redline | 54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e

Analysis

max time kernel
188s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe
Size

1.2MB
MD5

d5fb730b57b9c2ba513d4482384dea5b
SHA1

d276dd4a87c0be18317ac7ce531f72bd7a8eeedd
SHA256

54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e
SHA512

cf57397b2de119b9be32ca922b72d12fd68ef5113fe80a44af2edf15831a956233949474026998903a89f8c3c275345ee5c2f59ba4d93c61bbdf387ed9ec4b40
SSDEEP

24576:3yn2smzBd1f8LQesIpt5QWUUFvpphY9rBC18iDCMVQe4hMHaQ1o:C2smzBd1fqhvQWUUHIrBC1th4hMHa

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4700-155-0x0000000007D20000-0x0000000008338000-memory.dmp	redline_stealer
behavioral2/memory/4700-161-0x0000000007B30000-0x0000000007B96000-memory.dmp	redline_stealer
behavioral2/memory/4700-165-0x00000000089F0000-0x0000000008BB2000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	h7420927.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h7420927.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h7420927.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h7420927.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h7420927.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h7420927.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	j5071264.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	i4111945.exe

Executes dropped EXE 8 IoCs

pid	Process
4316	x1216249.exe
4312	x5217051.exe
4700	g7317973.exe
2732	h7420927.exe
660	i4111945.exe
3948	1.exe
4552	j5071264.exe
224	oneetx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	h7420927.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	h7420927.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1216249.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1216249.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5217051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5217051.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\Temp\\1.exe"	i4111945.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 26 IoCs

pid	pid_target	Process	procid_target
3400	2732	WerFault.exe	88
920	660	WerFault.exe	95
4788	4552	WerFault.exe	99
964	4552	WerFault.exe	99
2132	4552	WerFault.exe	99
3296	4552	WerFault.exe	99
2628	4552	WerFault.exe	99
1576	4552	WerFault.exe	99
4956	4552	WerFault.exe	99
1508	4552	WerFault.exe	99
4444	4552	WerFault.exe	99
1036	4552	WerFault.exe	99
3784	224	WerFault.exe	118
4208	224	WerFault.exe	118
4820	224	WerFault.exe	118
1164	224	WerFault.exe	118
2024	224	WerFault.exe	118
1316	224	WerFault.exe	118
4808	224	WerFault.exe	118
4396	224	WerFault.exe	118
3340	224	WerFault.exe	118
2956	224	WerFault.exe	118
2772	224	WerFault.exe	118
616	224	WerFault.exe	118
528	224	WerFault.exe	118
3016	224	WerFault.exe	118

