redline | a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07

Analysis

max time kernel
191s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe
Size

1.5MB
MD5

1e9fb0d3a229266cf7c22eccf548aba1
SHA1

74a2f0a528639f7bb193856dedd00b440eb3bf34
SHA256

a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07
SHA512

819ce52d47fec16157e92b3ba3fe02046d96368a8c2865547be3769b6783f14c0dc848fdb4951878f5796ea2759c81b87c5098c1ecaa6594887992c44410a3a2
SSDEEP

49152:A0aBGKnIufyat/A3pOPwEK0nQKma3CiPuM3E:yxt/YEmsjLyiPuT

Score

10^/10

redline boom discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boom

217.196.96.56:4138

Attributes

auth_value
1ce6aebe15bac07a7bc88b114bc49335

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4280-216-0x0000000008170000-0x0000000008788000-memory.dmp	redline_stealer
behavioral2/memory/4280-222-0x0000000007E50000-0x0000000007EB6000-memory.dmp	redline_stealer
behavioral2/memory/4280-227-0x00000000094F0000-0x00000000096B2000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3845112.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3845112.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3845112.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3845112.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d1336291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d1336291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d1336291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3845112.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3845112.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d1336291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d1336291.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	e2357719.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	c9803236.exe

Executes dropped EXE 12 IoCs

pid	Process
3548	v0706844.exe
3408	v5098111.exe
4864	v0177662.exe
548	v4460953.exe
4040	a3845112.exe
4280	b3327494.exe
3936	c9803236.exe
4512	oneetx.exe
5076	d1336291.exe
3360	e2357719.exe
4756	1.exe
4080	f5862944.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3845112.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3845112.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d1336291.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4460953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4460953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5098111.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0177662.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0177662.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0706844.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5098111.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0706844.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
3544	4040	WerFault.exe	86
544	3936	WerFault.exe	92
2900	3936	WerFault.exe	92
4148	3936	WerFault.exe	92
3116	3936	WerFault.exe	92
4504	3936	WerFault.exe	92
4436	3936	WerFault.exe	92
1808	3936	WerFault.exe	92
1084	3936	WerFault.exe	92
1252	3936	WerFault.exe	92
1492	3936	WerFault.exe	92
3560	4512	WerFault.exe	111
1432	4512	WerFault.exe	111
3740	4512	WerFault.exe	111
1220	4512	WerFault.exe	111
716	4512	WerFault.exe	111
1916	3360	WerFault.exe	123
3224	4512	WerFault.exe	111
4108	4512	WerFault.exe	111

