redline | 1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd

Analysis

max time kernel
158s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe
Size

1.5MB
MD5

45b9d8cbcfda945c36e96f058c831a30
SHA1

d74842b57ca32293475a3f9e4f673a717b2227eb
SHA256

1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd
SHA512

8af5331f48426edd87f2b8d918e6aeb17d6596f74355b1db4eb2c01a4f15e0167165c613082df20bcf506a7ef71ae1988a2aff2894636be68c534a217d6a17c7
SSDEEP

24576:EyHjJw72MSZXX9yt38du/X3OY7QOZS8zR8/BJLXIoCJcpkK4VZM2CMAXvz:THjmBSZXX94TXb0OZ/F8rXIoCGiZ2

Score

10^/10

redline boom mazda discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Extracted

Family

redline

Botnet

boom

217.196.96.56:4138

Attributes

auth_value
1ce6aebe15bac07a7bc88b114bc49335

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3948-213-0x000000000B3F0000-0x000000000BA08000-memory.dmp	redline_stealer
behavioral2/memory/3948-220-0x000000000B350000-0x000000000B3B6000-memory.dmp	redline_stealer
behavioral2/memory/3948-222-0x000000000C610000-0x000000000C7D2000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d6576253.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4447379.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4447379.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4447379.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d6576253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d6576253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d6576253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d6576253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4447379.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4447379.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4447379.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	e7377834.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	c9374953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 13 IoCs

pid	Process
4632	v8490105.exe
2956	v9601255.exe
1876	v9614958.exe
3284	v8730229.exe
208	a4447379.exe
3948	b3216845.exe
4196	c9374953.exe
4944	oneetx.exe
4336	d6576253.exe
4940	e7377834.exe
4556	1.exe
4948	f3271798.exe
208	oneetx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4447379.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4447379.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d6576253.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8490105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8490105.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9601255.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9601255.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9614958.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9614958.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8730229.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8730229.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
4124	4196	WerFault.exe	89
3228	4196	WerFault.exe	89
2972	4196	WerFault.exe	89
2520	4196	WerFault.exe	89
4936	4196	WerFault.exe	89
2344	4196	WerFault.exe	89
3664	4196	WerFault.exe	89
4100	4196	WerFault.exe	89
4480	4196	WerFault.exe	89
1204	4196	WerFault.exe	89
1600	4196	WerFault.exe	89
1900	4944	WerFault.exe	111
3572	4944	WerFault.exe	111
4188	4944	WerFault.exe	111
3792	4944	WerFault.exe	111
2884	4944	WerFault.exe	111
1536	4944	WerFault.exe	111
980	4944	WerFault.exe	111
1428	4944	WerFault.exe	111
4612	4944	WerFault.exe	111
208	4944	WerFault.exe	111
496	4944	WerFault.exe	111
2508	4944	WerFault.exe	111
4656	4944	WerFault.exe	111
3720	4944	WerFault.exe	111
3096	4940	WerFault.exe	153
2604	208	WerFault.exe	158
3660	4944	WerFault.exe	111
3960	4944	WerFault.exe	111