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4700	g7317973.exe
4700	g7317973.exe
2732	h7420927.exe
2732	h7420927.exe
3948	1.exe
3948	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	g7317973.exe
Token: SeDebugPrivilege	2732	h7420927.exe
Token: SeDebugPrivilege	660	i4111945.exe
Token: SeDebugPrivilege	3948	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4552	j5071264.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4316	2996	54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe	82
PID 2996 wrote to memory of 4316	2996	54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe	82
PID 2996 wrote to memory of 4316	2996	54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe	82
PID 4316 wrote to memory of 4312	4316	x1216249.exe	83
PID 4316 wrote to memory of 4312	4316	x1216249.exe	83
PID 4316 wrote to memory of 4312	4316	x1216249.exe	83
PID 4312 wrote to memory of 4700	4312	x5217051.exe	84
PID 4312 wrote to memory of 4700	4312	x5217051.exe	84
PID 4312 wrote to memory of 4700	4312	x5217051.exe	84
PID 4312 wrote to memory of 2732	4312	x5217051.exe	88
PID 4312 wrote to memory of 2732	4312	x5217051.exe	88
PID 4312 wrote to memory of 2732	4312	x5217051.exe	88
PID 4316 wrote to memory of 660	4316	x1216249.exe	95
PID 4316 wrote to memory of 660	4316	x1216249.exe	95
PID 4316 wrote to memory of 660	4316	x1216249.exe	95
PID 660 wrote to memory of 3948	660	i4111945.exe	96
PID 660 wrote to memory of 3948	660	i4111945.exe	96
PID 660 wrote to memory of 3948	660	i4111945.exe	96
PID 2996 wrote to memory of 4552	2996	54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe	99
PID 2996 wrote to memory of 4552	2996	54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe	99
PID 2996 wrote to memory of 4552	2996	54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe	99
PID 4552 wrote to memory of 224	4552	j5071264.exe	118
PID 4552 wrote to memory of 224	4552	j5071264.exe	118
PID 4552 wrote to memory of 224	4552	j5071264.exe	118
PID 224 wrote to memory of 4852	224	oneetx.exe	137
PID 224 wrote to memory of 4852	224	oneetx.exe	137
PID 224 wrote to memory of 4852	224	oneetx.exe	137
PID 224 wrote to memory of 1852	224	oneetx.exe	143
PID 224 wrote to memory of 1852	224	oneetx.exe	143
PID 224 wrote to memory of 1852	224	oneetx.exe	143
PID 1852 wrote to memory of 3740	1852	cmd.exe	147
PID 1852 wrote to memory of 3740	1852	cmd.exe	147
PID 1852 wrote to memory of 3740	1852	cmd.exe	147
PID 1852 wrote to memory of 940	1852	cmd.exe	148
PID 1852 wrote to memory of 940	1852	cmd.exe	148
PID 1852 wrote to memory of 940	1852	cmd.exe	148
PID 1852 wrote to memory of 1768	1852	cmd.exe	149
PID 1852 wrote to memory of 1768	1852	cmd.exe	149
PID 1852 wrote to memory of 1768	1852	cmd.exe	149
PID 1852 wrote to memory of 4648	1852	cmd.exe	151
PID 1852 wrote to memory of 4648	1852	cmd.exe	151
PID 1852 wrote to memory of 4648	1852	cmd.exe	151
PID 1852 wrote to memory of 3796	1852	cmd.exe	150
PID 1852 wrote to memory of 3796	1852	cmd.exe	150
PID 1852 wrote to memory of 3796	1852	cmd.exe	150
PID 1852 wrote to memory of 2672	1852	cmd.exe	152
PID 1852 wrote to memory of 2672	1852	cmd.exe	152
PID 1852 wrote to memory of 2672	1852	cmd.exe	152

C:\Users\Admin\AppData\Local\Temp\54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe
"C:\Users\Admin\AppData\Local\Temp\54259854d6c513fd408a76b03e1d72f326d6c18527c7114358485e936b10353e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1216249.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1216249.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5217051.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5217051.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7317973.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7317973.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7420927.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7420927.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1044
        5⤵
        Program crash
        
        PID:3400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4111945.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4111945.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1376
      4⤵
      Program crash
      PID:920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5071264.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5071264.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 696
    3⤵
    - Program crash
    PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 780
    3⤵
    - Program crash
    PID:964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 796
    3⤵
    - Program crash
    PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 960
    3⤵
    - Program crash
    PID:3296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 964
    3⤵
    - Program crash
    PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 964
    3⤵
    - Program crash
    PID:1576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1216
    3⤵
    - Program crash
    PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1264
    3⤵
    - Program crash
    PID:1508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1312
    3⤵
    - Program crash
    PID:4444
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 692
      4⤵
      Program crash
      PID:3784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 876
      4⤵
      Program crash
      PID:4208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 936
      4⤵
      Program crash
      PID:4820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 868
      4⤵
      Program crash
      PID:1164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 880
      4⤵
      Program crash
      PID:2024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1072
      4⤵
      Program crash
      PID:1316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1072
      4⤵
      Program crash
      PID:4808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 868
      4⤵
      Program crash
      PID:4396
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1000
      4⤵
      Program crash
      PID:3340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 904
      4⤵
      Program crash
      PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3740
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:940
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1768
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        5⤵
        
        PID:3796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4648
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        5⤵
        