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4040	a3845112.exe
4040	a3845112.exe
4280	b3327494.exe
4280	b3327494.exe
5076	d1336291.exe
5076	d1336291.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	a3845112.exe
Token: SeDebugPrivilege	4280	b3327494.exe
Token: SeDebugPrivilege	5076	d1336291.exe
Token: SeDebugPrivilege	3360	e2357719.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3936	c9803236.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 3548	3528	a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe	82
PID 3528 wrote to memory of 3548	3528	a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe	82
PID 3528 wrote to memory of 3548	3528	a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe	82
PID 3548 wrote to memory of 3408	3548	v0706844.exe	83
PID 3548 wrote to memory of 3408	3548	v0706844.exe	83
PID 3548 wrote to memory of 3408	3548	v0706844.exe	83
PID 3408 wrote to memory of 4864	3408	v5098111.exe	84
PID 3408 wrote to memory of 4864	3408	v5098111.exe	84
PID 3408 wrote to memory of 4864	3408	v5098111.exe	84
PID 4864 wrote to memory of 548	4864	v0177662.exe	85
PID 4864 wrote to memory of 548	4864	v0177662.exe	85
PID 4864 wrote to memory of 548	4864	v0177662.exe	85
PID 548 wrote to memory of 4040	548	v4460953.exe	86
PID 548 wrote to memory of 4040	548	v4460953.exe	86
PID 548 wrote to memory of 4040	548	v4460953.exe	86
PID 548 wrote to memory of 4280	548	v4460953.exe	91
PID 548 wrote to memory of 4280	548	v4460953.exe	91
PID 548 wrote to memory of 4280	548	v4460953.exe	91
PID 4864 wrote to memory of 3936	4864	v0177662.exe	92
PID 4864 wrote to memory of 3936	4864	v0177662.exe	92
PID 4864 wrote to memory of 3936	4864	v0177662.exe	92
PID 3936 wrote to memory of 4512	3936	c9803236.exe	111
PID 3936 wrote to memory of 4512	3936	c9803236.exe	111
PID 3936 wrote to memory of 4512	3936	c9803236.exe	111
PID 3408 wrote to memory of 5076	3408	v5098111.exe	115
PID 3408 wrote to memory of 5076	3408	v5098111.exe	115
PID 3408 wrote to memory of 5076	3408	v5098111.exe	115
PID 3548 wrote to memory of 3360	3548	v0706844.exe	123
PID 3548 wrote to memory of 3360	3548	v0706844.exe	123
PID 3548 wrote to memory of 3360	3548	v0706844.exe	123
PID 3360 wrote to memory of 4756	3360	e2357719.exe	126
PID 3360 wrote to memory of 4756	3360	e2357719.exe	126
PID 3360 wrote to memory of 4756	3360	e2357719.exe	126
PID 3528 wrote to memory of 4080	3528	a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe	133
PID 3528 wrote to memory of 4080	3528	a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe	133
PID 3528 wrote to memory of 4080	3528	a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe	133

C:\Users\Admin\AppData\Local\Temp\a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe
"C:\Users\Admin\AppData\Local\Temp\a40d0566a33770a979dc2d41936ef8f93b710dc3e493079733f012675515fe07.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0706844.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0706844.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5098111.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5098111.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0177662.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0177662.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4460953.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4460953.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3845112.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3845112.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1092
        7⤵
        Program crash
        
        PID:3544
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3327494.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3327494.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9803236.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9803236.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 680
        6⤵
        Program crash
        
        PID:544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 780
        6⤵
        Program crash
        
        PID:2900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 856
        6⤵
        Program crash
        
        PID:4148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 960
        6⤵
        Program crash
        
        PID:3116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 964
        6⤵
        Program crash
        
        PID:4504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 872
        6⤵
        Program crash
        
        PID:4436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1216
        6⤵
        Program crash
        
        PID:1808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1232
        6⤵
        Program crash
        
        PID:1084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1316
        6⤵
        Program crash
        
        PID:1252
      - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        6⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 692
        7⤵
        Program crash
        
        PID:3560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 868
        7⤵
        Program crash
        
        PID:1432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 856
        7⤵
        Program crash
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 880
        7⤵
        Program crash
        
        PID:1220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1056
        7⤵
        Program crash
        
        PID:716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1076
        7⤵
        Program crash
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1100
        7⤵
        Program crash
        
        PID:4108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1344
        6⤵
        Program crash
        
        PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1336291.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1336291.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e2357719.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e2357719.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:4756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1384
      4⤵
      Program crash
      PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f5862944.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f5862944.exe
  2⤵
  - Executes dropped EXE
  PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4040 -ip 4040
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3936 -ip 3936
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3936 -ip 3936
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3936 -ip 3936
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3936 -ip 3936
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3936 -ip 3936
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3936 -ip 3936
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3936 -ip 3936
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3936 -ip 3936
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3936 -ip 3936
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3936 -ip 3936
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4512 -ip 4512
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4512 -ip 4512
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4512 -ip 4512
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4512 -ip 4512
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4512 -ip 4512
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3360 -ip 3360
1⤵
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4512 -ip 4512
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4512 -ip 4512
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f5862944.exe