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
208	a4447379.exe
208	a4447379.exe
3948	b3216845.exe
3948	b3216845.exe
4556	1.exe
4556	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	a4447379.exe
Token: SeDebugPrivilege	3948	b3216845.exe
Token: SeDebugPrivilege	4940	e7377834.exe
Token: SeDebugPrivilege	4556	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4196	c9374953.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4632	3388	1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe	82
PID 3388 wrote to memory of 4632	3388	1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe	82
PID 3388 wrote to memory of 4632	3388	1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe	82
PID 4632 wrote to memory of 2956	4632	v8490105.exe	83
PID 4632 wrote to memory of 2956	4632	v8490105.exe	83
PID 4632 wrote to memory of 2956	4632	v8490105.exe	83
PID 2956 wrote to memory of 1876	2956	v9601255.exe	84
PID 2956 wrote to memory of 1876	2956	v9601255.exe	84
PID 2956 wrote to memory of 1876	2956	v9601255.exe	84
PID 1876 wrote to memory of 3284	1876	v9614958.exe	85
PID 1876 wrote to memory of 3284	1876	v9614958.exe	85
PID 1876 wrote to memory of 3284	1876	v9614958.exe	85
PID 3284 wrote to memory of 208	3284	v8730229.exe	86
PID 3284 wrote to memory of 208	3284	v8730229.exe	86
PID 3284 wrote to memory of 208	3284	v8730229.exe	86
PID 3284 wrote to memory of 3948	3284	v8730229.exe	88
PID 3284 wrote to memory of 3948	3284	v8730229.exe	88
PID 3284 wrote to memory of 3948	3284	v8730229.exe	88
PID 1876 wrote to memory of 4196	1876	v9614958.exe	89
PID 1876 wrote to memory of 4196	1876	v9614958.exe	89
PID 1876 wrote to memory of 4196	1876	v9614958.exe	89
PID 4196 wrote to memory of 4944	4196	c9374953.exe	111
PID 4196 wrote to memory of 4944	4196	c9374953.exe	111
PID 4196 wrote to memory of 4944	4196	c9374953.exe	111
PID 2956 wrote to memory of 4336	2956	v9601255.exe	115
PID 2956 wrote to memory of 4336	2956	v9601255.exe	115
PID 2956 wrote to memory of 4336	2956	v9601255.exe	115
PID 4944 wrote to memory of 4892	4944	oneetx.exe	129
PID 4944 wrote to memory of 4892	4944	oneetx.exe	129
PID 4944 wrote to memory of 4892	4944	oneetx.exe	129
PID 4944 wrote to memory of 1792	4944	oneetx.exe	135
PID 4944 wrote to memory of 1792	4944	oneetx.exe	135
PID 4944 wrote to memory of 1792	4944	oneetx.exe	135
PID 1792 wrote to memory of 3068	1792	cmd.exe	139
PID 1792 wrote to memory of 3068	1792	cmd.exe	139
PID 1792 wrote to memory of 3068	1792	cmd.exe	139
PID 1792 wrote to memory of 3416	1792	cmd.exe	140
PID 1792 wrote to memory of 3416	1792	cmd.exe	140
PID 1792 wrote to memory of 3416	1792	cmd.exe	140
PID 1792 wrote to memory of 5056	1792	cmd.exe	141
PID 1792 wrote to memory of 5056	1792	cmd.exe	141
PID 1792 wrote to memory of 5056	1792	cmd.exe	141
PID 1792 wrote to memory of 1448	1792	cmd.exe	142
PID 1792 wrote to memory of 1448	1792	cmd.exe	142
PID 1792 wrote to memory of 1448	1792	cmd.exe	142
PID 1792 wrote to memory of 3752	1792	cmd.exe	143
PID 1792 wrote to memory of 3752	1792	cmd.exe	143
PID 1792 wrote to memory of 3752	1792	cmd.exe	143
PID 1792 wrote to memory of 3900	1792	cmd.exe	144
PID 1792 wrote to memory of 3900	1792	cmd.exe	144
PID 1792 wrote to memory of 3900	1792	cmd.exe	144
PID 4632 wrote to memory of 4940	4632	v8490105.exe	153
PID 4632 wrote to memory of 4940	4632	v8490105.exe	153
PID 4632 wrote to memory of 4940	4632	v8490105.exe	153
PID 4940 wrote to memory of 4556	4940	e7377834.exe	154
PID 4940 wrote to memory of 4556	4940	e7377834.exe	154
PID 4940 wrote to memory of 4556	4940	e7377834.exe	154
PID 3388 wrote to memory of 4948	3388	1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe	157
PID 3388 wrote to memory of 4948	3388	1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe	157
PID 3388 wrote to memory of 4948	3388	1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe	157

C:\Users\Admin\AppData\Local\Temp\1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe
"C:\Users\Admin\AppData\Local\Temp\1632394673bb124a783b4db7a1fa2f1dd7c7e450289c0f09e93effe48a56a9dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8490105.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8490105.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9601255.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9601255.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9614958.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9614958.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8730229.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8730229.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4447379.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4447379.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3216845.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3216845.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9374953.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9374953.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 696
        6⤵
        Program crash
        
        PID:4124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 780
        6⤵
        Program crash
        
        PID:3228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 860
        6⤵
        Program crash
        
        PID:2972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 960
        6⤵
        Program crash
        
        PID:2520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 976
        6⤵
        Program crash
        
        PID:4936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 976
        6⤵
        Program crash
        
        PID:2344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1224
        6⤵
        Program crash
        
        PID:3664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1328
        6⤵
        Program crash
        
        PID:4100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1360
        6⤵
        Program crash
        
        PID:4480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1412
        6⤵
        Program crash
        
        PID:1204
      - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 584
        7⤵
        Program crash
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 832
        7⤵
        Program crash
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 912
        7⤵
        Program crash
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1052
        7⤵
        Program crash
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1072
        7⤵
        Program crash
        