        PID:2672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 756
      4⤵
      Program crash
      PID:2772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 720
      4⤵
      Program crash
      PID:616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1272
      4⤵
      Program crash
      PID:528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 764
      4⤵
      Program crash
      PID:3016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1756
    3⤵
    - Program crash
    PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2732 -ip 2732
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 660 -ip 660
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4552 -ip 4552
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4552 -ip 4552
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4552 -ip 4552
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4552 -ip 4552
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4552 -ip 4552
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4552 -ip 4552
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4552 -ip 4552
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4552 -ip 4552
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4552 -ip 4552
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4552 -ip 4552
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 224 -ip 224
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 224 -ip 224
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 224 -ip 224
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 224 -ip 224
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 224 -ip 224
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 224 -ip 224
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 224 -ip 224
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 224 -ip 224
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 224 -ip 224
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 224 -ip 224
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 224 -ip 224
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 224 -ip 224
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 224 -ip 224
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 224 -ip 224
1⤵
PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5071264.exe

Filesize
339KB

MD5
60428402ffcb3b1c63ad1252e1caea4d

SHA1
6072bfa4e139c94a7ad07c18fabf50da751b458a

SHA256
7467afbe2a1cb7a337c3e980adabb77fbd85d5d24b0461dfd14c81b0798962a2

SHA512
a26b48a5cc1631eb17e7c293f0e81da64b6824fd51b32d2a6a6ee894bbcbd3fdbf883c1dc72f1a27d07f33560ac8de1aff6098736fb4837a7249f03a701cdf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j5071264.exe

Filesize
339KB

MD5
60428402ffcb3b1c63ad1252e1caea4d

SHA1
6072bfa4e139c94a7ad07c18fabf50da751b458a

SHA256
7467afbe2a1cb7a337c3e980adabb77fbd85d5d24b0461dfd14c81b0798962a2

SHA512
a26b48a5cc1631eb17e7c293f0e81da64b6824fd51b32d2a6a6ee894bbcbd3fdbf883c1dc72f1a27d07f33560ac8de1aff6098736fb4837a7249f03a701cdf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1216249.exe

Filesize
914KB

MD5
aed28560f5941846841aa05dac54a7af

SHA1
6d668cf7e04ec3a14b9c59d2593c411c7a300768

SHA256
836c86a7d1c154524ba89d442224d754dc91035dbf15fd70ddd35cbcf9620386

SHA512
46db918360224d17e175c89154ef0c13beaf32268580d97fe5fe719a1e035ab31b9e2223c9f1b07b6a86238370eb79562efe03f04665201a42f46af8b3ddfdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1216249.exe

Filesize
914KB

MD5
aed28560f5941846841aa05dac54a7af

SHA1
6d668cf7e04ec3a14b9c59d2593c411c7a300768

SHA256
836c86a7d1c154524ba89d442224d754dc91035dbf15fd70ddd35cbcf9620386

SHA512
46db918360224d17e175c89154ef0c13beaf32268580d97fe5fe719a1e035ab31b9e2223c9f1b07b6a86238370eb79562efe03f04665201a42f46af8b3ddfdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4111945.exe

Filesize
547KB

MD5
aabd3e285991b4b8cb132185d9ee3a34

SHA1
2c08b427323341c93550dd8ba9d9441ec0d0f394

SHA256
a951292863bd43d59d8ecad9463cef9d55cbcd7c08b1577af9fc568d2eed8953

SHA512
babec27518475a1c7a821611be85f1c57db0b5cc6f45fa27de907d7a26502df813672f2bbd249e60d72ff5ed864f5ea24f30ebded25e6ba35a96230cbe4228b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4111945.exe

Filesize
547KB

MD5
aabd3e285991b4b8cb132185d9ee3a34

SHA1
2c08b427323341c93550dd8ba9d9441ec0d0f394

SHA256
a951292863bd43d59d8ecad9463cef9d55cbcd7c08b1577af9fc568d2eed8953

SHA512
babec27518475a1c7a821611be85f1c57db0b5cc6f45fa27de907d7a26502df813672f2bbd249e60d72ff5ed864f5ea24f30ebded25e6ba35a96230cbe4228b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5217051.exe