Filesize
204KB

MD5
ee00fb2eb6ec3fc725cd7e14eb189ab9

SHA1
36d6a2f0fded5d3d397975bcd481f5cc297e05f6

SHA256
802b4f8c1daac09ee58321342b12a88a9681e3b2da8e049e0eef411cc0ef248d

SHA512
2e911bc7e5cf35cc9548b03f521e5d730b42260345c9bdc963a98a3af40b2110aa65f8a6dbb32766959b00dfc8d2ed00bd2df2586f87bea9f7282e7f8dbc2065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f5862944.exe

Filesize
204KB

MD5
ee00fb2eb6ec3fc725cd7e14eb189ab9

SHA1
36d6a2f0fded5d3d397975bcd481f5cc297e05f6

SHA256
802b4f8c1daac09ee58321342b12a88a9681e3b2da8e049e0eef411cc0ef248d

SHA512
2e911bc7e5cf35cc9548b03f521e5d730b42260345c9bdc963a98a3af40b2110aa65f8a6dbb32766959b00dfc8d2ed00bd2df2586f87bea9f7282e7f8dbc2065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0706844.exe

Filesize
1.4MB

MD5
106d9af3271b1c99215a4ff34f68e671

SHA1
44e0eac1baa76e2c98aca44dae43a4f1c3b5956a

SHA256
d3c2fd0f6315f6d1de296457a76fed5391fd658dd9718d8dffb0f49982d98b3e

SHA512
dcf12b153ab308d30c21257af752a4effd59a17e2ca8b06484142de8954f4e7db16ef7e0095152be591712ea079a4777877673a30253593b4579457253a04c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0706844.exe

Filesize
1.4MB

MD5
106d9af3271b1c99215a4ff34f68e671

SHA1
44e0eac1baa76e2c98aca44dae43a4f1c3b5956a

SHA256
d3c2fd0f6315f6d1de296457a76fed5391fd658dd9718d8dffb0f49982d98b3e

SHA512
dcf12b153ab308d30c21257af752a4effd59a17e2ca8b06484142de8954f4e7db16ef7e0095152be591712ea079a4777877673a30253593b4579457253a04c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e2357719.exe

Filesize
548KB

MD5
7cfe40264c9b84f2818642c0fe2b6d7a

SHA1
3da5c7c4453442bd2ca19fb0eb31ea596baa64ae

SHA256
26f97e8a9b5d351f7456ab38ff50ea3f74f3e6ec59b7e94463b947e02eee24b5

SHA512
7ced06c0ad6644156e68f8082c4039f9e30eeb3fa513d4dffd611b2d09b97404b448c0350ee196df941dabf9ba82483f2ef40d82c7df176aab5cef697b8b95dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e2357719.exe

Filesize
548KB

MD5
7cfe40264c9b84f2818642c0fe2b6d7a

SHA1
3da5c7c4453442bd2ca19fb0eb31ea596baa64ae

SHA256
26f97e8a9b5d351f7456ab38ff50ea3f74f3e6ec59b7e94463b947e02eee24b5

SHA512
7ced06c0ad6644156e68f8082c4039f9e30eeb3fa513d4dffd611b2d09b97404b448c0350ee196df941dabf9ba82483f2ef40d82c7df176aab5cef697b8b95dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5098111.exe

Filesize
912KB

MD5
c8d23573e807c7bf54afd79f4261b7df

SHA1
d1f25edc2a460183322e861d914ed7bb99be5aa7

SHA256
7d9b6b52899e58595add602e1b24af3afb6f97ac08f16d1842baa16ef1a36c19

SHA512
259da19efb38ba5708dddf10ef09b136d3f5ddad30163bf964ce192a57e0d94cf136035022fb1e732c1387fb842e30c31ed123cac6e6b3a5671fe700e289bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5098111.exe

Filesize
912KB

MD5
c8d23573e807c7bf54afd79f4261b7df

SHA1
d1f25edc2a460183322e861d914ed7bb99be5aa7

SHA256
7d9b6b52899e58595add602e1b24af3afb6f97ac08f16d1842baa16ef1a36c19

SHA512
259da19efb38ba5708dddf10ef09b136d3f5ddad30163bf964ce192a57e0d94cf136035022fb1e732c1387fb842e30c31ed123cac6e6b3a5671fe700e289bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1336291.exe