        PID:2884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1072
        7⤵
        Program crash
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1064
        7⤵
        Program crash
        
        PID:980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1000
        7⤵
        Program crash
        
        PID:1428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 700
        7⤵
        Program crash
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        8⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        8⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        8⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1284
        7⤵
        Program crash
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 996
        7⤵
        Program crash
        
        PID:496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 936
        7⤵
        Program crash
        
        PID:2508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 136
        7⤵
        Program crash
        
        PID:4656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1532
        7⤵
        Program crash
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1096
        7⤵
        Program crash
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1644
        7⤵
        Program crash
        
        PID:3960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1396
        6⤵
        Program crash
        
        PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6576253.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6576253.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      PID:4336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e7377834.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e7377834.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1500
      4⤵
      Program crash
      PID:3096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f3271798.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f3271798.exe
  2⤵
  - Executes dropped EXE
  PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4196 -ip 4196
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4196 -ip 4196
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4196 -ip 4196
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4196 -ip 4196
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4196 -ip 4196
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4196 -ip 4196
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4196 -ip 4196
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4196 -ip 4196
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4196 -ip 4196
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4196 -ip 4196
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4196 -ip 4196
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4944 -ip 4944
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4944 -ip 4944
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4944 -ip 4944
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4944 -ip 4944
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4944 -ip 4944
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4944 -ip 4944
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4944 -ip 4944
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4944 -ip 4944
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4944 -ip 4944
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4944 -ip 4944
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4944 -ip 4944
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4944 -ip 4944
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4944 -ip 4944
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4944 -ip 4944
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4940 -ip 4940
1⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
PID:208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 332
  2⤵
  - Program crash
  PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 208 -ip 208
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4944 -ip 4944
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4944 -ip 4944
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f3271798.exe

Filesize
206KB

MD5
141244f26873518e31b243f833cc3406

SHA1
dae9b0ebf03e3b151ac038a94b32ecb9ceaa1242

SHA256
cb98f0523f7d0fd46bce25688c10545327f590dfa375be70e2b5ff63d89446bc

SHA512
0b8b7c153160b818fe573bd5b9cbc112a0a3081f888d734ba2324b24c41a4f345b8320712c43cf758cb782d09335c614016a8e48b6cf5b87880a8a1820f920d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f3271798.exe

Filesize
206KB

MD5
141244f26873518e31b243f833cc3406

SHA1
dae9b0ebf03e3b151ac038a94b32ecb9ceaa1242

SHA256
cb98f0523f7d0fd46bce25688c10545327f590dfa375be70e2b5ff63d89446bc

SHA512
0b8b7c153160b818fe573bd5b9cbc112a0a3081f888d734ba2324b24c41a4f345b8320712c43cf758cb782d09335c614016a8e48b6cf5b87880a8a1820f920d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8490105.exe

Filesize
1.4MB

MD5
942843a9fb0e53456b85f18e6eac1d17

SHA1
dd4924a48ea5ddc5aded15cb045767138e9fbf16

SHA256
20c63f546cd3ef93837a67010e403224913742fb7af257be06a86556ae61541f

SHA512
e09c99f9f928bb928b3893bc7036ebc218b18919c6af84c2a79cc5af45f8c2023501ee4fffdbf9791b8a3b5254cfe3e6b3f03bc76751a583c24e55cd71db5183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8490105.exe

Filesize
1.4MB

MD5
942843a9fb0e53456b85f18e6eac1d17

SHA1
dd4924a48ea5ddc5aded15cb045767138e9fbf16

SHA256
20c63f546cd3ef93837a67010e403224913742fb7af257be06a86556ae61541f

SHA512
e09c99f9f928bb928b3893bc7036ebc218b18919c6af84c2a79cc5af45f8c2023501ee4fffdbf9791b8a3b5254cfe3e6b3f03bc76751a583c24e55cd71db5183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e7377834.exe

Filesize
547KB

MD5
9d8ba3b4d59c2d366197a70115e9d8c6

SHA1
754360d2977ff42c1859909b7682f948ff9fe677

SHA256
7dddf21023c3c8f3bf75b09f8570b1e5d87679dd04d28e34c9149fe2bef3e61b

SHA512
225f2aa9bd9f3819349c61c558ab4610634c59716a0f4fd9199afede37254b950af1e39b7cc47e533b9322d10ce840c4e007b14f52e44db7880332e64143689d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e7377834.exe