Filesize
416KB

MD5
704c2ff62f4c5fea535d194351bcc1d2

SHA1
34c803cae04b990b6388f7c68622ee8f9eb07b1b

SHA256
f54b6c7b964c6347687ca81cbfa21fab18946764e4a54422d4613a33e6f319c8

SHA512
df438009e96bac0adf4de3342536ae57f624e9165cc95d32b9d03cf9643f4bdba773d6437909fcdf8697d51891d5d4ff237a534af3494b2e271dfaf737fc81b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5217051.exe

Filesize
416KB

MD5
704c2ff62f4c5fea535d194351bcc1d2

SHA1
34c803cae04b990b6388f7c68622ee8f9eb07b1b

SHA256
f54b6c7b964c6347687ca81cbfa21fab18946764e4a54422d4613a33e6f319c8

SHA512
df438009e96bac0adf4de3342536ae57f624e9165cc95d32b9d03cf9643f4bdba773d6437909fcdf8697d51891d5d4ff237a534af3494b2e271dfaf737fc81b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7317973.exe

Filesize
136KB

MD5
2604496cd8bb25168a2e6bf914975ae0

SHA1
5f172ad0483fed7a957aa4fa354b68d36f82f9c0

SHA256
34bb8fcc25719939e7262ea8494711e31c6942509b151a44db377c1fffef81e3

SHA512
22ab4ac10e38689818d87687d0464fa7ed103933326e99922a0ba826fc2dfb8f1b9fb0a6ebda83db7bc3eae53e486b489e15262fedb2fcc49cae3118bd99a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7317973.exe

Filesize
136KB

MD5
2604496cd8bb25168a2e6bf914975ae0

SHA1
5f172ad0483fed7a957aa4fa354b68d36f82f9c0

SHA256
34bb8fcc25719939e7262ea8494711e31c6942509b151a44db377c1fffef81e3

SHA512
22ab4ac10e38689818d87687d0464fa7ed103933326e99922a0ba826fc2dfb8f1b9fb0a6ebda83db7bc3eae53e486b489e15262fedb2fcc49cae3118bd99a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7420927.exe

Filesize
360KB

MD5
db554ce5e1942feb771b54d545842bed

SHA1
a3b10fe86fd4d3a585032bb0bf1bc187e9b3c51f

SHA256
974e4b8d68ec69b0ee33876ef3b50e5b30fbc970f9a12718a6a984273a85ad61

SHA512
8cbac5ae96a39269f60788fa41f54064e54345b54727efe64cf6270b146d913f540859e7a76547e28ecae9e4137918a03e1ebb55031b2801c16d80c0a00ed982

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7420927.exe

Filesize
360KB

MD5
db554ce5e1942feb771b54d545842bed

SHA1
a3b10fe86fd4d3a585032bb0bf1bc187e9b3c51f

SHA256
974e4b8d68ec69b0ee33876ef3b50e5b30fbc970f9a12718a6a984273a85ad61

SHA512
8cbac5ae96a39269f60788fa41f54064e54345b54727efe64cf6270b146d913f540859e7a76547e28ecae9e4137918a03e1ebb55031b2801c16d80c0a00ed982

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
60428402ffcb3b1c63ad1252e1caea4d

SHA1
6072bfa4e139c94a7ad07c18fabf50da751b458a

SHA256
7467afbe2a1cb7a337c3e980adabb77fbd85d5d24b0461dfd14c81b0798962a2

SHA512
a26b48a5cc1631eb17e7c293f0e81da64b6824fd51b32d2a6a6ee894bbcbd3fdbf883c1dc72f1a27d07f33560ac8de1aff6098736fb4837a7249f03a701cdf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
60428402ffcb3b1c63ad1252e1caea4d