Filesize
175KB

MD5
a9c9f8b3da23797f9c31fdcc86e9eee8

SHA1
7e0fa59f6820f9f5f7ff53580ed98794f451e64f

SHA256
7fd13b498ff48910d8dab5e1b723e52364e4dccd4c48987514726fa6a71a3465

SHA512
0c99ea5b9da3aaa6c76a1a4888f694e155b2e624e3f596a86a59d2a1fed922f5879def32b0bee20eef6faded2ce833e5c9144991b5d2918c83be387ff0718d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1336291.exe

Filesize
175KB

MD5
a9c9f8b3da23797f9c31fdcc86e9eee8

SHA1
7e0fa59f6820f9f5f7ff53580ed98794f451e64f

SHA256
7fd13b498ff48910d8dab5e1b723e52364e4dccd4c48987514726fa6a71a3465

SHA512
0c99ea5b9da3aaa6c76a1a4888f694e155b2e624e3f596a86a59d2a1fed922f5879def32b0bee20eef6faded2ce833e5c9144991b5d2918c83be387ff0718d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0177662.exe

Filesize
708KB

MD5
2c62cac9e2f7e943e2d39b0a7a51d31f

SHA1
564a87206cf4357c36a1e419bcb67d6223b7375e

SHA256
cd2529ed82b9ebc3a57139f64880c1dff44aa149cfd5cf7c403bb5c7f1aeae80

SHA512
534715559943a6aa2918799c555fe7cff282d10516c9cd4bf787a650797b1ec39ec2994d62566517e39749f45f33cf445d9ab95ddc1d0dca199ad309244e9f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0177662.exe

Filesize
708KB

MD5
2c62cac9e2f7e943e2d39b0a7a51d31f

SHA1
564a87206cf4357c36a1e419bcb67d6223b7375e

SHA256
cd2529ed82b9ebc3a57139f64880c1dff44aa149cfd5cf7c403bb5c7f1aeae80

SHA512
534715559943a6aa2918799c555fe7cff282d10516c9cd4bf787a650797b1ec39ec2994d62566517e39749f45f33cf445d9ab95ddc1d0dca199ad309244e9f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9803236.exe

Filesize
340KB

MD5
e75f404090d1a981af0785aad71f534c

SHA1
51af8d4bd60669058fbfd62d8d8e0ec018e5bf02

SHA256
01e5b068ff7d1392bc28734965baced76f320693ea4bfaf2edd18b20cd805be8

SHA512
67a552f6b906c460905b83fa74db839af562a7873a6f4f9780418f2f5a4f0d7e117fa6f87d56776d1651cbe904e1b10df81b43949e546c530046aa69b26e0586

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9803236.exe

Filesize
340KB

MD5
e75f404090d1a981af0785aad71f534c

SHA1
51af8d4bd60669058fbfd62d8d8e0ec018e5bf02

SHA256
01e5b068ff7d1392bc28734965baced76f320693ea4bfaf2edd18b20cd805be8

SHA512
67a552f6b906c460905b83fa74db839af562a7873a6f4f9780418f2f5a4f0d7e117fa6f87d56776d1651cbe904e1b10df81b43949e546c530046aa69b26e0586

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4460953.exe

Filesize
416KB

MD5
058c221dc1f0521da10daac360f20d32

SHA1
dfdf4dc1bcbf41c692625ebfbf283cafee7a8ad3

SHA256
98d2c00ad82bd8e769edb60713dd575df402535da7c14d06cfea2a0f156c0985

SHA512
36f979efbeb94bbc8a6f5fbff31feba34627f29ac9109c1f159b4c5a477f166a3029a359ec9f7154648341c5a6b5c73fb2475d2a015a3a5844f6dcd93ade5c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4460953.exe