Filesize
547KB

MD5
9d8ba3b4d59c2d366197a70115e9d8c6

SHA1
754360d2977ff42c1859909b7682f948ff9fe677

SHA256
7dddf21023c3c8f3bf75b09f8570b1e5d87679dd04d28e34c9149fe2bef3e61b

SHA512
225f2aa9bd9f3819349c61c558ab4610634c59716a0f4fd9199afede37254b950af1e39b7cc47e533b9322d10ce840c4e007b14f52e44db7880332e64143689d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9601255.exe

Filesize
911KB

MD5
ddef7f96d6ecc3eab1bf75b587357d0c

SHA1
772c4207f3b339beeba227caa6eeb3ad5a9a2fd0

SHA256
65a69f5cd871b2f4398de929e9daafec2c9ee637c7e4a1d39c3088ae3aeebd27

SHA512
419f2a56cd01a589015339b3c0232ecb358271d211e4511a390cd0e99e65f8838af7c76da51e6bf5a6fc1c40ce8a69cfb4cc77a8ac82c0615a51418a1ec3ca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9601255.exe

Filesize
911KB

MD5
ddef7f96d6ecc3eab1bf75b587357d0c

SHA1
772c4207f3b339beeba227caa6eeb3ad5a9a2fd0

SHA256
65a69f5cd871b2f4398de929e9daafec2c9ee637c7e4a1d39c3088ae3aeebd27

SHA512
419f2a56cd01a589015339b3c0232ecb358271d211e4511a390cd0e99e65f8838af7c76da51e6bf5a6fc1c40ce8a69cfb4cc77a8ac82c0615a51418a1ec3ca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6576253.exe

Filesize
179KB

MD5
22e6bf441fce0df1dd912e84e44926e5

SHA1
fb946a9c862de2ddfa0a71a40d9ddd8b7c235331

SHA256
b7d430ba5d8db4c69854639143555d1ee7622e9515a339d53371d705937b4bcf

SHA512
586f2ee842855771989041bb6c631ababf6acc8b6655eb1b7fcccfae44b75a953318d2b1bf07d7b5b72652c0a0e512fec4ebad583d1b48a5117cb5e749d06cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9614958.exe

Filesize
707KB

MD5
fe15c1dafb3ecc4a3b5fa4da767de198

SHA1
2eecc1a6bbd2d57f2eaefd4d90f67e9ab56306ee

SHA256
2be4529d5dd9aa548f095dc5a29e62470702409c978e5b9924dd573e191a73d0

SHA512
a0abbc9be75ce3996ab178f4a455ae4d209430ce1936178b7cf2e46b83cbca6d0051aa8fc25f14d6e2f0997b3f797e15188ec82b8dfb4e763c825212f5292d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9614958.exe

Filesize
707KB

MD5
fe15c1dafb3ecc4a3b5fa4da767de198

SHA1
2eecc1a6bbd2d57f2eaefd4d90f67e9ab56306ee

SHA256
2be4529d5dd9aa548f095dc5a29e62470702409c978e5b9924dd573e191a73d0

SHA512
a0abbc9be75ce3996ab178f4a455ae4d209430ce1936178b7cf2e46b83cbca6d0051aa8fc25f14d6e2f0997b3f797e15188ec82b8dfb4e763c825212f5292d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9374953.exe

Filesize
340KB

MD5
ddb7f5ca4d274199d906b6e3fd877ddf

SHA1
150d96421182c9ec302e4e9d4d7950e554f56c81

SHA256
3d7070983a11e19c50415947ac54988b1fae5910d9d9187889b20efe75b790e1

SHA512
946eccc39c64a5f9fa6aacbda644a49b657cb2917978aecec00c3a4233ffbd9cda9227ef7f190a19e9e0f1a6aacefcd1b65119658690876639a09b2ccbd96453

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9374953.exe

Filesize
340KB

MD5
ddb7f5ca4d274199d906b6e3fd877ddf

SHA1
150d96421182c9ec302e4e9d4d7950e554f56c81

SHA256
3d7070983a11e19c50415947ac54988b1fae5910d9d9187889b20efe75b790e1

SHA512
946eccc39c64a5f9fa6aacbda644a49b657cb2917978aecec00c3a4233ffbd9cda9227ef7f190a19e9e0f1a6aacefcd1b65119658690876639a09b2ccbd96453

