Analysis
max time kernel: 159s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/05/2023, 18:21
Static task: static1
Behavioral task: behavioral1
  Sample: 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
  Resource: win10v2004-20230220-en
General
Target: 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
Size: 1.5MB
MD5: 83f88944f53ffb95730512cc5807b178
SHA1: c06b03f02a8827688ab4c0d568a8fa15a24ad456
SHA256: 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d
SHA512: 1c631d254cea6adb1f859df89e5334adc4563fc1ecdff84417884cc45bba5a6f9e13aacbae053ac6ca9c2a987d9cf948f1ec0ed73f14df4eae97a435fb79a6ba
SSDEEP: 24576:EyU0fZjCxu/Jrug01HTJ7QYDtRK7DPkbjfV0xO3Ov+LP2evzWavPGCEzJIL/D6B:TU7Y/01HNBKUfV0xAOv+b5x6Ir
Malware Config
Extracted
  Family: redline
  Botnet: maxi
  C2: 217.196.96.56:4138
  auth_value: 6e90da232d4c2e35c1a36c250f5f8904
Extracted
  Family: redline
  Botnet: boom
  C2: 217.196.96.56:4138
  auth_value: 1ce6aebe15bac07a7bc88b114bc49335
Signatures
Detects Redline Stealer samples (3 IoCs)
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource | yara_rule
behavioral2/memory/3544-213-0x000000000A5E0000-0x000000000ABF8000-memory.dmp | redline_stealer
behavioral2/memory/3544-221-0x000000000AC00000-0x000000000AC66000-memory.dmp | redline_stealer
behavioral2/memory/3544-223-0x000000000B320000-0x000000000B4E2000-memory.dmp | redline_stealer
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a1693777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1693777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1693777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | d1770320.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | d1770320.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | d1770320.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | d1770320.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1693777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1693777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1693777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | d1770320.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | oneetx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | e2050852.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | c1181027.exe
Executes dropped EXE (13 IoCs)
pid | Process
3128 | v8198418.exe
3640 | v9233574.exe
3540 | v7560470.exe
5004 | v9130807.exe
2220 | a1693777.exe
3544 | b6970603.exe
1280 | c1181027.exe
3476 | oneetx.exe
404 | d1770320.exe
4044 | oneetx.exe
972 | e2050852.exe
2700 | 1.exe
3364 | f3354977.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1693777.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | d1770320.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a1693777.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9130807.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v8198418.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v7560470.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8198418.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9233574.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v9233574.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v7560470.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | v9130807.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (30 IoCs)
pid | pid_target | Process | procid_target
2228 | 2220 | WerFault.exe | 86
2332 | 1280 | WerFault.exe | 98
1892 | 1280 | WerFault.exe | 98
2088 | 1280 | WerFault.exe | 98
2052 | 1280 | WerFault.exe | 98
2960 | 1280 | WerFault.exe | 98
3424 | 1280 | WerFault.exe | 98
1184 | 1280 | WerFault.exe | 98
400 | 1280 | WerFault.exe | 98
1624 | 1280 | WerFault.exe | 98
2260 | 1280 | WerFault.exe | 98
1256 | 1280 | WerFault.exe | 98
4972 | 1280 | WerFault.exe | 98
2632 | 3476 | WerFault.exe | 121
1980 | 1280 | WerFault.exe | 98
4236 | 3476 | WerFault.exe | 121
2760 | 3476 | WerFault.exe | 121
4664 | 3476 | WerFault.exe | 121
2604 | 3476 | WerFault.exe | 121
944 | 3476 | WerFault.exe | 121
4456 | 3476 | WerFault.exe | 121
3356 | 3476 | WerFault.exe | 121
1564 | 3476 | WerFault.exe | 121
4612 | 3476 | WerFault.exe | 121
1080 | 3476 | WerFault.exe | 121
64 | 4044 | WerFault.exe | 156
4100 | 3476 | WerFault.exe | 121
1512 | 3476 | WerFault.exe | 121
1268 | 972 | WerFault.exe | 166
4748 | 3476 | WerFault.exe | 121
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1848 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2220 | a1693777.exe
2220 | a1693777.exe
3544 | b6970603.exe
3544 | b6970603.exe
404 | d1770320.exe
404 | d1770320.exe
2700 | 1.exe
2700 | 1.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2220 | a1693777.exe
Token: SeDebugPrivilege | 3544 | b6970603.exe
Token: SeDebugPrivilege | 404 | d1770320.exe
Token: SeDebugPrivilege | 972 | e2050852.exe
Token: SeDebugPrivilege | 2700 | 1.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1280 | c1181027.exe
Suspicious use of WriteProcessMemory (60 IoCs)
description | pid | Process | procid_target
PID 4464 wrote to memory of 3128 | 4464 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 82
PID 4464 wrote to memory of 3128 | 4464 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 82