Filesize
416KB

MD5
058c221dc1f0521da10daac360f20d32

SHA1
dfdf4dc1bcbf41c692625ebfbf283cafee7a8ad3

SHA256
98d2c00ad82bd8e769edb60713dd575df402535da7c14d06cfea2a0f156c0985

SHA512
36f979efbeb94bbc8a6f5fbff31feba34627f29ac9109c1f159b4c5a477f166a3029a359ec9f7154648341c5a6b5c73fb2475d2a015a3a5844f6dcd93ade5c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3845112.exe

Filesize
360KB

MD5
8667bf510d4b93a2422d14f9963fd3fc

SHA1
71a8649bd6ada51a09211254c1d2911ab42bad03

SHA256
e5a708cc1e8bbd2ea32f3865d93cb1c3811b1d8094a3119a923623008a1bf01d

SHA512
8ccd4463d62884b1f944a972478148469a3e78b48d3e23e32010388b91e6594b64df1cd8fbb1d457c0b4db8420207aa3ebf79423d7794a166471ab55cced08c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3845112.exe

Filesize
360KB

MD5
8667bf510d4b93a2422d14f9963fd3fc

SHA1
71a8649bd6ada51a09211254c1d2911ab42bad03

SHA256
e5a708cc1e8bbd2ea32f3865d93cb1c3811b1d8094a3119a923623008a1bf01d

SHA512
8ccd4463d62884b1f944a972478148469a3e78b48d3e23e32010388b91e6594b64df1cd8fbb1d457c0b4db8420207aa3ebf79423d7794a166471ab55cced08c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3327494.exe

Filesize
136KB

MD5
df0204ed9b34563c659d0376d3a82288

SHA1
5bf5095e59ca9df9148206346d67c41de5c60d6e

SHA256
7af3da496056282ac1a2a30b5caeca865f0552b50a55cb9885c13ac873b14d6b

SHA512
e60d82ab1a92678ca9aa733422f01bf54d3c8d45e98e66c7314dfeb4b0d33adec990ab7a67d90351d6486948177c913a50402b9ca961d1153eb30c9933fbcf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3327494.exe

Filesize
136KB

MD5
df0204ed9b34563c659d0376d3a82288

SHA1
5bf5095e59ca9df9148206346d67c41de5c60d6e

SHA256
7af3da496056282ac1a2a30b5caeca865f0552b50a55cb9885c13ac873b14d6b

SHA512
e60d82ab1a92678ca9aa733422f01bf54d3c8d45e98e66c7314dfeb4b0d33adec990ab7a67d90351d6486948177c913a50402b9ca961d1153eb30c9933fbcf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
e75f404090d1a981af0785aad71f534c

SHA1
51af8d4bd60669058fbfd62d8d8e0ec018e5bf02

SHA256
01e5b068ff7d1392bc28734965baced76f320693ea4bfaf2edd18b20cd805be8

SHA512
67a552f6b906c460905b83fa74db839af562a7873a6f4f9780418f2f5a4f0d7e117fa6f87d56776d1651cbe904e1b10df81b43949e546c530046aa69b26e0586

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
e75f404090d1a981af0785aad71f534c

SHA1
51af8d4bd60669058fbfd62d8d8e0ec018e5bf02

SHA256
01e5b068ff7d1392bc28734965baced76f320693ea4bfaf2edd18b20cd805be8

SHA512
67a552f6b906c460905b83fa74db839af562a7873a6f4f9780418f2f5a4f0d7e117fa6f87d56776d1651cbe904e1b10df81b43949e546c530046aa69b26e0586

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
340KB

MD5
e75f404090d1a981af0785aad71f534c

SHA1
51af8d4bd60669058fbfd62d8d8e0ec018e5bf02

SHA256
01e5b068ff7d1392bc28734965baced76f320693ea4bfaf2edd18b20cd805be8

SHA512
67a552f6b906c460905b83fa74db839af562a7873a6f4f9780418f2f5a4f0d7e117fa6f87d56776d1651cbe904e1b10df81b43949e546c530046aa69b26e0586