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8730229.exe

Filesize
416KB

MD5
c815692cfe1d26767dacbeaad23e0dbe

SHA1
15d85944bbbbebff76cfe8338a92b5fb37a9a91d

SHA256
60e237197187e5cb4fe9410d6faf8a4e524a354fc009a0d66426b97e05e5fe01

SHA512
d865e2a09c62ad53360f4123a030b15fbb8188abc2b2f243c18d9c69ce10066051fb3b984fd8c753056df0d981c7ba3db6f1e19c02b0897e03b514a49b3e93f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8730229.exe

Filesize
416KB

MD5
c815692cfe1d26767dacbeaad23e0dbe

SHA1
15d85944bbbbebff76cfe8338a92b5fb37a9a91d

SHA256
60e237197187e5cb4fe9410d6faf8a4e524a354fc009a0d66426b97e05e5fe01

SHA512
d865e2a09c62ad53360f4123a030b15fbb8188abc2b2f243c18d9c69ce10066051fb3b984fd8c753056df0d981c7ba3db6f1e19c02b0897e03b514a49b3e93f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4447379.exe

Filesize
360KB

MD5
e181f54e4427d80eda71f369d30b7469

SHA1
c796325fc1d781d9b7b7f34fb7d8f07ec08b7f45

SHA256
36be67c913c0270bd9da444bb4de83fb2ef23abe7ce13bf65e4b393d1d521ab0

SHA512
bf90550280a7d92313f9724466ab24d815df94282871abeb4ff45f1ab8364a74c8961058be3b6a851f6fbc4685c51527d9f35c796c9c9a156b0392723b5457b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4447379.exe

Filesize
360KB

MD5
e181f54e4427d80eda71f369d30b7469

SHA1
c796325fc1d781d9b7b7f34fb7d8f07ec08b7f45

SHA256
36be67c913c0270bd9da444bb4de83fb2ef23abe7ce13bf65e4b393d1d521ab0

SHA512
bf90550280a7d92313f9724466ab24d815df94282871abeb4ff45f1ab8364a74c8961058be3b6a851f6fbc4685c51527d9f35c796c9c9a156b0392723b5457b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3216845.exe

Filesize
168KB

MD5
bc6ce76656969b80d09a44683cb180db

SHA1
a88fda79611cd1a9761996a522fcdbd9ba19bea5

SHA256
a6cf98cb6ba243c49ea5e291ae9c87052906bdbe67c3dfc22cc3d55386801e0c

SHA512
0f3f807761c092d15049c68406c648e8f021ed63982e4f760350fe8d9cbee0ad6d765d4ea30e39db3420823ab345518ced933cf042e977ad2e127ce292f2c737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3216845.exe

Filesize
168KB

MD5
bc6ce76656969b80d09a44683cb180db

SHA1
a88fda79611cd1a9761996a522fcdbd9ba19bea5

SHA256
a6cf98cb6ba243c49ea5e291ae9c87052906bdbe67c3dfc22cc3d55386801e0c

SHA512
0f3f807761c092d15049c68406c648e8f021ed63982e4f760350fe8d9cbee0ad6d765d4ea30e39db3420823ab345518ced933cf042e977ad2e127ce292f2c737

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
ddb7f5ca4d274199d906b6e3fd877ddf

SHA1
150d96421182c9ec302e4e9d4d7950e554f56c81

SHA256
3d7070983a11e19c50415947ac54988b1fae5910d9d9187889b20efe75b790e1

SHA512
946eccc39c64a5f9fa6aacbda644a49b657cb2917978aecec00c3a4233ffbd9cda9227ef7f190a19e9e0f1a6aacefcd1b65119658690876639a09b2ccbd96453

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
ddb7f5ca4d274199d906b6e3fd877ddf

SHA1
150d96421182c9ec302e4e9d4d7950e554f56c81

SHA256
3d7070983a11e19c50415947ac54988b1fae5910d9d9187889b20efe75b790e1

SHA512
946eccc39c64a5f9fa6aacbda644a49b657cb2917978aecec00c3a4233ffbd9cda9227ef7f190a19e9e0f1a6aacefcd1b65119658690876639a09b2ccbd96453

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
ddb7f5ca4d274199d906b6e3fd877ddf

SHA1
150d96421182c9ec302e4e9d4d7950e554f56c81

SHA256
3d7070983a11e19c50415947ac54988b1fae5910d9d9187889b20efe75b790e1

SHA512
946eccc39c64a5f9fa6aacbda644a49b657cb2917978aecec00c3a4233ffbd9cda9227ef7f190a19e9e0f1a6aacefcd1b65119658690876639a09b2ccbd96453

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
ddb7f5ca4d274199d906b6e3fd877ddf