PID 4464 wrote to memory of 3128 | 4464 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 82
PID 3128 wrote to memory of 3640 | 3128 | v8198418.exe | 83
PID 3128 wrote to memory of 3640 | 3128 | v8198418.exe | 83
PID 3128 wrote to memory of 3640 | 3128 | v8198418.exe | 83
PID 3640 wrote to memory of 3540 | 3640 | v9233574.exe | 84
PID 3640 wrote to memory of 3540 | 3640 | v9233574.exe | 84
PID 3640 wrote to memory of 3540 | 3640 | v9233574.exe | 84
PID 3540 wrote to memory of 5004 | 3540 | v7560470.exe | 85
PID 3540 wrote to memory of 5004 | 3540 | v7560470.exe | 85
PID 3540 wrote to memory of 5004 | 3540 | v7560470.exe | 85
PID 5004 wrote to memory of 2220 | 5004 | v9130807.exe | 86
PID 5004 wrote to memory of 2220 | 5004 | v9130807.exe | 86
PID 5004 wrote to memory of 2220 | 5004 | v9130807.exe | 86
PID 5004 wrote to memory of 3544 | 5004 | v9130807.exe | 96
PID 5004 wrote to memory of 3544 | 5004 | v9130807.exe | 96
PID 5004 wrote to memory of 3544 | 5004 | v9130807.exe | 96
PID 3540 wrote to memory of 1280 | 3540 | v7560470.exe | 98
PID 3540 wrote to memory of 1280 | 3540 | v7560470.exe | 98
PID 3540 wrote to memory of 1280 | 3540 | v7560470.exe | 98
PID 1280 wrote to memory of 3476 | 1280 | c1181027.exe | 121
PID 1280 wrote to memory of 3476 | 1280 | c1181027.exe | 121
PID 1280 wrote to memory of 3476 | 1280 | c1181027.exe | 121
PID 3640 wrote to memory of 404 | 3640 | v9233574.exe | 130
PID 3640 wrote to memory of 404 | 3640 | v9233574.exe | 130
PID 3640 wrote to memory of 404 | 3640 | v9233574.exe | 130
PID 3476 wrote to memory of 1848 | 3476 | oneetx.exe | 141
PID 3476 wrote to memory of 1848 | 3476 | oneetx.exe | 141
PID 3476 wrote to memory of 1848 | 3476 | oneetx.exe | 141
PID 3476 wrote to memory of 3332 | 3476 | oneetx.exe | 147
PID 3476 wrote to memory of 3332 | 3476 | oneetx.exe | 147
PID 3476 wrote to memory of 3332 | 3476 | oneetx.exe | 147
PID 3332 wrote to memory of 4048 | 3332 | cmd.exe | 151
PID 3332 wrote to memory of 4048 | 3332 | cmd.exe | 151
PID 3332 wrote to memory of 4048 | 3332 | cmd.exe | 151
PID 3332 wrote to memory of 4876 | 3332 | cmd.exe | 152
PID 3332 wrote to memory of 4876 | 3332 | cmd.exe | 152
PID 3332 wrote to memory of 4876 | 3332 | cmd.exe | 152
PID 3332 wrote to memory of 1868 | 3332 | cmd.exe | 153
PID 3332 wrote to memory of 1868 | 3332 | cmd.exe | 153
PID 3332 wrote to memory of 1868 | 3332 | cmd.exe | 153
PID 3332 wrote to memory of 4996 | 3332 | cmd.exe | 154
PID 3332 wrote to memory of 4996 | 3332 | cmd.exe | 154
PID 3332 wrote to memory of 4996 | 3332 | cmd.exe | 154
PID 3332 wrote to memory of 5008 | 3332 | cmd.exe | 155
PID 3332 wrote to memory of 5008 | 3332 | cmd.exe | 155
PID 3332 wrote to memory of 5008 | 3332 | cmd.exe | 155
PID 3332 wrote to memory of 1116 | 3332 | cmd.exe | 157
PID 3332 wrote to memory of 1116 | 3332 | cmd.exe | 157
PID 3332 wrote to memory of 1116 | 3332 | cmd.exe | 157
PID 3128 wrote to memory of 972 | 3128 | v8198418.exe | 166
PID 3128 wrote to memory of 972 | 3128 | v8198418.exe | 166
PID 3128 wrote to memory of 972 | 3128 | v8198418.exe | 166
PID 972 wrote to memory of 2700 | 972 | e2050852.exe | 167
PID 972 wrote to memory of 2700 | 972 | e2050852.exe | 167
PID 972 wrote to memory of 2700 | 972 | e2050852.exe | 167
PID 4464 wrote to memory of 3364 | 4464 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 170
PID 4464 wrote to memory of 3364 | 4464 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 170
PID 4464 wrote to memory of 3364 | 4464 | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe | 170
Processes
"C:\Users\Admin\AppData\Local\Temp\45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe"  [PID 4464]
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8198418.exe  [PID 3128]
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9233574.exe  [PID 3640]
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7560470.exe  [PID 3540]
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9130807.exe  [PID 5004]
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1693777.exe  [PID 2220]
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1080  [PID 2228]
              - Program crash
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6970603.exe  [PID 3544]
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1181027.exe  [PID 1280]
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 696  [PID 2332]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 780  [PID 1892]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 860  [PID 2088]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 952  [PID 2052]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 980  [PID 2960]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 980  [PID 3424]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1260  [PID 1184]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1268  [PID 400]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1328  [PID 1624]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1132  [PID 2260]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 796  [PID 1256]
            - Program crash
