Analysis
-
max time kernel: 142s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-04-2023 03:54
Static task: static1
General
-
Target: 9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440.exe
Size: 1.0MB
MD5: 87874bc904cc52e48417551412bc38be
SHA1: a6b163b7c4a7c39894b0f517ebe3b59671685b7d
SHA256: 9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440
SHA512: 91819c05281992f0e17635a366312b4743a402018ba94f682d870f0e4cac25deb460a22cd94dd68e39d23400f53a96822874d88ab0861a11777af15279023df0
SSDEEP: 24576:JyeD2l8/AKObxNGuERW4uSZJjRlolrsp4jaj:8eD2YA5sY4uSfdlohy
Malware Config
Extracted
Family: redline
Botnet: lada
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba
Extracted
Family: redline
Botnet: disa
C2: 185.161.248.90:4125
auth_value: 93f8c4ca7000e3381dd4b6b86434de05
Both configurations point at the same C2 endpoint and differ only in botnet ID and auth_value, i.e. two RedLine builds bundled in one dropper.
Signatures
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
Registry changes made by it197223.exe (signature name as attributed to this process in the process tree below):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
These five policy values together switch off real-time scanning, behaviour monitoring, on-access scanning and download (IOAV) scanning. On a host where Tamper Protection is enforced the writes may not take effect; the write attempt itself is the detection signal.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (jr798582.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (lr635937.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (oneetx.exe)
Executes dropped EXE 10 IoCs
- PID 1148: ziZV6295.exe
- PID 2940: ziwF2872.exe
- PID 3876: it197223.exe
- PID 3836: jr798582.exe
- PID 3940: 1.exe
- PID 4712: kp671016.exe
- PID 3016: lr635937.exe
- PID 2304: oneetx.exe
- PID 2180: oneetx.exe
- PID 1596: oneetx.exe
Loads dropped DLL 1 IoCs
- PID 2020: rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Windows security modification 1 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (it197223.exe)
The same process that disables the Real-Time Protection policies above also attempts to turn Tamper Protection off, so that those policy changes stick.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (ziZV6295.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ziZV6295.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (ziwF2872.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (ziwF2872.exe)
The wextract_cleanupN values are the standard cleanup entries written by IExpress/WEXTRACT self-extracting packages: advpack.dll's DelNodeRunDLL32 deletes the IXP00N.TMP extraction directory at the next logon. The three entries therefore show three nested self-extractor layers (IXP000, IXP001, IXP002), not a persistence mechanism; the persistence on this page is the scheduled task created by oneetx.exe below.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a RedLine infostealer, drive enumeration is more consistent with locating files and wallets to collect, and no file-encryption activity appears anywhere in this report.
-
Program crash 32 IoCs
WerFault.exe instances (pid) grouped by the process they handled (pid_target, procid_target):
- target 3836 jr798582.exe (procid 81): WerFault pid 1200
- target 3016 lr635937.exe (procid 89): WerFault pids 3568, 4968, 3104, 1112, 960, 1508, 3652, 728, 904, 1380
- target 2304 oneetx.exe (procid 108): WerFault pids 316, 532, 1280, 3792, 3464, 3616, 384, 3884, 3468, 2024, 2784, 4976, 3836, 4440, 4708
- target 2180 oneetx.exe (procid 137): WerFault pids 1056, 1952, 4256
- target 1596 oneetx.exe (procid 151): WerFault pids 4348, 4712, 4364
Two of the WerFault pids (3836 and 4712) had earlier belonged to jr798582.exe and kp671016.exe; Windows recycled them after those processes exited. When correlating rows across the tables, match on procid_target (the sandbox's unique process id), not on the PID.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1156: schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 3876: it197223.exe (2 events)
- PID 3940: 1.exe (2 events)
- PID 4712: kp671016.exe (2 events)
Suspicious use of AdjustPrivilegeToken 4 IoCs
- Token: SeDebugPrivilege, PID 3876 it197223.exe
- Token: SeDebugPrivilege, PID 3836 jr798582.exe
- Token: SeDebugPrivilege, PID 3940 1.exe
- Token: SeDebugPrivilege, PID 4712 kp671016.exe
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 3016: lr635937.exe
Suspicious use of WriteProcessMemory 29 IoCs
Parent (pid, image) wrote to child (pid, procid_target); the sandbox records each spawn as two or three write events:
- 1536 9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440.exe wrote to 1148 (procid 77), 3 events
- 1148 ziZV6295.exe wrote to 2940 (procid 78), 3 events
- 2940 ziwF2872.exe wrote to 3876 (procid 79), 2 events
- 2940 ziwF2872.exe wrote to 3836 (procid 81), 3 events
- 3836 jr798582.exe wrote to 3940 (procid 82), 3 events
- 1148 ziZV6295.exe wrote to 4712 (procid 86), 3 events
- 1536 9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440.exe wrote to 3016 (procid 89), 3 events
- 3016 lr635937.exe wrote to 2304 (procid 108), 3 events
- 2304 oneetx.exe wrote to 1156 (procid 125), 3 events
- 2304 oneetx.exe wrote to 2020 (procid 146), 3 events
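The signatures above map directly onto host-telemetry detections. The following Python is an added example, not part of the sandbox report and not code from RedLine or the sandbox vendor: it encodes four rules read off the tables (the five Real-Time Protection policy values set to 1, TamperProtection set to 0, a schtasks task that re-runs a binary from a user-writable directory every minute, and rundll32 loading a DLL out of AppData\Roaming) and runs them over constructed registry and process events that mirror the report's rows, plus a RunOnce wextract_cleanup entry and two constructed benign controls that must not fire. The event field names (`type`, `process`, `parent`, `key`, `data`, `image`, `cmdline`) are an assumption; map them onto your EDR or Sysmon schema before reuse.

```python
# Added example (not from the sandbox report): turn the signatures above into
# detection rules and run them over constructed events. Field names on the event
# dicts are an assumption; map them onto your EDR/Sysmon schema.
import re
from dataclasses import dataclass

# Real-Time Protection policy values it197223.exe set to 1 (compared lower-cased)
RTP_POLICY = r"\policies\microsoft\windows defender\real-time protection"
RTP_VALUES = {
    "disablebehaviormonitoring", "disableioavprotection", "disableonaccessprotection",
    "disablerealtimemonitoring", "disablescanonrealtimeenable",
}
TAMPER = r"\microsoft\windows defender\features\tamperprotection"
# Locations an unprivileged user can write to; the payloads here ran from Local\Temp and Roaming
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
SCHTASKS_TR = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
RUNDLL_ARG = re.compile(r'rundll32\.exe"?\s+(.+?)\s*,\s*(\S+)', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def check_registry(ev):
    """Defender tampering: a Real-Time Protection Disable* policy set to 1, or TamperProtection set to 0."""
    key = ev["key"].lower()
    path, _, name = key.rpartition("\\")
    if path.endswith(RTP_POLICY) and name in RTP_VALUES and ev["data"] == 1:
        return Finding("defender_rtp_policy_disabled", ev["process"], name)
    if key.endswith(TAMPER) and ev["data"] == 0:
        return Finding("defender_tamper_protection_off", ev["process"], key)
    return None


def check_process(ev):
    """Persistence and loader patterns seen under oneetx.exe in the process tree."""
    image, cmd = ev["image"].lower(), ev["cmdline"]
    if image.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        sc = re.search(r"/sc\s+(\w+)", cmd, re.I)
        mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
        tr = SCHTASKS_TR.search(cmd)
        target = (tr.group(1) or tr.group(2)) if tr else ""
        # A task re-running a binary out of Temp/Roaming every N minutes is the oneetx.exe pattern
        if sc and sc.group(1).lower() == "minute" and USER_WRITABLE.match(target):
            every = mo.group(1) if mo else "1"
            return Finding("schtasks_minute_user_dir", ev["parent"], f"every {every} min: {target}")
    if image.endswith("\\rundll32.exe"):
        m = RUNDLL_ARG.search(cmd)
        # rundll32 on a DLL in a user-writable directory (clip64.dll, export Main); system DLLs pass
        if m and USER_WRITABLE.match(m.group(1)):
            return Finding("rundll32_user_dir_dll", ev["parent"], f"{m.group(1)} export {m.group(2)}")
    return None


def detect(events):
    checks = {"registry_set": check_registry, "process_create": check_process}
    findings = []
    for ev in events:
        f = checks[ev["type"]](ev)
        if f:
            findings.append(f)
    return findings


RTP = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
SAMPLE_EVENTS = [  # constructed to mirror the report's rows, plus two benign controls at the end
    *({"type": "registry_set", "process": "it197223.exe", "key": RTP + v, "data": 1}
      for v in ("DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
                "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")),
    {"type": "registry_set", "process": "it197223.exe",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection", "data": 0},
    # IExpress cleanup RunOnce entry from the "Adds Run key" table: noisy, not persistence, must not fire
    {"type": "registry_set", "process": "ziZV6295.exe",
     "key": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup1",
     "data": 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"'},
    {"type": "process_create", "parent": "oneetx.exe", "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
                '/TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\595f021478\\oneetx.exe" /F'},
    {"type": "process_create", "parent": "oneetx.exe", "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cmdline": '"C:\\Windows\\System32\\rundll32.exe" C:\\Users\\Admin\\AppData\\Roaming\\006700e5a2ab05\\clip64.dll, Main'},
    {"type": "process_create", "parent": "setup.exe", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\\Program Files\\Backup\\backup.exe"'},
    {"type": "process_create", "parent": "runonce.exe", "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cmdline": 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"'},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:32} {f.process:14} {f.detail}")
```

On the constructed input the rules produce eight findings: five policy values, one TamperProtection write, the minute-interval task for oneetx.exe and the clip64.dll load. The RunOnce cleanup entry, the daily task from Program Files and the advpack.dll cleanup run are intentionally left unflagged, which keeps the rundll32 and schtasks rules from paging on every IExpress installer.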
Processes
-
[n] is the nesting depth in the process tree; the signatures hit by each process are listed beneath it.
[1] C:\Users\Admin\AppData\Local\Temp\9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440.exe"
    PID 1536
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZV6295.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZV6295.exe
        PID 1148
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziwF2872.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziwF2872.exe
            PID 2940
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it197223.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it197223.exe
                PID 3876
                - Modifies Windows Defender Real-time Protection settings
                - Executes dropped EXE
                - Windows security modification
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr798582.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr798582.exe
                PID 3836
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\Temp\1.exe
                    command line: "C:\Windows\Temp\1.exe"
                    PID 3940
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1204 (PID 1200) - Program crash
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp671016.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp671016.exe
            PID 4712
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr635937.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr635937.exe
        PID 3016
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 700 (PID 3568) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 776 (PID 4968) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 808 (PID 3104) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 956 (PID 1112) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 872 (PID 960) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 976 (PID 1508) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1216 (PID 3652) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1216 (PID 728) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1320 (PID 904) - Program crash
        [3] C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
            PID 2304
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 696 (PID 316) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 836 (PID 532) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 880 (PID 1280) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1064 (PID 3792) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1064 (PID 3464) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1064 (PID 3616) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1088 (PID 384) - Program crash
            [4] C:\Windows\SysWOW64\schtasks.exe
                command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
                PID 1156
                - Creates scheduled task(s)
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 996 (PID 3884) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 748 (PID 3468) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 992 (PID 2024) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1268 (PID 2784) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1116 (PID 4976) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1604 (PID 3836) - Program crash
            [4] C:\Windows\SysWOW64\rundll32.exe
                command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                PID 2020
                - Loads dropped DLL
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1132 (PID 4440) - Program crash
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1620 (PID 4708) - Program crash
        [3] C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1464 (PID 1380) - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3836 -ip 3836 (PID 2272)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3016 -ip 3016 (PID 3344)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3016 -ip 3016 (PID 2336)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3016 -ip 3016 (PID 2088)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3016 -ip 3016 (PID 232)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3016 -ip 3016 (PID 452)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3016 -ip 3016 (PID 2308)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3016 -ip 3016 (PID 1888)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3016 -ip 3016 (PID 4044)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3016 -ip 3016 (PID 1364)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3016 -ip 3016 (PID 2052)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2304 -ip 2304 (PID 2268)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2304 -ip 2304 (PID 4276)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2304 -ip 2304 (PID 4212)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2304 -ip 2304 (PID 1556)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2304 -ip 2304 (PID 4268)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2304 -ip 2304 (PID 1168)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2304 -ip 2304 (PID 4864)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2304 -ip 2304 (PID 1564)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2304 -ip 2304 (PID 3416)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2304 -ip 2304 (PID 3152)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2304 -ip 2304 (PID 3412)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2304 -ip 2304 (PID 4384)
[1] C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    PID 2180 (started by the scheduled task created above)
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 396 (PID 1056) - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 440 (PID 1952) - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 440 (PID 4256) - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2180 -ip 2180 (PID 2108)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2180 -ip 2180 (PID 428)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2180 -ip 2180 (PID 4292)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2304 -ip 2304 (PID 3576)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2304 -ip 2304 (PID 3340)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2304 -ip 2304 (PID 4952)
[1] C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    PID 1596 (started by the scheduled task created above)
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 396 (PID 4348) - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 440 (PID 4712) - Program crash
    [2] C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 440 (PID 4364) - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1596 -ip 1596 (PID 2140)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1596 -ip 1596 (PID 4876)
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1596 -ip 1596 (PID 4244)
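The tree above contains recycled PIDs: 3836 is jr798582.exe at depth 4 and later a WerFault.exe instance under oneetx.exe, and 4712 is kp671016.exe and later a WerFault.exe instance under the third oneetx.exe run. That is why lineage should be keyed on the sandbox's procid rather than the PID. The Python below is an added example, not part of the report: it parses a transcription of the "Executes dropped EXE", "WriteProcessMemory" and "Program crash" tables, resolves each child's parent by the latest earlier spawn that owned the parent PID, rebuilds the parent chain for any procid, and lists PIDs that appeared under more than one image name. The column meanings are read off the tables and are an assumption; only the first spawn keeps its triplicated rows, to show that they collapse on procid.

```python
# Added example (not from the sandbox report): rebuild process lineage from the
# report's tables keyed on procid, and surface PID reuse. Inputs are transcribed
# from the tables above; column meanings are an assumption read off the report.
import re
from collections import defaultdict

SAMPLE = "9457b1fc853f44960ee63529dc39164c1add654730eecc2518194a56c8e93440.exe"

# "Executes dropped EXE", "Loads dropped DLL" and "Creates scheduled task(s)" rows: pid, image
KNOWN = """
1148 ziZV6295.exe
2940 ziwF2872.exe
3876 it197223.exe
3836 jr798582.exe
3940 1.exe
4712 kp671016.exe
3016 lr635937.exe
2304 oneetx.exe
2180 oneetx.exe
1596 oneetx.exe
1156 schtasks.exe
2020 rundll32.exe
"""
# "Suspicious use of WriteProcessMemory" rows: parent pid, child pid, parent image, child procid
WRITES = f"""
PID 1536 wrote to memory of 1148 1536 {SAMPLE} 77
PID 1536 wrote to memory of 1148 1536 {SAMPLE} 77
PID 1536 wrote to memory of 1148 1536 {SAMPLE} 77
PID 1148 wrote to memory of 2940 1148 ziZV6295.exe 78
PID 2940 wrote to memory of 3876 2940 ziwF2872.exe 79
PID 2940 wrote to memory of 3836 2940 ziwF2872.exe 81
PID 3836 wrote to memory of 3940 3836 jr798582.exe 82
PID 1148 wrote to memory of 4712 1148 ziZV6295.exe 86
PID 1536 wrote to memory of 3016 1536 {SAMPLE} 89
PID 3016 wrote to memory of 2304 3016 lr635937.exe 108
PID 2304 wrote to memory of 1156 2304 oneetx.exe 125
PID 2304 wrote to memory of 2020 2304 oneetx.exe 146
"""
# "Program crash" rows: handler pid, crashed pid, handler image, crashed procid (subset)
CRASHES = """
1200 3836 WerFault.exe 81
3568 3016 WerFault.exe 89
3836 2304 WerFault.exe 108
4712 1596 WerFault.exe 151
"""

KNOWN_RE = re.compile(r"^(\d+) (\S+)$", re.M)
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$", re.M)
CRASH_RE = re.compile(r"^(\d+) (\d+) (\S+) (\d+)$", re.M)


def parse(known=KNOWN, writes=WRITES, crashes=CRASHES):
    """Return (names, spawns): image names seen per PID, and child procid -> (child PID, parent PID)."""
    names = defaultdict(set)
    spawns = {}
    for pid, name in KNOWN_RE.findall(known):
        names[int(pid)].add(name)
    for ppid, cpid, pname, procid in WRITE_RE.findall(writes):
        names[int(ppid)].add(pname)
        spawns[int(procid)] = (int(cpid), int(ppid))  # repeated write rows collapse on procid
    for hpid, _tpid, hname, _tprocid in CRASH_RE.findall(crashes):
        names[int(hpid)].add(hname)  # the handler's PID is the one that turns out to be recycled
    return names, spawns


def image_name(names, pid):
    """Name of the non-WerFault process that held this PID, or "?" if unknown or ambiguous."""
    own = names[pid] - {"WerFault.exe"}
    return next(iter(own)) if len(own) == 1 else "?"


def parent_procid(spawns, procid):
    """Parent's procid: the most recent earlier spawn whose child PID equals this parent PID."""
    _, ppid = spawns[procid]
    earlier = [p for p, (cpid, _) in spawns.items() if cpid == ppid and p < procid]
    return max(earlier) if earlier else None  # None: the parent is the submitted sample


def lineage(spawns, names, procid):
    """Image names from the submitted sample down to the process with this procid."""
    chain = []
    while procid is not None:
        cpid, ppid = spawns[procid]
        chain.append(image_name(names, cpid))
        nxt = parent_procid(spawns, procid)
        if nxt is None:
            chain.append(image_name(names, ppid))
        procid = nxt
    return chain[::-1]


def pid_reuse(names):
    """PIDs observed under more than one image name; keying on PID alone would merge them."""
    return {pid: sorted(n) for pid, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    names, spawns = parse()
    for procid in sorted(spawns):
        print(procid, " -> ".join(lineage(spawns, names, procid)))
    print("PID reuse:", pid_reuse(names))
```

Run stand-alone it prints one chain per procid (for example procid 146 resolves to sample -> lr635937.exe -> oneetx.exe -> rundll32.exe) and reports 3836 and 4712 as reused. The same parent-resolution rule works on real EDR data when you substitute the process GUID or creation timestamp for the sandbox procid.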
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files, de-duplicated by hash; the count in brackets is how many times the original listing repeated the entry.
-
Filesize: 397KB (listed 7 times)
MD5: 73322119dde2931ef4675da872b6e388
SHA1: 666909e836d4896520d7b01669820f0e8eb103a1
SHA256: a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3
SHA512: 360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef
-
Filesize: 723KB (listed 2 times)
MD5: e0eb9d1ee80aa12f3303086ec3553897
SHA1: ba2d1f5735c7c225cfee6cffacaaa4be8014dd76
SHA256: e9578cac563114cd88fcd4da5342fde5ef950628f4a37a4ffbe7e605fcd001aa
SHA512: 120769084123a687e67f622e8e9be233e76025a9f2b2d810a734b52f2121d75d084b3f33ab1b645be8f76ae6d4303306d6cf7f528e26cccf79be9c4feef4aad8
-
Filesize: 169KB (listed 2 times)
MD5: 814f4b63ea650816ae1d0f8f7cab4ee3
SHA1: 055a7a92a857097edbaa0d2236547c3c19e03494
SHA256: 8cd5ce62b35e7a7ba8487893ae5af5827335e3d6cf73bd72fc2d6cba3e3bb457
SHA512: 61e134292dbc71378b7cc86f237bd15531a88cbb709963de4cd890e888282e12e87c61b784e187b5e712baecdf7b7d06b8786b05d11fed3abeb24d15ffbcf747
-
Filesize: 569KB (listed 2 times)
MD5: ae828373ec7a521daa4e6e24ca026826
SHA1: ce17dd504f67825b0778e5b1effdf6686a48d62c
SHA256: 45e6995bd175b5d3177e7bc860a38b75844db2c921967a6f3a82b1018dbfe92f
SHA512: ef1a0418e8e1f8ea8c384f56ea505d4bf51194f406cfe7297c515a347779afce8fb4bae0011b96f399827e0b1a7c447507fa9d758483ea12fa3ecd2895b2ca2b
-
Filesize: 11KB (listed 2 times)
MD5: adb4b9bc6d0130b8dd135320e29c9f0b
SHA1: 9aa3cb6759afa11b8f9571df9e5036b57a478e8e
SHA256: 282c0c0824fafdc922447523a01e33798b6d36d53980905caf18371aec18fd21
SHA512: a0e771ea5b4ac7fddd471711090cfc27a694de9e7c11f1c85be4f120c70231653cd2a87bf446600be5d25e6c575403c51e64aa9a5477005fb93585eaa43b4b17
-
Filesize: 588KB (listed 2 times)
MD5: 1870781a8c713f45a0c2c4d74b8fbf19
SHA1: 3aa5e00a8362735362486056408dd8aa5e6156a5
SHA256: 445993ef43c5abccae08fdd992203949c3388f1eb10af1c064942e2284146808
SHA512: c676c1fa348e72ea5b2f9c638c20d6142068a43b4abee96aa276c0f24fd253af699a4a240b77f58c349df19eb18f610a0eb6f449d2e3297419595be76cf2293a
-
Filesize: 89KB (listed 3 times)
MD5: ee69aeae2f96208fc3b11dfb70e07161
SHA1: 5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6
SHA256: 13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9
SHA512: 94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f
-
Filesize: 162B (listed once)
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize: 168KB (listed 3 times)
MD5: 03728fed675bcde5256342183b1d6f27
SHA1: d13eace7d3d92f93756504b274777cc269b222a2
SHA256: f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512: 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1