SHA1
150d96421182c9ec302e4e9d4d7950e554f56c81

SHA256
3d7070983a11e19c50415947ac54988b1fae5910d9d9187889b20efe75b790e1

SHA512
946eccc39c64a5f9fa6aacbda644a49b657cb2917978aecec00c3a4233ffbd9cda9227ef7f190a19e9e0f1a6aacefcd1b65119658690876639a09b2ccbd96453

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
7070d754b720fe5162742116d8683a49

SHA1
e1e928cacf55633f30125dcf2e7aa6a0e6f4172e

SHA256
5eec6e9402f614e6c92a23665003ad26a2606aa0700ebe58a86557bb84f4b7a2

SHA512
cb8d4382b3e9617a9bb98f3e6b1a2a15df004a33008cfbc92049e3ef588b1bf7deb3748a4262962543588e1a36ac737001c3d99659dca974bb12ff78eac9739b

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
7070d754b720fe5162742116d8683a49

SHA1
e1e928cacf55633f30125dcf2e7aa6a0e6f4172e

SHA256
5eec6e9402f614e6c92a23665003ad26a2606aa0700ebe58a86557bb84f4b7a2

SHA512
cb8d4382b3e9617a9bb98f3e6b1a2a15df004a33008cfbc92049e3ef588b1bf7deb3748a4262962543588e1a36ac737001c3d99659dca974bb12ff78eac9739b

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
7070d754b720fe5162742116d8683a49

SHA1
e1e928cacf55633f30125dcf2e7aa6a0e6f4172e

SHA256
5eec6e9402f614e6c92a23665003ad26a2606aa0700ebe58a86557bb84f4b7a2

SHA512
cb8d4382b3e9617a9bb98f3e6b1a2a15df004a33008cfbc92049e3ef588b1bf7deb3748a4262962543588e1a36ac737001c3d99659dca974bb12ff78eac9739b

Download Submit
memory/208-182-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-178-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-194-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-196-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-198-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-200-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-202-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-203-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/208-204-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/208-205-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/208-208-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/208-184-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-180-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-192-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-175-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-176-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-190-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-188-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-174-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/208-186-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/208-173-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/208-172-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/208-171-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/208-170-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/208-169-0x0000000000B40000-0x0000000000B6D000-memory.dmp

Filesize
180KB

Download
memory/3948-219-0x000000000BA10000-0x000000000BAA2000-memory.dmp

Filesize
584KB

Download
memory/3948-216-0x000000000AE50000-0x000000000AE8C000-memory.dmp

Filesize
240KB

Download
memory/3948-220-0x000000000B350000-0x000000000B3B6000-memory.dmp

Filesize
408KB

Download
memory/3948-218-0x000000000B260000-0x000000000B2D6000-memory.dmp

Filesize
472KB

Download
memory/3948-224-0x000000000BC30000-0x000000000BC80000-memory.dmp

Filesize
320KB

Download
memory/3948-217-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/3948-223-0x000000000CD10000-0x000000000D23C000-memory.dmp

Filesize
5.2MB

Download
memory/3948-212-0x0000000000F40000-0x0000000000F70000-memory.dmp

Filesize
192KB

Download
memory/3948-222-0x000000000C610000-0x000000000C7D2000-memory.dmp

Filesize
1.8MB

Download
memory/3948-221-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/3948-213-0x000000000B3F0000-0x000000000BA08000-memory.dmp

Filesize
6.1MB

Download
memory/3948-214-0x000000000AEE0000-0x000000000AFEA000-memory.dmp

Filesize
1.0MB

Download
memory/3948-215-0x000000000ADF0000-0x000000000AE02000-memory.dmp

Filesize
72KB

Download
memory/4196-232-0x0000000000840000-0x0000000000875000-memory.dmp

Filesize
212KB

Download
memory/4196-245-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/4196-230-0x0000000000840000-0x0000000000875000-memory.dmp

Filesize
212KB

Download
memory/4196-231-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/4556-2445-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4556-2444-0x0000000000790000-0x00000000007BE000-memory.dmp

Filesize
184KB

Download
memory/4940-268-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-2440-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4940-272-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-274-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-276-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-278-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-280-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-282-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-284-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-286-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-266-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-270-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-264-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-262-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-259-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-260-0x0000000005460000-0x00000000054C1000-memory.dmp

Filesize
388KB

Download
memory/4940-257-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4940-258-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4940-256-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4940-255-0x0000000002380000-0x00000000023DC000-memory.dmp

Filesize
368KB

Download
memory/4944-248-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download