eac8136a51c286c
SHA25624d29d7ba658047925c61af0901a69ab590fae4f754acda7beb0ff592c4e3070
SHA51251817bd43bfb149d70b6ddc323312eb0cc63c995d2cef65ad5167b73ae04c2f6b26c080503ecf5cb1aa99f09c995a2c8e636436a634ad12bf67f78f60137556d
-
Filesize
10KB
MD5f3645a07fc5ff296c6cbe8d689711d1f
SHA19235ab7f1bc911bb7b30659a9ff578db7bfa4680
SHA256cfce90a93adf429577c4c8c30623664ed668f931ddb850aeb0b0a3b999f35094
SHA5127cb814485035c0f08737d5c3dc430d5cabd288a89db69e75e289e31a4ace4586556c1b0ba81d66bbf838e387c5290fc17fdc2b1967b8d13f12853b0791f580c5
-
Filesize
10KB
MD5948b1b9ebd6b2e1b8f5e9dd297403f07
SHA124b845190e493107c63801492996678f2cb51cc8
SHA2562af2a8a176781d6a494f7adc5308832281f9d7b11419556060c838ca8e546a67
SHA5120aa826ec176990f4c4f02e3930efb755fecb447486f9ac37a373a3002be0cb3dd0443e4f08b4cc4e2490f2db48a4faede120b2da6dd1d780b6c397cb79331431
-
Filesize
10KB
MD52658c6c6f9f56fb093ec03d879598a0f
SHA1c093e1e43e7e171cf0f39467654c945da6d3906f
SHA25608a4e219768c090268f1301626aac99a710c63ba44c8630fed7ac000466e38cb
SHA512dda896d04e036deea77f043aa12f4608df562b6b3f7ed22e0a583ee33790c3f04d6b0002ce5ef9f569ecfee92c0f4f8929ddf6ecb9ae2ed1ac79dac35bf5dc5d
-
Filesize
10KB
MD561f4359451049393bb82ce6d1fc10612
SHA12b9a06a7bb08953d4e02835d06c83145280f4c21
SHA256e6086849809a6efce96995cc786a848b97b7617199ac20e50a634ac012bc1358
SHA512f311a7e157bd2fdd8048df7e72aea3f51217d16b7a298645d31ffb26b414932a7906dd4bc83ec1d891c62a6ab65e54fccfd442fa0827649d6b6397173a0164cd
-
Filesize
15KB
MD5f590bce48b93e6fdd38db494afcd7165
SHA13b1d98c181e945358ef26c357a0b618ddf9bc06e
SHA2566729dae825aaad672497498018cc153fbe6a7d1c1f6aa0452c651460af9ef5ac
SHA512e65a5305dff3e431b6038b8f9a7ddaa5a7de06d2d9003da06b0fe3c744d6c9b7a20c8cb727ef9a5385b27e28f4db22bf6b792acd91003d607004770f75d87b0b
-
Filesize
234KB
MD5ddaef564102cd55cb688d51dc100a28d
SHA14d3b769c7f35cb475e056b077e03d1cc3e9d7423
SHA25607456a8bdc32a16fc9e6a211e77c7c40b8e5b5a5059cf7ac0f298ced817fa1b6
SHA51275b8ba79370e641a00a28df6dd22472d64c4b20f63e84c7eac000325d6691ec404739cb35cc0471e8112b4dfe9f861e9d93d41b480fddc7c5560d83c5d9a868a
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
2KB
MD507751d97d556d73b0dfe2fedd1f5529d
SHA14a41e2dd958c98bcfa019a7f856fd48040caa7ef
SHA256e145cbbe89ccc84067f2aa4ef40341d83b6617e51c7809efd63d3fc92f64c6c7
SHA512b9ddec1167652d088406a627c40e1c22544a097adb59c8815b57ca6293c295851d8abd664ca3adb343e8c4ab1765361d1334b32e0708862c1b328e9c54b7bd8f
-
Filesize
2KB
MD59a0f2b2ca8f89b2290f17f21091b1e81
SHA167d592ddfd8e446f67a104b851fa9730e3adf778
SHA256d62e82dd25b9e45a61ff9694599afcf0a5225971b72b7225548c1d6bdc6a38e4
SHA5120b2c010d7de474041d902dcaac2414452c2beccc210f60bc62409bdf2ce02e33f8ae48bd64be8e52f8ba609b64f68ce32f038f35119ac5d33f00241843d735f7
-
Filesize
2KB
MD522bdf9e52c16154b975a8fd776bd796e
SHA185178725fdc0402a81f9fb5e0c2ba0467fc846c2
SHA256a97d4d4ed8d01f5f53189b67c48d408b05476c5ffabd129174c53ac4d5e218d9
SHA512e64c51256044f3f06e3044a53f2ac7079eefe70b3b29bf227f5dc2e0d0f30e8b000c721b5043557fffedb924e2ccdc4abad3dacd8242b45919b00e63a4594baf
-
Filesize
1.7MB
MD5bc647cffd94c397f082fde790cf89ed0
SHA1167d905425eba6c6356caf54366a8478eb4f7ca8
SHA25620c8687e1b6bf93662201372b5f822d7aaabd4ec910049a9284aab0a1cf65807
SHA51211b65b799ee7be287ce84a982f9b07b0d4eecc6147000cfff572442259374109d571360fddf2818659a14801660b55f9a2a63d19d48d4405e5017e7beb1767a1
-
Filesize
665B
MD5020b23309be6ad43a4684be4afa57982
SHA11e3c76c45c4c8c94f275c4c83fe88f3258ca7a7f
SHA2564492460f115876142628b75eee706beeabde5a698c964d6886ef4ac8b945e5e7