SHA1
6072bfa4e139c94a7ad07c18fabf50da751b458a

SHA256
7467afbe2a1cb7a337c3e980adabb77fbd85d5d24b0461dfd14c81b0798962a2

SHA512
a26b48a5cc1631eb17e7c293f0e81da64b6824fd51b32d2a6a6ee894bbcbd3fdbf883c1dc72f1a27d07f33560ac8de1aff6098736fb4837a7249f03a701cdf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
60428402ffcb3b1c63ad1252e1caea4d

SHA1
6072bfa4e139c94a7ad07c18fabf50da751b458a

SHA256
7467afbe2a1cb7a337c3e980adabb77fbd85d5d24b0461dfd14c81b0798962a2

SHA512
a26b48a5cc1631eb17e7c293f0e81da64b6824fd51b32d2a6a6ee894bbcbd3fdbf883c1dc72f1a27d07f33560ac8de1aff6098736fb4837a7249f03a701cdf58

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
memory/660-243-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-337-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/660-2412-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/660-2409-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/660-2407-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/660-2406-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/660-2405-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/660-335-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/660-249-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-247-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-245-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-241-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-239-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-237-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-235-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-233-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-231-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-229-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-227-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-225-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-223-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-221-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-219-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-218-0x0000000002B60000-0x0000000002BC1000-memory.dmp

Filesize
388KB

Download
memory/660-217-0x00000000009A0000-0x00000000009FC000-memory.dmp

Filesize
368KB

Download
memory/2732-191-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-176-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2732-210-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2732-212-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2732-187-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-175-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2732-206-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2732-205-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-203-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-201-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-199-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-197-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-174-0x0000000000BF0000-0x0000000000C1D000-memory.dmp

Filesize
180KB

Download
memory/2732-209-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2732-183-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-193-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-195-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-185-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-189-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-181-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-208-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2732-179-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-178-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/2732-177-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3948-2424-0x0000000007C50000-0x0000000007C60000-memory.dmp

Filesize
64KB

Download
memory/3948-2423-0x0000000000BD0000-0x0000000000BF8000-memory.dmp

Filesize
160KB

Download
memory/4552-2430-0x0000000000880000-0x00000000008B5000-memory.dmp

Filesize
212KB

Download
memory/4552-2447-0x0000000000880000-0x00000000008B5000-memory.dmp

Filesize
212KB

Download
memory/4700-162-0x00000000086E0000-0x0000000008772000-memory.dmp

Filesize
584KB

Download
memory/4700-166-0x0000000009810000-0x0000000009D3C000-memory.dmp

Filesize
5.2MB

Download
memory/4700-168-0x0000000008930000-0x0000000008980000-memory.dmp

Filesize
320KB

Download
memory/4700-161-0x0000000007B30000-0x0000000007B96000-memory.dmp

Filesize
408KB

Download
memory/4700-160-0x00000000078A0000-0x00000000078B0000-memory.dmp

Filesize
64KB

Download
memory/4700-159-0x00000000078A0000-0x00000000078B0000-memory.dmp

Filesize
64KB

Download
memory/4700-165-0x00000000089F0000-0x0000000008BB2000-memory.dmp

Filesize
1.8MB

Download
memory/4700-167-0x00000000086C0000-0x00000000086DE000-memory.dmp

Filesize
120KB

Download
memory/4700-158-0x00000000077F0000-0x000000000782C000-memory.dmp

Filesize
240KB

Download
memory/4700-157-0x00000000078C0000-0x00000000079CA000-memory.dmp

Filesize
1.0MB

Download
memory/4700-163-0x0000000008D30000-0x00000000092D4000-memory.dmp

Filesize
5.6MB

Download
memory/4700-156-0x0000000007790000-0x00000000077A2000-memory.dmp

Filesize
72KB

Download
memory/4700-155-0x0000000007D20000-0x0000000008338000-memory.dmp

Filesize
6.1MB

Download
memory/4700-154-0x0000000000A60000-0x0000000000A88000-memory.dmp

Filesize
160KB

Download
memory/4700-164-0x0000000008780000-0x00000000087F6000-memory.dmp

Filesize
472KB

Download