          "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"  [PID 3476]
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 692  [PID 2632]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 868  [PID 4236]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 904  [PID 2760]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 892  [PID 4664]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1088  [PID 2604]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1108  [PID 944]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1128  [PID 4456]
              - Program crash
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F  [PID 1848] (image: C:\Windows\SysWOW64\schtasks.exe)
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1016  [PID 3356]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 744  [PID 1564]
              - Program crash
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit  [PID 3332] (image: C:\Windows\SysWOW64\cmd.exe)
              - Suspicious use of WriteProcessMemory
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"  [PID 4048] (image: C:\Windows\SysWOW64\cmd.exe)
              CACLS "oneetx.exe" /P "Admin:N"  [PID 4876] (image: C:\Windows\SysWOW64\cacls.exe)
              CACLS "oneetx.exe" /P "Admin:R" /E  [PID 1868] (image: C:\Windows\SysWOW64\cacls.exe)
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"  [PID 4996] (image: C:\Windows\SysWOW64\cmd.exe)
              CACLS "..\c3912af058" /P "Admin:N"  [PID 5008] (image: C:\Windows\SysWOW64\cacls.exe)
              CACLS "..\c3912af058" /P "Admin:R" /E  [PID 1116] (image: C:\Windows\SysWOW64\cacls.exe)
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1272  [PID 4612]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 692  [PID 1080]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 752  [PID 4100]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1272  [PID 1512]
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1112  [PID 4748]
              - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 896  [PID 4972]
            - Program crash
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1396  [PID 1980]
            - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1770320.exe  [PID 404]
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e2050852.exe  [PID 972]
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      "C:\Windows\Temp\1.exe"  [PID 2700]
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1440  [PID 1268]
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f3354977.exe  [PID 3364]
    - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2220 -ip 2220  [PID 2432]
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1280 -ip 1280  [PID 4904]
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1280 -ip 1280  [PID 1600]
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1280 -ip 1280  [PID 1724]
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1280 -ip 1280  [PID 5064]
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1280 -ip 1280  [PID 904]
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1280 -ip 1280  [PID 3304]
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1280 -ip 1280  [PID 872]
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1280 -ip 1280  [PID 3516]
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1280 -ip 1280  [PID 4936]
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1280 -ip 1280  [PID 3632]
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1280 -ip 1280  [PID 4232]
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1280 -ip 1280  [PID 3816]
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3476 -ip 3476  [PID 220]
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1280 -ip 1280  [PID 2644]
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3476 -ip 3476  [PID 4788]
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3476 -ip 3476  [PID 5032]
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3476 -ip 3476  [PID 4760]
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3476 -ip 3476  [PID 4588]
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3476 -ip 3476  [PID 484]
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3476 -ip 3476  [PID 2116]
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3476 -ip 3476  [PID 4024]
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3476 -ip 3476  [PID 3264]
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3476 -ip 3476  [PID 3700]
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe  [PID 4044]
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 312  [PID 64]
    - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3476 -ip 3476  [PID 1852]
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4044 -ip 4044  [PID 4548]
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3476 -ip 3476  [PID 4348]
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3476 -ip 3476  [PID 3056]
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 972 -ip 972  [PID 1724]
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3476 -ip 3476  [PID 1512]
Network
MITRE ATT&CK Enterprise v6
Downloads