SHA512e63f56ddfe0894a60e6b7554c07416ebb27dbb0f3d0ed3259d145071e63ac611d3ea7b277aa5c356b7001ca3b69a521cc3754e5375607f7d3c6325638e2013a8
-
Filesize
823KB
MD51a7c1cdedfe2ec2a02268337359045cb
SHA1b02945f751a0b130ebc3d6bc30bef896cceaea04
SHA2562f2413654c9b24998e670ed4589eb9c43620295aa010f6d4ad1aa707ab2b514f
SHA51209faef200b01d333b91f4a10c51d30f604bc74252727a8f1b5b97487a7034aa0428853494c473e45b1a2ca8876f8bc2d5bf290f6aab7cd1c5317ca09fe4e0845
-
Filesize
2KB
MD548c9fe1757ec5826b0b3b2675a59b0f8
SHA16a4670a34ed716d0264d93051de150365b97ed9e
SHA2562577efea8c9909f139ef4d2c785b6463592bf5214c2b45ac7bf8c1a686947fa6
SHA512314351a0f270291c9ae0ac41fa461e5190b8b8db1affa04c971cdc437cea5925dbfd4fc0124ee39225205fbc20dd3ec635e9761727fa765a85756f9ed95e7014
-
Filesize
13.3MB
MD58a6f4f3282236325360a9ac4413b7bc3
SHA1cb617803813e969be73f2e0e175a67620e53aa59
SHA256dd1a8be03398367745a87a5e35bebdab00fdad080cf42af0c3f20802d08c25d4
SHA5122c1facb8567a052b4fa65d173b0bda64fa5fded2cddb9073b7c28507ed95414c17d2839d06d5e961617c754cda54d6134964b1aff5c9e9cdfbace71f1de2ac3a
-
Filesize
2KB
MD54f1fae46f14d885c56dde9a00f70a18f
SHA1e05ec8abab59d0295f30e7595b792e444180825e
SHA256f5343dd41d28e1b18cdb7dc2b53ec402f015e662cb4955256ab1e4024be389d6
SHA5124fe0fcea4ee158c5a64a42a3c80b2d2508522bed4a4eada21e996fb04a210d51e3769bec23096a799722e2adf242896e6e593bb883acd2ab6f61f8fea7dd1aae
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
669KB
MD5f7aca1ef43beaa02107214482e6b51d6
SHA1fb5cec36519b148119dec501cec92d894eb3b60a
SHA256169b8f7025b301ffce5402c98c07f9e01bbadce52a2961175b777279f92624a7
SHA51282cf5ebaa0a16e229b82e2dd550d7ab76409c89b4cfb7f163d1cce6d156db737ec5a09a3aa832b4076039665a6044aaeca3a6d311f8264492707ae281bbe7443
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
215KB
MD5f68f43f809840328f4e993a54b0d5e62
SHA101da48ce6c81df4835b4c2eca7e1d447be893d39
SHA256e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
SHA512a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1
-
Filesize
842KB
MD5a04f3e3bd8684cf660619e0f6af4d751
SHA12b5b1a39de1faa20d9a5774ec7b27dee5f6fc065
SHA256b31b87a09f3aa2df573050949e87a68eeda01cb80dc974714d0603cea2c0708b
SHA512fb3c081ad9f23661ed6f167ca878469d702f5cb60c15bb6d04c21331b43f8b88d98a680ad74ff5855e4c286260452be9e25b49b5b245d14fa30297cc8add5828
-
Filesize
4.9MB
MD5654f67c3c99d57a0008427141bd1cfc6
SHA160887d57c8910a5034379ddc7a0ad5e2c2bfcde6
SHA256d87d9b997b91f9e375bf3cf994b67882ce21c0fbd4d0c4611dd6f593d4a8f3be
SHA5120f3182a9c923a51f9ffed2e8639f9bcb72ace859c6253aa860a95c2c67c6b9d80d7945042460a7f73e357614b149c9d906c101f800724825279f07902571a064
-
Filesize
200KB
MD595715c58dd2864b361dbd9e651b2f5ad
SHA1c8b19282b7950e7b8e106b5bbccad4fc7b3aa661
SHA256a6447de0d0d5b56b50988ae350432d68e9d83fbb566e2fcaa3f758a2b2574fea
SHA51210eb258d1c1ab690e03fd782316133305530a7a50769263176765862a754dcf5ec258ca5805d2be447a53b29b3557b519a6cec812208d88982201c86ea8d5fb3
-
Filesize
200KB
MD5975e07089d93c2540f0e91da7e1e0142
SHA1e65a155b9f88cabf6fc34111751051f8872f1dc2
SHA25616547c99e9dc8602603beda79bb9099d06b2f0e06273660aaffd3193d82e8bf5
SHA512047ca9eaf996b5b89cedf0f9e9d7544cb8700bba02e10aa90fbd283fdebb2e1ec98295569f145e0dc9bbf3dbd44f64e4d02429cbcdff7e149f2804c135ee2595
-
Filesize
584KB
-
Filesize
592KB
-
Filesize
328KB
-
Filesize
40KB
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
328KB
-
Filesize
476KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
476KB
-
Filesize
328KB
-
Filesize
4KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
10.8MB
-
Filesize
476KB
-
Filesize
328KB