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
7070d754b720fe5162742116d8683a49

SHA1
e1e928cacf55633f30125dcf2e7aa6a0e6f4172e

SHA256
5eec6e9402f614e6c92a23665003ad26a2606aa0700ebe58a86557bb84f4b7a2

SHA512
cb8d4382b3e9617a9bb98f3e6b1a2a15df004a33008cfbc92049e3ef588b1bf7deb3748a4262962543588e1a36ac737001c3d99659dca974bb12ff78eac9739b

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
7070d754b720fe5162742116d8683a49

SHA1
e1e928cacf55633f30125dcf2e7aa6a0e6f4172e

SHA256
5eec6e9402f614e6c92a23665003ad26a2606aa0700ebe58a86557bb84f4b7a2

SHA512
cb8d4382b3e9617a9bb98f3e6b1a2a15df004a33008cfbc92049e3ef588b1bf7deb3748a4262962543588e1a36ac737001c3d99659dca974bb12ff78eac9739b

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
7070d754b720fe5162742116d8683a49

SHA1
e1e928cacf55633f30125dcf2e7aa6a0e6f4172e

SHA256
5eec6e9402f614e6c92a23665003ad26a2606aa0700ebe58a86557bb84f4b7a2

SHA512
cb8d4382b3e9617a9bb98f3e6b1a2a15df004a33008cfbc92049e3ef588b1bf7deb3748a4262962543588e1a36ac737001c3d99659dca974bb12ff78eac9739b

Download Submit
memory/3360-399-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3360-2480-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3360-2479-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3360-2478-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3360-397-0x00000000008F0000-0x000000000094C000-memory.dmp

Filesize
368KB

Download
memory/3360-2482-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3360-2470-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3360-401-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3936-249-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/3936-234-0x0000000000840000-0x0000000000875000-memory.dmp

Filesize
212KB

Download
memory/4040-181-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-179-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-169-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/4040-170-0x0000000000700000-0x000000000072D000-memory.dmp

Filesize
180KB

Download
memory/4040-172-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4040-171-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4040-173-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4040-174-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-175-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-177-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-183-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-185-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-187-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-189-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-191-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-210-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4040-205-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4040-204-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4040-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4040-201-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-199-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-197-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-195-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4040-193-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4280-224-0x0000000008BD0000-0x0000000008C20000-memory.dmp

Filesize
320KB

Download
memory/4280-220-0x0000000007F20000-0x0000000007F30000-memory.dmp

Filesize
64KB

Download
memory/4280-215-0x0000000000E90000-0x0000000000EB8000-memory.dmp

Filesize
160KB

Download
memory/4280-228-0x0000000009BF0000-0x000000000A11C000-memory.dmp

Filesize
5.2MB

Download
memory/4280-227-0x00000000094F0000-0x00000000096B2000-memory.dmp

Filesize
1.8MB

Download
memory/4280-226-0x0000000008A10000-0x0000000008A2E000-memory.dmp

Filesize
120KB

Download
memory/4280-225-0x0000000008CA0000-0x0000000008D16000-memory.dmp

Filesize
472KB

Download
memory/4280-216-0x0000000008170000-0x0000000008788000-memory.dmp

Filesize
6.1MB

Download
memory/4280-217-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/4280-218-0x0000000007CF0000-0x0000000007DFA000-memory.dmp

Filesize
1.0MB

Download
memory/4280-223-0x0000000008A30000-0x0000000008AC2000-memory.dmp

Filesize
584KB

Download
memory/4280-222-0x0000000007E50000-0x0000000007EB6000-memory.dmp

Filesize
408KB

Download
memory/4280-221-0x0000000007F20000-0x0000000007F30000-memory.dmp

Filesize
64KB

Download
memory/4280-219-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/4756-2481-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4756-2476-0x0000000000CC0000-0x0000000000CEE000-memory.dmp

Filesize
184KB

Download
memory/5076-279-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/5076-277-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download